Qilin ransomware posted a multi-victim batch on June 8 listing at least six organizations, five of which had not been previously disclosed publicly. The batch spans automotive manufacturing, performing arts, healthcare, education, and satellite telecommunications — a cross-sector targeting pattern that reflects Qilin’s indiscriminate approach to victim selection under its ransomware-as-a-service affiliate model.
Isuzu Motors and Opéra Comique Among Qilin’s Latest Cross-Sector Victim Batch
The five newly identified organizations in Qilin’s June 8 posting represent a geographically distributed set of targets: Isuzu Motors in Thailand, the historic Paris opera house Opéra Comique in France, Australian private healthcare and rehabilitation provider The Banyans Health and Wellness, Australian education services company Kinetic Education, and US satellite communications firm SatCom CX.
The batch spans organizations in Thailand, France, Australia, and the United States across five distinct industry sectors. No single vertical dominates the victim list, which is consistent with Qilin’s documented pattern of targeting whatever organizations its affiliate network successfully compromises rather than pursuing any sector-specific campaign strategy.
Opéra Comique’s Listing Marks a Prominent Cultural Institution Among Qilin’s June Targets
Opéra Comique is a state-subsidized performing arts institution with a history stretching back centuries in Paris. Its appearance on a ransomware leak site alongside automotive manufacturers and satellite communications companies illustrates the breadth of Qilin’s affiliate-driven operations. Cultural institutions have increasingly appeared in ransomware disclosures — their combination of valuable digital archives, donor and patron data, and limited cybersecurity resources makes them attractive targets for financially motivated groups regardless of their public profile.
Banyans Health, Kinetic Education, and SatCom CX as Qilin’s Remaining Named Victims
The Banyans Health and Wellness is a private Australian healthcare and rehabilitation provider — a sector that remains a high-value ransomware target due to the sensitivity of patient records and the operational pressure facilities face to restore systems quickly. Kinetic Education is an Australian education services provider; education has seen sustained ransomware attention in recent years. SatCom CX, a US satellite communications company, represents the telecommunications and critical infrastructure segment within this batch.
None of the five organizations has publicly confirmed a breach as of Qilin’s June 8 posting. Qilin’s leak site postings typically precede or accompany ransom negotiations and are used as leverage to compel payment by threatening public data release.
How Qilin’s RaaS Affiliate Structure Sustains Its High-Cadence Multi-Sector Posting
The June 8 batch represents the sixth set of victims Qilin has posted since June 1 — an elevated cadence that reflects the operational tempo of an active ransomware-as-a-service operation. In a RaaS model, Qilin provides the ransomware infrastructure and handles negotiations and payments while independent affiliates conduct the actual intrusions. The diversity of victim sectors in any given batch reflects the diverse industries that different affiliates target independently of one another.
Qilin’s Automotive and Satellite Telecommunications Targets Extend Its Cross-Sector Reach
Isuzu Motors Thailand and SatCom CX add two sectors — automotive manufacturing and satellite telecommunications — that represent significant operational and supply chain dependencies when disrupted. Automotive manufacturers typically rely on interconnected supplier and logistics systems, meaning ransomware-induced outages at a manufacturing entity can create cascading delays. Satellite communications providers handle network services that may underpin other organizations’ connectivity, amplifying the potential downstream effects of any extended outage.
Qilin first gained significant attention through attacks on healthcare and critical infrastructure targets and has maintained a consistent posting cadence throughout 2026. The June 8 batch, as the sixth disclosure cluster in under ten days, confirms that Qilin’s affiliate network remains operationally active at a level that produces multi-victim disclosures on a near-daily basis. None of the five named victims in this batch fall within sectors or geographies that Qilin has historically avoided — the group’s affiliates appear to select targets based on access opportunity rather than any sector or geographic restriction.
