Qilin ransomware uses WSL to run Linux encryptors on Windows

The Qilin ransomware group has been observed abusing the Windows Subsystem for Linux (WSL) to execute Linux-based encryptors directly on Windows systems, bypassing traditional security tools. The technique lets the malware evade endpoint detection and response (EDR) products that are tuned to Windows process behaviour rather than WSL activity. Cybersecurity firms Trend Micro and Cisco Talos detailed the method in recent research.

The Qilin ransomware operation, which first emerged as 'Agenda' in August 2022 and rebranded to Qilin the following month, has grown into one of the most active cyber threats worldwide. According to research from Trend Micro and Cisco Talos, the group targeted over 700 victims across 62 countries in 2025, publishing more than 40 new victims monthly during the second half of the year.

Qilin affiliates typically breach networks using legitimate remote access tools like AnyDesk, ScreenConnect, and Splashtop, alongside data exfiltration software such as Cyberduck and WinRAR. They also leverage built-in Windows utilities, including Microsoft Paint (mspaint.exe) and Notepad (notepad.exe), to scan documents for sensitive information.

Before deploying encryptors, attackers disable security software through Bring Your Own Vulnerable Driver (BYOVD) tactics. They deploy signed but vulnerable drivers like eskle.sys to terminate antivirus and EDR processes, and use DLL sideloading to install kernel drivers such as rwdrv.sys and hlpdrv.sys for elevated privileges. Tools including 'dark-kill' and 'HRSword' further neutralize defenses and erase malicious traces. 'Talos observed traces of attempts to disable EDR using multiple methods,' Cisco Talos explained. 'Broadly speaking, we have frequently observed commands that directly execute the EDR's "uninstall.exe" or attempt to stop services using the sc command. At the same time, attackers have also been observed running open-source tools such as dark-kill and HRSword.'

A notable evolution involves Qilin's Linux encryptor, first reported in December 2023 for targeting VMware ESXi environments. Trend Micro observed affiliates transferring the Linux ELF encryptor via WinSCP and launching it through Splashtop's SRManager.exe on Windows machines. Since ELF binaries cannot run natively on Windows, the actors enable or install WSL, a built-in feature for running Linux distributions within Windows, to execute the payload. 'In this case, the threat actors were able to run the Linux encryptor on Windows systems by taking advantage of the Windows Subsystem for Linux (WSL), a built-in feature that allows Linux binaries to execute natively on Windows without requiring a virtual machine,' Trend Micro told BleepingComputer. The approach takes advantage of hybrid environments: because many Windows EDR tools do not inspect processes running inside WSL, the encryptor's file activity can proceed with little visibility.
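As an added defender-side illustration (not code from the article, Trend Micro or Cisco Talos), the triage below flags the three observable steps described above in Sysmon-style process-creation records: a WSL process spawned by a remote-access tool, a command that enables the WSL feature, and a WSL launch pointing at a Linux-side path. It assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the tool names other than SRManager.exe and every sample event are constructed.

```python
import json
import re

WSL_IMAGES = {"wsl.exe", "wslhost.exe", "bash.exe"}
# SRManager.exe is named in the article; anydesk.exe is an assumed additional name.
REMOTE_TOOLS = {"srmanager.exe", "anydesk.exe"}
# Ways the WSL feature gets enabled: DISM feature names or "wsl --install".
ENABLE_WSL = re.compile(
    r"Microsoft-Windows-Subsystem-Linux|VirtualMachinePlatform|\bwsl(?:\.exe)?\s+--install", re.I)
# Linux-side paths that a Windows-native launch of wsl.exe would rarely reference.
LINUX_PATH = re.compile(r"/mnt/[a-z]/|/tmp/|\.elf\b", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_elf(header: bytes) -> bool:
    """True when a file starts with the ELF magic; such files have no business on a Windows host."""
    return header[:4] == b"\x7fELF"

def triage(event: dict) -> list:
    """Return the reasons one process-creation event looks like WSL abuse (empty if benign)."""
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image in WSL_IMAGES and parent in REMOTE_TOOLS:
        reasons.append(f"{image} launched by remote-access tool {parent}")
    if ENABLE_WSL.search(cmd):
        reasons.append("WSL feature being enabled or installed")
    if image in WSL_IMAGES and LINUX_PATH.search(cmd):
        reasons.append("WSL invoked with a Linux-side payload path")
    return reasons

# Constructed JSON-lines sample; backslashes are JSON-escaped inside the raw string.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\wsl.exe", "ParentImage": "C:\\Program Files\\Splashtop\\SRManager.exe", "CommandLine": "wsl.exe -e /mnt/c/ProgramData/enc"}
{"Image": "C:\\Windows\\System32\\dism.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"}
{"Image": "C:\\Windows\\System32\\wsl.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wsl.exe --list"}
"""

def scan(lines: str) -> list:
    """Run triage over JSON-lines events; returns (image, reasons) for each hit."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = triage(event)
        if reasons:
            hits.append((basename(event["Image"]), reasons))
    return hits

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The benign `wsl.exe --list` from Explorer produces no hit, so the rule keys on the launch context rather than on WSL itself.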
