[Illustration (AI-generated image): a hacker deploying Qilin ransomware using Linux binaries on Windows systems, with code and alerts shown in a dark ops center]

Qilin ransomware deploys Linux binaries against Windows systems

The Qilin ransomware group, also known as Agenda, has developed a hybrid attack using Linux payloads on Windows hosts to evade detection. By abusing legitimate remote management tools and exploiting vulnerable drivers, attackers disable defenses and target backups. This cross-platform tactic highlights evolving ransomware sophistication.

The Qilin ransomware operation, active since 2022, has emerged as one of the most prolific ransomware-as-a-service groups in 2025, claiming over 40 victims monthly and peaking at 100 in June, according to Trend Micro's analysis. In a recent campaign detailed by security researchers, Qilin deployed a Linux ransomware binary on Windows systems via trusted tools like WinSCP for file transfer and Splashtop Remote for execution, bypassing traditional Windows-focused endpoint detection and response (EDR) systems.

Attackers gained initial access through fake Google CAPTCHA pages hosted on Cloudflare R2, which delivered obfuscated JavaScript leading to info-stealers, served from command-and-control servers at 45.221.64.245/mot/ and 104.164.55.7/231/means.d, that harvested credentials. These stolen accounts enabled lateral movement, with reconnaissance conducted through ScreenConnect using commands such as 'nltest /domain_trusts' and 'net group "domain admins" /domain'.

To maintain persistence, Qilin installed AnyDesk through ATERA RMM and ScreenConnect, disguising the activity as administrative work. Defense evasion relied on bring-your-own-vulnerable-driver (BYOVD) techniques: signed drivers such as eskle.sys (repurposed from a Chinese game vendor), rwdrv.sys and hlpdrv.sys were loaded through sideloaded DLLs such as msimg32.dll, executed by legitimate applications like FoxitPDFReader.exe. Once loaded, these drivers performed VM checks, killed security processes, and terminated EDR tools.

A key focus was credential theft from Veeam backup infrastructure using Base64-encoded PowerShell scripts to extract usernames and passwords from SQL tables including Credentials, BackupRepositories, and WinServers. This allowed access to domain controllers, Exchange servers, and SQL databases. Lateral movement extended to Linux hosts via renamed PuTTY binaries like test.exe and 1.exe for SSH connections.
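The reconnaissance, renamed-PuTTY and encoded-PowerShell behaviour described above can be turned into endpoint detection logic. The following is an added example written for this article, not code from Trend Micro or from the Qilin samples; it runs three rules over constructed Sysmon-style process-creation events (parent image, image, command line) that are embedded inline and not taken from the article.

```python
import base64
import re
from pathlib import PureWindowsPath

RMM_PARENTS = ("screenconnect", "splashtop", "anydesk", "atera")
RECON_CMDS = (r"nltest\s+/domain_trusts", r'net\s+group\s+"domain admins"')
VEEAM_TABLES = ("Credentials", "BackupRepositories", "WinServers")

def _enc(ps):
    # PowerShell -EncodedCommand carries Base64 of UTF-16LE text
    return base64.b64encode(ps.encode("utf-16-le")).decode()

# Constructed sample process-creation events (Sysmon Event ID 1 style), not
# taken from the article: (parent image, image, command line).
EVENTS = [
    (r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    (r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     r"C:\Windows\System32\net.exe", 'net group "domain admins" /domain'),
    (r"C:\Windows\explorer.exe", r"C:\Users\ops\Downloads\1.exe", "1.exe -ssh backup01 -P 22"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -enc " + _enc("Invoke-Sqlcmd -Query 'SELECT COUNT(*) FROM BackupRepositories'")),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

def decode_encoded_powershell(cmdline):
    """Return the decoded script when the command line carries -e/-enc/-EncodedCommand."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def classify(parent, image, cmdline):
    hits, parent_l, name = [], parent.lower(), PureWindowsPath(image).name.lower()
    # 1. AD reconnaissance spawned by a remote-management client
    if any(p in parent_l for p in RMM_PARENTS) and any(re.search(r, cmdline, re.I) for r in RECON_CMDS):
        hits.append("rmm-spawned-recon")
    # 2. PuTTY-style "-ssh" usage from a binary not named like an SSH client
    if re.search(r"(^|\s)-ssh(\s|$)", cmdline) and not name.startswith(("putty", "plink", "ssh")):
        hits.append("renamed-ssh-client")
    # 3. Encoded PowerShell whose decoded body names Veeam credential tables
    decoded = decode_encoded_powershell(cmdline)
    if any(t in decoded for t in VEEAM_TABLES):
        hits.append("encoded-ps-veeam-tables")
    return hits

def scan(events=EVENTS):
    """Map each flagged image name to the detection labels it triggered."""
    return {PureWindowsPath(i).name: classify(p, i, c)
            for p, i, c in events if classify(p, i, c)}
```

Rule 1 keys on the parent process rather than the command alone, because the same recon commands run by an administrator from a console are routine; rule 2 will also catch any renamed copy of plink.exe.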

The Linux encryptor requires a password to run and carries an allowlist of processes to leave alive, a list of file extensions to skip, and a set of core directories to exclude; later builds added detection of Nutanix AHV hosts. COROXY SOCKS proxies, distributed across hosts and hidden in folders named after Veeam, VMware, Adobe, and USOShared, provided resilient command-and-control.

"This attack challenges traditional Windows-focused security controls," Trend Micro reported. "The deployment of Linux ransomware on Windows systems demonstrates how threat actors are adapting to bypass endpoint detection systems not configured to detect or prevent Linux binaries executing through remote management channels." The tactic, also noted by Cisco Talos, underscores the need for visibility into RMM tools and hybrid environments to counter such low-noise operations.
