Qilin (Agenda) Ransomware Deploys Linux Binaries on Windows via Remote Management Tools
The Qilin ransomware group, also known as Agenda, has adopted a sophisticated cross-platform attack strategy by deploying Linux-based ransomware binaries on Windows systems. This technique leverages legitimate remote management and file transfer tools such as Splashtop, WinSCP, AnyDesk, ATERA RMM, ScreenConnect, and MeshCentral to bypass traditional Windows-centric endpoint detection and response (EDR) solutions. Attackers gain initial access through social engineering, including fake CAPTCHA pages, and use credential theft to facilitate lateral movement and privilege escalation. The group also employs Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security defenses and steals backup credentials, particularly from Veeam, to prevent recovery and maximize extortion leverage.
Qilin's operations have impacted over 700 victims globally since January 2025, with a focus on sectors such as manufacturing, professional and scientific services, and wholesale trade. The group uses a double-extortion model, exfiltrating sensitive data with tools like Cyberduck before encrypting files and threatening public disclosure. Qilin's affiliates have been observed using a variety of post-exploitation tools, including Mimikatz and custom scripts, to harvest credentials and exfiltrate data. The group's rapid evolution and ability to evade detection highlight the growing sophistication of ransomware-as-a-service (RaaS) operations targeting organizations worldwide.
Timeline
Oct 28, 2025
BleepingComputer reports Qilin abusing WSL to run Linux encryptors on Windows
On October 28, 2025, BleepingComputer reported that Qilin was abusing the Windows Subsystem for Linux to execute Linux encryptors on Windows hosts. The report highlighted a cross-platform evasion technique that helped the ransomware bypass Windows-focused security tooling.
Oct 27, 2025
Trend Micro details hybrid Qilin attack using Linux payload on Windows
Trend Micro reporting published on October 27, 2025 described a sophisticated Qilin attack chain in which operators used legitimate remote management tools, a Linux-based encryptor on Windows, and BYOVD techniques involving the eskle.sys driver to disable defenses. The same activity also targeted Veeam backup infrastructure and included newer samples with Nutanix AHV detection.
Oct 27, 2025
Researchers document Qilin intrusions using leaked VPN credentials and RDP
Across multiple investigated cases in 2025, Talos assessed with moderate confidence that some Qilin affiliates gained initial access using leaked administrative credentials to VPNs without MFA, then expanded access through RDP and possible Group Policy changes. The intrusions also involved discovery, credential theft, persistence, exfiltration, and log and shadow-copy deletion before encryption.
Aug 1, 2025
Qilin posts another near-peak wave of victims in August
Talos observed Qilin's leak-site activity surge again in August 2025 to near the June peak, with other reporting noting 84 victims in both August and September. The repeated spike indicated sustained large-scale operations rather than a one-off burst.
Jun 1, 2025
Qilin leak-site activity rises sharply in 2025
Cisco Talos reported that Qilin, formerly known as Agenda, maintained more than 40 leak-site victim postings per month through much of 2025, with a peak of about 100 postings in June. The activity showed the group had become one of the most active ransomware operations in the second half of the year.
Related Stories

Qilin Ransomware's Surge and High-Profile Attacks on Global Organizations
The Qilin ransomware group has emerged as one of the most prolific ransomware operations, claiming responsibility for over 500 attacks in the past six months and targeting major organizations worldwide. Notably, Qilin has allegedly stolen 10 GB of data from International Game Technology (IGT), a multinational provider in the gaming and fintech sectors, with over 21,000 files reportedly exfiltrated. The group has also targeted other high-profile victims, including Cornerstone Staffing Solutions, Spark Power, and Habib Bank AG Zurich, and is known to collaborate with other ransomware operations such as DragonForce and LockBit. Qilin, along with Akira and INC, accounted for 65% of ransomware attacks in Q3 2025, with a significant portion of these incidents facilitated by compromised VPN credentials. Ransomware activity has seen a marked increase globally, with leak posts rising by 11% over the previous quarter and a surge in attacks reported in October. Attackers are increasingly exploiting vulnerabilities in VPNs and external services, and the prevalence of zero-day vulnerabilities has also grown, with notable bugs affecting Citrix NetScaler, CrushFTP, and Microsoft SharePoint. Security experts recommend organizations implement multi-factor authentication and strengthen vulnerability management practices to mitigate the escalating ransomware threat landscape.
1 month ago
Qilin Ransomware Operations Supported by Bulletproof Hosting Networks
Qilin, a sophisticated ransomware-as-a-service (RaaS) operation, has emerged as a significant threat actor in the global cybercrime landscape, leveraging bulletproof hosting (BPH) infrastructures to facilitate its extortion campaigns. The group, which initially operated under the name "Agenda" before rebranding to Qilin in 2022, utilizes BPH providers that are strategically located in pro-secrecy jurisdictions and structured through complex networks of anonymous shell companies. These hosting services are designed to be resilient against abuse complaints and law enforcement actions, enabling Qilin to conduct prolonged and undisturbed ransomware operations. Qilin's ransomware variants are written in both Golang and Rust, and the group is known to gain initial access to victim networks through spear phishing campaigns, as well as by exploiting Remote Monitoring and Management (RMM) tools and other common attack vectors. The group practices double extortion, demanding ransom payments not only to decrypt data but also to prevent the public release of stolen information. In a recent high-profile attack, Qilin claimed responsibility for a ransomware incident that severely disrupted operations and manufacturing at Asahi Group Holdings, a major Japanese brewing conglomerate, for nearly two weeks. Following this attack, Qilin attempted to sell the stolen Asahi data for $10 million USD, directly contacting the victim to increase pressure and bypass intermediaries. On October 15, Qilin announced a new wave of victims, including the Spanish Tax Administration Agency, Centurion Family Office Services LLC in the USA, Rasi Laboratories, Victory Christian Center in Tulsa, Richmond Behavioral Health Authority, Turnkey Africa, and Charles River Properties. The diversity of these targets demonstrates Qilin's broad targeting strategy, affecting organizations across government, healthcare, finance, manufacturing, and religious sectors. 
The use of bulletproof hosting is a critical enabler for Qilin, allowing the group to maintain its infrastructure and evade takedown efforts. Investigations by Resecurity have included direct engagement with Qilin operators, providing insights into their tactics and extortion strategies. The resilience of Qilin's infrastructure, combined with their aggressive extortion methods, poses a significant ongoing threat to organizations worldwide. The group's ability to quickly announce and publicize new victims further amplifies the pressure on targeted entities to comply with ransom demands. Qilin's operations highlight the persistent challenge posed by RaaS groups that exploit global hosting networks to sustain and expand their criminal enterprises. The continued evolution of Qilin's tactics and infrastructure underscores the need for robust cybersecurity defenses and international cooperation to disrupt such threat actors. Organizations are urged to remain vigilant against spear phishing and to monitor for unauthorized use of RMM tools, which are common entry points for Qilin attacks. The ongoing activity of Qilin demonstrates the critical role of bulletproof hosting in enabling large-scale ransomware campaigns and the importance of targeting these infrastructures in law enforcement efforts.
1 month ago
Qilin Ransomware Uses DLL Sideloading to Disable 300+ EDR Drivers
Cisco Talos reported that the **Qilin** ransomware operation is using a multi-stage infection chain built around a malicious side-loaded `msimg32.dll` to blind defenses before later-stage payloads run. The attack can begin when a legitimate application such as **FoxitPDFReader.exe** loads the rogue DLL, which forwards expected API calls to the real Windows library to avoid suspicion while decrypting and executing additional payloads entirely in memory. Researchers said the loader employs layered evasion, including **SEH/VEH-based control-flow obfuscation**, indirect syscall recovery similar to **Halo’s Gate**, **ETW suppression**, anti-debugging checks, and geofencing that avoids systems configured for post-Soviet locales. In the final stage, the malware deploys an **EDR killer** that can disable more than **300** endpoint security drivers by abusing two helper drivers, `rwdrv.sys` and `hlpdrv.sys`. Talos said the tooling uses physical memory access, kernel object manipulation, termination of protected EDR processes, and removal of kernel callbacks used for monitoring; it also temporarily interferes with **Code Integrity** checks before restoring the `CiValidateImageHeader` callback. The campaign shows Qilin—also tracked as **Agenda**, **Gold Feather**, and **Water Galura**—continuing to target the defense stack itself early in execution, giving ransomware operators a better chance of deploying encryption and follow-on payloads without detection.
3 weeks ago
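As an added defender-side example (editor's code, not from Mallory or the cited vendors), the script below runs three hunting rules drawn from the behaviours in these stories over constructed Sysmon-style events: msimg32.dll loaded from outside the Windows system directories (the FoxitPDFReader.exe sideload), loads of the eskle.sys, rwdrv.sys and hlpdrv.sys drivers, and wsl.exe or bash.exe started by a parent that is not an interactive shell. The event field names, the allowlist of expected WSL parents and every sample path are assumptions.

```python
"""Hunting rules for the Qilin behaviours described above, run over
constructed Sysmon-style events (not real telemetry). Rule logic, field
names and sample events are the editor's assumptions, not vendor detections."""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Drivers named in the reporting above (BYOVD driver and EDR-killer helpers).
SUSPECT_DRIVERS = {"eskle.sys", "rwdrv.sys", "hlpdrv.sys"}
# Parents from which an interactive WSL launch is expected (assumed allowlist).
WSL_OK_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}

def _base(path):
    return ntpath.basename(path).lower()

def _dir(path):
    return ntpath.dirname(path).lower()

def check_event(ev):
    """Return a finding string for one event, or None if it looks clean."""
    kind = ev["event"]
    if kind == "ImageLoad" and _base(ev["image_loaded"]) == "msimg32.dll":
        # msimg32.dll legitimately lives only under the system directories;
        # a copy beside the host EXE is the sideloading pattern described above.
        if _dir(ev["image_loaded"]) not in SYSTEM_DIRS:
            return f"dll_sideload: {_base(ev['image'])} loaded {ev['image_loaded']}"
    elif kind == "DriverLoad" and _base(ev["image_loaded"]) in SUSPECT_DRIVERS:
        return f"byovd_driver: {ev['image_loaded']}"
    elif kind == "ProcessCreate" and _base(ev["image"]) in {"wsl.exe", "bash.exe"}:
        if _base(ev["parent_image"]) not in WSL_OK_PARENTS:
            return f"wsl_unexpected_parent: {_base(ev['parent_image'])} -> {_base(ev['image'])}"
    return None

def hunt(events):
    """Apply check_event to every event and keep the findings."""
    return [f for f in (check_event(e) for e in events) if f]

# Constructed sample telemetry; all paths are illustrative only.
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "image": r"C:\Users\a\Downloads\FoxitPDFReader.exe",
     "image_loaded": r"C:\Users\a\Downloads\msimg32.dll"},
    {"event": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Windows\System32\msimg32.dll"},
    {"event": "DriverLoad", "image_loaded": r"C:\Windows\Temp\rwdrv.sys"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\wsl.exe",
     "parent_image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\wsl.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the first, third and fourth sample events produce findings; the system-path msimg32.dll load and the explorer-launched wsl.exe are treated as benign.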