
Qilin (Agenda) Ransomware Targets Windows and Linux with Hybrid BYOVD Exploit and Cross-Platform Payloads

  • Rescana
  • Oct 27
  • 5 min read

Executive Summary

The Qilin ransomware group, also known as Agenda, has recently escalated its threat profile by orchestrating sophisticated hybrid attacks that combine a Linux-based ransomware payload with a Bring Your Own Vulnerable Driver (BYOVD) exploit. This dual-pronged approach enables adversaries to target both Windows and Linux environments, bypassing traditional endpoint defenses and maximizing operational disruption. The group’s latest campaigns leverage cross-platform payload delivery, advanced defense evasion, and credential harvesting, with a particular focus on critical infrastructure, backup systems, and remote management tools. This advisory provides a comprehensive technical breakdown of the attack chain, threat actor profile, exploitation in the wild, victimology, and actionable mitigation strategies for Rescana customers.

Threat Actor Profile

Qilin (also tracked as Agenda, Gold Feather, and Water Galura) operates as a ransomware-as-a-service (RaaS) syndicate, recruiting affiliates to execute attacks using a shared toolkit. The group emerged in 2022 and has since demonstrated rapid innovation, particularly in 2025, by integrating cross-platform payloads and leveraging BYOVD techniques for defense evasion. Qilin’s affiliates are known for their technical proficiency, often utilizing advanced social engineering, credential theft, and lateral movement tactics. The group’s monetization model is based on double extortion, combining data encryption with threats of public data leaks. Qilin’s infrastructure and TTPs show overlap with other high-profile ransomware groups, but its hybrid Linux payload and BYOVD exploitation set it apart as a leading-edge threat actor in the current landscape.

Technical Analysis of Malware/TTPs

The Qilin attack chain is characterized by a modular, multi-stage approach that exploits both human and technical vulnerabilities across enterprise environments.

Initial access is typically achieved through spear-phishing campaigns that deploy information stealers via fake CAPTCHA pages hosted on Cloudflare R2 infrastructure. These phishing lures, such as hxxps://pub-959ff112c2eb41ce8f7b24e38c9b4f94[.]r2[.]dev/Google-Captcha-Continue-Latest-J-KL-3[.]html, are engineered to harvest credentials, cookies, and authentication tokens. In parallel, Qilin affiliates also leverage compromised credentials sourced from dark web marketplaces to gain access to VPNs, RDP endpoints, and domain controllers.

Once inside the network, the attackers escalate privileges and establish persistence by creating rogue administrative accounts (e.g., Supportt) and deploying legitimate remote monitoring and management (RMM) tools such as AnyDesk, ScreenConnect, Atera, and Splashtop. These tools are often installed via automated scripts or through existing RMM infrastructure, allowing the attackers to blend in with legitimate IT operations and evade detection.

Credential access is further expanded by targeting backup infrastructure, particularly Veeam Backup & Replication. Attackers use PowerShell scripts to extract credentials directly from the Veeam SQL database, executing queries like SELECT [user_name], [password] FROM [VeeamBackup].[dbo].[Credentials]. This enables lateral movement and access to privileged accounts across the environment.

A critical innovation in Qilin’s methodology is the use of the BYOVD technique. The attackers deploy vulnerable, often legitimately signed drivers such as eskle.sys, rwdrv.sys, and hlpdrv.sys to disable endpoint detection and response (EDR) and antivirus (AV) solutions at the kernel level. These drivers are loaded using custom loaders (e.g., 2stX.exe, Or2.exe) and are sometimes dropped via DLL sideloading, exploiting trusted applications like Foxit PDF Reader by placing a malicious msimg32.dll in the application directory.

For command and control (C2), Qilin leverages the COROXY SOCKS proxy, deploying malicious DLLs such as socks64.dll into trusted directories (C:\ProgramData\Veeam\, C:\ProgramData\VMware\logs\, C:\ProgramData\Adobe\). This allows the attackers to obfuscate outbound C2 traffic and maintain stealthy communications with their infrastructure, including C2 servers like 146.70.104.163:4396.

Payload delivery is executed with precision. The Linux ransomware binary is transferred to Windows hosts using WinSCP and then executed via Splashtop Remote’s SRManager.exe, bypassing Windows-centric security controls. The Linux payload is highly configurable, supporting command-line options for debugging, logging, whitelisting, and encryption control. It is password-protected to prevent unauthorized execution and is designed to target both Windows and Linux systems, including VMware ESXi and Nutanix AHV hypervisors. The ransomware avoids encrypting critical system directories to maintain system stability and maximize ransom leverage.

Anti-analysis features are embedded throughout the attack chain, including virtual machine detection, process termination routines, and anti-debugging mechanisms. The ransomware drops a standard ransom note with victim-specific credentials for negotiation, reinforcing the double extortion model.

Exploitation in the Wild

Qilin’s hybrid attack campaigns have been observed in the wild since early 2025, with a marked increase in activity during the second and third quarters. The group has claimed responsibility for over 700 victims globally, with a peak of 100 cases in June 2025. The attacks are notable for their focus on critical infrastructure, manufacturing, technology, financial services, and healthcare sectors. Qilin’s ability to target both Windows and Linux environments, including virtualized infrastructure, has enabled it to disrupt operations at scale and demand higher ransom payments.

The exploitation of backup systems, particularly Veeam, is a recurring theme, as it allows the attackers to inhibit system recovery and increase the pressure on victims to pay. The use of BYOVD to disable EDR/AV solutions has been confirmed in multiple incidents, with forensic analysis revealing the presence of vulnerable drivers and associated loader binaries. The deployment of COROXY SOCKS proxies has also been documented, with malicious DLLs found in directories associated with trusted enterprise software.

Victimology and Targeting

Qilin’s targeting is opportunistic but shows a clear preference for organizations with hybrid Windows/Linux environments, extensive use of RMM tools, and reliance on virtualized infrastructure. The most affected sectors include manufacturing, technology, financial services, and healthcare, with a geographic focus on the United States, France, Canada, the United Kingdom, Germany, and Japan. The group’s attacks are characterized by rapid lateral movement, comprehensive credential harvesting, and the systematic disabling of security controls. Victims often report the simultaneous encryption of Windows and Linux systems, including virtual machines hosted on VMware ESXi and Nutanix AHV, as well as the compromise of backup repositories.

Mitigation and Countermeasures

To defend against Qilin’s hybrid ransomware attacks, organizations should implement a multi-layered security strategy that addresses both technical and procedural vulnerabilities.

Continuous monitoring for the loading of unexpected drivers, signed or not, is essential, with a particular focus on eskle.sys, rwdrv.sys, hlpdrv.sys, and fnarw.sys. Endpoint protection platforms should be configured to block the installation of non-approved drivers and to alert on attempts to load known vulnerable drivers, including those that carry a legitimate signature.

The use of RMM tools such as AnyDesk, ScreenConnect, Atera, and Splashtop should be tightly controlled and restricted to authorized hosts and personnel. Regular audits of RMM deployments and associated access logs can help detect unauthorized installations or usage.

Organizations should monitor for the execution of Linux binaries on Windows systems, especially when initiated via remote management tools. Application whitelisting and behavioral analytics can help identify anomalous execution patterns indicative of cross-platform payload delivery.

Backup infrastructure, particularly Veeam, should be hardened and segmented from the main production network. Credentials for backup systems should be rotated regularly, and access should be limited to essential personnel. Monitoring for suspicious PowerShell or SQL activity targeting backup databases is recommended.

Threat hunting teams should search for the presence of COROXY SOCKS proxy DLLs in trusted software directories, as well as for the creation of suspicious administrative accounts such as Supportt. Outbound network connections to known C2 IPs, including 146.70.104.163:4396, should be blocked at the firewall.

User awareness training should be reinforced to mitigate the risk of phishing-based initial access, and multi-factor authentication should be enforced for all remote access points.
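As an added hunting example (not code from the advisory or from Rescana), the indicators named in the technical analysis and the mitigation sections above are expressed as detection rules run over constructed, Sysmon-style events; the event field names and log shape are assumptions, and the sample events are made up to exercise each rule.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted in the advisory above.
VULN_DRIVERS = {"eskle.sys", "rwdrv.sys", "hlpdrv.sys", "fnarw.sys"}
PROXY_DLL_DIRS = {r"c:\programdata\veeam", r"c:\programdata\vmware\logs", r"c:\programdata\adobe"}
ROGUE_ACCOUNTS = {"supportt"}
C2_ENDPOINTS = {("146.70.104.163", 4396)}
VEEAM_CRED_QUERY = re.compile(r"from\s+\[?veeambackup\]?\.\[?dbo\]?\.\[?credentials\]?", re.I)


def classify(event):
    """Return a finding label for one event, or None if it matches no rule.
    Event shape (assumed): {"type": ..., "image"/"account"/"dst_ip"/"script": ...}."""
    kind = event.get("type")
    if kind == "driver_load":
        if PureWindowsPath(event["image"]).name.lower() in VULN_DRIVERS:
            return "BYOVD: known vulnerable driver loaded"
    elif kind == "image_load":
        path = PureWindowsPath(event["image"])
        parent = str(path.parent).lower()
        if path.name.lower() == "socks64.dll" and parent in PROXY_DLL_DIRS:
            return "COROXY SOCKS proxy DLL in trusted directory"
        # msimg32.dll is a Windows system DLL; a copy loaded outside C:\Windows is a sideload candidate.
        if path.name.lower() == "msimg32.dll" and not parent.startswith(r"c:\windows"):
            return "possible DLL sideload (msimg32.dll outside C:\\Windows)"
    elif kind == "user_created":
        if event["account"].lower() in ROGUE_ACCOUNTS:
            return "rogue administrative account created"
    elif kind == "network_connect":
        if (event["dst_ip"], event["dst_port"]) in C2_ENDPOINTS:
            return "outbound connection to known Qilin C2"
    elif kind == "powershell_script":
        if VEEAM_CRED_QUERY.search(event["script"]):
            return "credential extraction query against Veeam SQL database"
    return None


def hunt(events):
    """Run every rule over a list of events; returns (host, finding) pairs."""
    return [(e["host"], hit) for e in events if (hit := classify(e))]


# Constructed sample events (not real telemetry); the last one is benign and must not match.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "driver_load", "image": r"C:\Windows\Temp\rwdrv.sys"},
    {"host": "ws01", "type": "image_load", "image": r"C:\ProgramData\Veeam\socks64.dll"},
    {"host": "ws02", "type": "image_load", "image": r"C:\Program Files\Foxit Software\Foxit PDF Reader\msimg32.dll"},
    {"host": "dc01", "type": "user_created", "account": "Supportt"},
    {"host": "ws02", "type": "network_connect", "dst_ip": "146.70.104.163", "dst_port": 4396},
    {"host": "bkp01", "type": "powershell_script", "script": "SELECT [user_name], [password] FROM [VeeamBackup].[dbo].[Credentials]"},
    {"host": "ws03", "type": "driver_load", "image": r"C:\Windows\System32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

Field names and paths are case-folded before comparison, so mixed-case file names or directory spellings in real telemetry still match.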

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to help organizations proactively identify vulnerabilities and respond to emerging threats. For more information about how Rescana can help secure your organization, we are happy to answer questions at ops@rescana.com.