Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Advanced Hybrid Attack

The Qilin ransomware group has intensified operations in 2025, claiming over 40 victims monthly and peaking at 100 in June, while recently deploying a sophisticated hybrid attack that combines Linux payloads on Windows systems with legitimate IT tools and bring-your-own-vulnerable-driver techniques to evade security measures.

Qilin, also known as Agenda, Gold Feather, and Water Galura, has emerged as one of the most prolific ransomware-as-a-service operations, with August and September 2025 each recording 84 victims. The Russian-speaking threat group, active since July 2022, has primarily targeted manufacturing, professional services, and wholesale trade sectors across the United States, Canada, United Kingdom, France, and Germany.

Attack Methodology and Techniques

Cisco Talos researchers uncovered that Qilin affiliates gain initial network access through leaked administrative credentials purchased on the dark web. The attackers typically follow a systematic approach to compromise systems:

"The actors leverage VPN interfaces for initial access, then perform RDP connections to domain controllers and compromised endpoints," explains the Talos report. "This gives them the foothold needed for system reconnaissance and network mapping."

Once inside, the attackers deploy credential harvesting tools including Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to extract sensitive authentication data from various applications. The stolen credentials enable privilege escalation and lateral movement across the victim's network.

To maintain persistence, Qilin operators install multiple Remote Monitoring and Management (RMM) tools such as:

• AnyDesk
• Chrome Remote Desktop
• Distant Desktop
• GoToDesk
• QuickAssist
• ScreenConnect

The attackers employ sophisticated evasion techniques, including PowerShell commands that disable Antimalware Scan Interface (AMSI), turn off TLS certificate validation, and enable Restricted Admin mode. They also use specialized tools like dark-kill and HRSword to terminate security software processes.

Organizations should understand how ransomware operations function and evolve over time to better prepare their defenses against these sophisticated threats.

The Linux-Windows Hybrid Approach

Trend Micro recently discovered a particularly advanced Qilin attack that demonstrates the group's evolution in tactics. The attack combines their Linux ransomware variant with Windows exploitation techniques.

"What makes this attack unique is how the threat actors deployed a Linux ransomware binary directly on Windows systems," notes Trend Micro's report. "The attackers used Splashtop Remote's management service to execute the Linux payload, effectively creating a cross-platform attack capability."

This hybrid approach included several noteworthy elements:

1. Exploitation of legitimate IT tools, including AnyDesk through Atera Networks' RMM platform
2. Targeted compromise of Veeam backup infrastructure using specialized credential extraction tools
3. Deployment of SOCKS proxy DLLs for remote access and command execution
4. Use of the "eskle.sys" driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable security solutions
5. Execution of the Linux ransomware binary on Windows systems through Splashtop

The Linux ransomware binary provides versatility, allowing attackers to impact both Windows and Linux systems with a single payload. Recent samples have incorporated Nutanix AHV detection, expanding targeting beyond traditional VMware environments to include hyperconverged infrastructure platforms.

Technical Indicators of Compromise

Security teams should monitor for the following indicators that may signal a Qilin attack in progress:

• Unauthorized installation of multiple RMM tools
• PowerShell commands that disable security features
• Presence of the "eskle.sys" driver in unexpected locations
• Unusual Linux binary executions on Windows systems
• Connections to known command and control servers

Early detection of these indicators can help organizations interrupt the attack chain before encryption occurs.

Initial Access and Data Theft

Qilin has diversified its initial access methods beyond credential theft. Some attacks have employed spear-phishing emails and fake CAPTCHA pages hosted on Cloudflare R2 infrastructure, delivering information stealers that harvest credentials for network access.

Before encrypting files, the attackers conduct extensive data theft operations. They use legitimate tools like mspaint.exe, notepad.exe, and iexplore.exe to inspect files for sensitive information, and Cyberduck to transfer valuable data to remote servers.

"Commands executed via Mimikatz targeted a range of sensitive data, including clearing Windows event logs, extracting saved passwords from Chrome's SQLite database, and harvesting credentials related to RDP, SSH, and Citrix," according to Talos researchers.

Modern organizations implementing secure BYOD policies and robust device management solutions may have additional protection layers against these types of credential theft attacks.

Data Exfiltration Tactics

Qilin's data theft operations are methodical and comprehensive. The group prioritizes:

• Financial records and accounting databases
• Customer and employee personally identifiable information
• Intellectual property and trade secrets
• Email correspondence containing sensitive information
• Authentication credentials stored in various applications

This stolen data serves as leverage in double-extortion schemes, where victims face both the threat of encryption and public data leaks if ransoms aren't paid.

Encryption and Ransom Demands

The final stage of a Qilin attack involves deploying the ransomware payload, which encrypts files and drops ransom notes in each encrypted folder. Before encryption begins, the attackers methodically:

1. Wipe event logs to erase evidence of their activities
2. Delete all shadow copies maintained by Windows Volume Shadow Copy Service
3. Disable backup systems to prevent recovery

This systematic destruction of backup capabilities demonstrates Qilin's sophistication and understanding of enterprise disaster recovery approaches. By specifically targeting backup infrastructure like Veeam and harvesting credentials from multiple backup databases, they maximize the pressure on victims to pay ransoms.

Organizations facing encryption should follow established ransomware incident response protocols to minimize damage and facilitate recovery rather than rushing to pay the ransom.

Protecting Your Organization

Organizations can implement several measures to protect against Qilin and similar ransomware threats:

1. Implement multi-factor authentication on all VPN and remote access solutions
2. Regularly audit and rotate administrative credentials
3. Monitor for unusual RMM tool installations and unauthorized remote access sessions
4. Maintain offline backups that cannot be accessed from the production network
5. Deploy endpoint detection solutions that can identify BYOVD techniques
6. Implement network segmentation to limit lateral movement capabilities
7. Conduct regular security awareness training focused on identifying phishing attempts
8. Establish an incident response plan specifically addressing ransomware scenarios

The increasing sophistication of Qilin's approach, particularly the cross-platform capabilities demonstrated in recent attacks, highlights the evolving nature of ransomware threats. As these threat actors continue refining their techniques, organizations must adapt their security postures accordingly.

By understanding Qilin's attack patterns, security teams can better prepare detection and prevention strategies focused on the initial access methods, lateral movement techniques, and backup targeting that characterize these attacks.

According to the CISA Ransomware Guide, implementing a defense-in-depth strategy that combines technical safeguards with organizational policies and user education provides the most effective protection against sophisticated ransomware operations like Qilin.