2025-10-28 | news
Low-grade Publishers Try to Blame "Linux" for Windows TCO
Hacker News ☛ Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack
The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June.
The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for 84 victims each in the months of August and September 2025. The Russian-speaking threat group emerged around July 2022.
Dark Reading ☛ Qilin Targets Windows Hosts With Linux-Based Ransomware
The Qilin ransomware group has attacked Windows hosts using a Linux-based binary in a cross-platform attack that can evade Windows-centric detections and security solutions, including conventional endpoint detection and response (EDR) platforms.
Trend Micro identified the unique attack from the group, which Trend Micro tracks as "Agenda" and considers one of the most impactful ransomware groups currently active. In the attack, Qilin deployed the Linux-based ransomware binary on Windows hosts by abusing legitimate remote management and file transfer tools, specifically AnyDesk, ATERA Networks' remote monitoring and management (RMM) platform, and ScreenConnect.
The group "utilized a novel deployment method combining WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines," Trend Micro researchers wrote in a blog post published Friday.
CSO ☛ Cross-platform ransomware: Qilin weaponizes Linux binaries against Windows hosts
Agenda ransomware group, popularly known as Qilin, has been abusing legitimate remote management and file transfer tools, security researchers revealed in a new disclosure. By deploying a Linux-based ransomware binary on Windows hosts, the threat actor has affected more than 700 victims since January 2025.
According to Trend Micro findings, the cross-platform execution sidesteps Windows-centric detections and security solutions, including conventional endpoint detection and response platforms. The technique used by the Agenda ransomware group can also disable recovery options through the targeted theft of backup credentials and through a Bring Your Own Vulnerable Driver (BYOVD) attack to neutralize endpoint defenses.
“Agenda’s campaign is dangerous because it fuses cross-platform execution with remote-management abuse and driver-level tampering. Running a Linux encryptor through Windows remote tools and using BYOVD to kill EDR creates a potent, detection-resistant mix,” said Chirag Mehta, vice president and principal analyst at Constellation Research.
Security Affairs ☛ Linux variant of Qilin Ransomware targets Windows via remote management tools and BYOVD
Trend Research found that the Qilin ransomware group (aka Agenda) used a Linux ransomware binary on Windows systems via legitimate remote tools, bypassing Windows defenses and EDRs. The cross-platform method enables stealthy attacks, stealing backup credentials and disabling endpoint protections through BYOVD exploits.
The Linux ransomware was deployed on Windows systems using WinSCP for secure file transfer and Splashtop Remote for executing the ransomware binary. The attackers abused AnyDesk via ATERA RMM, ScreenConnect, and MeshCentral to evade detection, and used BYOVD for defense evasion. Attackers also stole Veeam backup credentials to block recovery. Trend Micro highlights that the cross-platform tactic bypasses Windows defenses, showing evolving attacker sophistication.
“This attack challenges traditional Windows-focused security controls,” reads the report published by Trend Micro. “The deployment of Linux ransomware on Windows systems demonstrates how threat actors are adapting to bypass endpoint detection systems not configured to detect or prevent Linux binaries executing through remote management channels.”
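The reports above describe three observable behaviours: a Linux (ELF) binary being launched on a Windows host, that launch coming from a remote-management or file-transfer tool, and backup-credential theft plus a BYOVD driver load to blind recovery and EDR. The following detection sketch is an added example written for this page; it is not code from any of the outlets quoted, from Trend Micro, or from Qilin's tooling. The event records, tool-name list, the "user-writable driver path" heuristic and the Veeam command-line heuristic are all constructed assumptions for illustration, and the vulnerable-driver hash list is deliberately left empty because the page names no driver.

```python
import re
from dataclasses import dataclass
from typing import List

# Every ELF executable (the Linux binary format) begins with these magic bytes.
ELF_MAGIC = b"\x7fELF"

# Remote-management and file-transfer tools the reporting says were abused.
# Matched against the lowercased parent image path; a coarse starting list.
RMM_PARENTS = ("splashtop", "screenconnect", "anydesk", "atera", "meshagent", "winscp")

# Assumption for the BYOVD heuristic: kernel drivers loaded from user-writable
# locations deserve a look. Tune to the environment.
USER_WRITABLE = re.compile(
    r"\\(temp|tmp|programdata|users\\[^\\]+\\(appdata|downloads))\\", re.I
)

# Placeholder: SHA-256 hashes of known-vulnerable drivers would be fed from a
# curated block list. The page names none, so the set is intentionally empty.
KNOWN_VULNERABLE_DRIVER_SHA256: set = set()


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str
    file_header: bytes  # first bytes of the launched file, as a sensor would record


@dataclass
class DriverLoadEvent:
    host: str
    image_path: str
    sha256: str


def parent_is_rmm(parent_image: str) -> bool:
    """True if the parent process path names one of the listed RMM/transfer tools."""
    path = parent_image.lower()
    return any(tag in path for tag in RMM_PARENTS)


def classify_process(ev: ProcessEvent) -> List[str]:
    """Return detection tags for one process-creation event."""
    tags: List[str] = []
    if ev.file_header.startswith(ELF_MAGIC):
        tags.append("elf-executed-on-windows")
        if parent_is_rmm(ev.parent_image):
            tags.append("elf-launched-via-rmm")
    # Backup-credential heuristic (assumption): Veeam referenced together with
    # credential-related words on the command line.
    if re.search(r"veeam", ev.cmdline, re.I) and re.search(
        r"credential|password|decrypt", ev.cmdline, re.I
    ):
        tags.append("backup-credential-access")
    return tags


def classify_driver(ev: DriverLoadEvent) -> List[str]:
    """Return detection tags for one kernel driver load event."""
    tags: List[str] = []
    if ev.sha256.lower() in KNOWN_VULNERABLE_DRIVER_SHA256:
        tags.append("known-vulnerable-driver")
    if USER_WRITABLE.search(ev.image_path):
        tags.append("driver-from-user-writable-path")
    return tags


# Constructed sample telemetry (not real events).
SAMPLE_PROCESSES = [
    ProcessEvent("ws01", r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe",
                 r"C:\Users\Public\enc", "enc --path D:\\", b"\x7fELF\x02\x01\x01"),
    ProcessEvent("ws01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe", b"MZ\x90\x00"),
    ProcessEvent("bk01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\Public\dump.exe", "dump.exe --veeam --credentials", b"MZ\x90\x00"),
]
SAMPLE_DRIVERS = [
    DriverLoadEvent("ws01", r"C:\Users\admin\AppData\Local\Temp\drv.sys", "placeholder-hash"),
    DriverLoadEvent("ws01", r"C:\Windows\System32\drivers\ntfs.sys", "placeholder-hash"),
]


def run_detections(processes, drivers) -> List[tuple]:
    """Collect (host, image_path, tags) for every event that produced a tag."""
    hits = []
    for p in processes:
        tags = classify_process(p)
        if tags:
            hits.append((p.host, p.image, tags))
    for d in drivers:
        tags = classify_driver(d)
        if tags:
            hits.append((d.host, d.image_path, tags))
    return hits


if __name__ == "__main__":
    for host, path, tags in run_detections(SAMPLE_PROCESSES, SAMPLE_DRIVERS):
        print(f"{host}: {path} -> {', '.join(tags)}")
```

The key check is the file header rather than the extension: an ELF payload copied over by WinSCP and started through a remote tool has no reason to carry a telling name, but it cannot avoid the `\x7fELF` magic. Pairing that with the parent-process test gives a higher-confidence alert than either signal alone, and the driver-path and Veeam heuristics cover the two follow-on steps the reports describe.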