Qilin Targets Windows Hosts With Linux-Based Ransomware

Summary

Trend Micro has reported that the Qilin (aka Agenda) ransomware operation deployed a Linux-based ransomware binary onto Windows hosts by abusing legitimate remote management and file-transfer tools. The attackers used AnyDesk, ATERA RMM, ScreenConnect, WinSCP and Splashtop to deliver and execute the payload, and specifically targeted Veeam backup systems to steal credentials and cripple recovery options. The intrusion chain began with sophisticated social engineering that used Cloudflare R2-hosted fake CAPTCHA pages to deliver an infostealer, enabling credential harvesting and MFA bypass. Qilin also leverages BYOVD (bring your own vulnerable driver) techniques to neutralise endpoint defences. The group operates as a RaaS double-extortion actor and has hit hundreds of organisations across multiple sectors and countries in 2025.

Key Points

  • Qilin deployed a Linux ransomware binary on Windows machines via remote management and file-transfer tools (AnyDesk, ATERA, ScreenConnect, WinSCP, Splashtop).
  • Attackers targeted Veeam backup infrastructure to harvest credentials and undermine disaster recovery before encrypting data.
  • Initial access relied on social engineering: fake CAPTCHA pages hosted on Cloudflare R2 delivered an infostealer to steal tokens, cookies and stored credentials.
  • Threat actors used harvested tokens to bypass MFA and rode legitimate sessions to move laterally, indicating credential theft rather than exploitation of a software vulnerability.
  • Two separate evasion techniques were observed: BYOVD (loading a vulnerable signed driver) to neutralise endpoint defences, and running a Linux ELF payload on Windows so that EDR detections and hunting logic tuned for Windows ransomware artefacts did not fire.
  • Qilin is a high-volume RaaS double-extortion operation with hundreds of victims worldwide and has allied with other ransomware groups to form a cartel.

Context and relevance

This campaign highlights a growing trend: attackers using cross-platform binaries and legitimate remote tools to defeat security controls tuned only for Windows artefacts. Organisations that run hybrid Windows/Linux environments, centralised backup solutions or remote access platforms are at elevated risk. The attack shows that backup systems and credential/token protection are now core parts of ransomware resilience, and defenders must widen telemetry and detection to include both Windows and Linux behaviours executed via RMM channels.

Why should I read this?

Short version: if you run backups, RMM tools or a mixed Windows/Linux estate, this matters. Qilin’s trick of running a Linux payload on Windows through everyday admin tools is the sort of sideways, low-noise move that will slip past teams who only look for classic Windows ransomware. Read it so you can patch gaps before someone else tests your disaster recovery for you.

Author style

Punchy take: this isn’t a niche curiosity — it’s a deliberate evasion play from one of 2025’s most active RaaS gangs. The detail matters: targeted backup credential theft, MFA bypass via harvested tokens, and cross-platform execution change the defensive checklist. If you care about recoverability and endpoint visibility, act on the recommendations below.

Suggested actions (brief)

  • Restrict RMM and remote-access tools (AnyDesk, ATERA, ScreenConnect, Splashtop) and file-transfer clients such as WinSCP to authorised hosts and admin accounts, and alert on their presence anywhere else.
  • Harden backup infrastructure: keep backup admin credentials separate from domain admin accounts, keep at least one copy immutable or offline, and monitor for abnormal access to backup consoles and repositories.
  • Deploy phishing-resistant MFA and protect session tokens and privileged sessions from theft; treat stored browser credentials and cookies as sensitive material.
  • Extend EDR and SOC playbooks to capture Linux telemetry on Windows hosts and to flag non-PE (ELF) files dropped or executed via RMM and file-transfer channels.
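The following detection sketch shows how the first and last actions above can be turned into rules a SOC could run over endpoint telemetry: it flags remote-access tooling on hosts outside an allow-list, and ELF-magic files dropped or executed on Windows via those tools. This is an added example written for this summary, not code from Trend Micro or the source article; the process names, the host allow-list, the event format and the sample events are all assumptions constructed for illustration.

```python
"""Flag remote-access tooling abuse and Linux (ELF) payloads on Windows hosts.

Added example, not code from the source article. The tool binary names,
the authorised-host list and the event schema are assumptions; the sample
events below are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Assumed executable names for the tools named in the report; tune to your estate.
REMOTE_TOOLS = {
    "anydesk.exe",                      # AnyDesk
    "ateraagent.exe",                   # ATERA RMM
    "screenconnect.clientservice.exe",  # ScreenConnect
    "srmanager.exe",                    # Splashtop
    "winscp.exe",                       # WinSCP (file transfer)
}

# Hypothetical allow-list: hosts where remote-access tooling is authorised.
AUTHORISED_HOSTS = {"ADMIN-JUMP01", "ADMIN-JUMP02"}

ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"


@dataclass
class Event:
    kind: str          # "process" (execution) or "file" (file written to disk)
    host: str
    actor_image: str   # parent process for "process", writing process for "file"
    target: str        # executed image for "process", written path for "file"
    head: bytes        # first bytes of the target file as recorded by the sensor


def file_kind(head: bytes) -> str:
    """Classify a file by its magic bytes: Windows PE, Linux ELF, or other."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "other"


def evaluate(ev: Event) -> list[str]:
    """Return the list of rule names that fire for one event (empty if none)."""
    alerts: list[str] = []
    actor = ev.actor_image.rsplit("\\", 1)[-1].lower()
    magic = file_kind(ev.head)
    is_remote_tool = actor in REMOTE_TOOLS

    # Rule 1: remote-access / transfer tooling active on a host not authorised for it.
    if is_remote_tool and ev.host.upper() not in AUTHORISED_HOSTS:
        alerts.append(f"rmm_on_unauthorised_host:{actor}")

    if ev.kind == "process":
        # Rule 2: a Linux executable running on a Windows host is never normal.
        if magic == "elf":
            alerts.append(f"elf_executed_on_windows:{actor}")
        # Rule 3: remote tooling launched something that is not a PE image.
        elif is_remote_tool and magic != "pe":
            alerts.append(f"rmm_spawned_non_pe:{actor}")
    elif ev.kind == "file" and is_remote_tool and magic == "elf":
        # Rule 4: remote tooling staged an ELF payload on disk (the delivery step).
        alerts.append(f"elf_dropped_by_remote_tool:{actor}")
    return alerts


# Constructed sample telemetry, not from a real incident.
SAMPLE_EVENTS = [
    Event("process", "ADMIN-JUMP01", r"C:\Program Files\AnyDesk\AnyDesk.exe",
          r"C:\Windows\System32\cmd.exe", b"MZ\x90\x00"),
    Event("file", "FILESRV03", r"C:\Program Files\WinSCP\WinSCP.exe",
          r"C:\Users\Public\update", b"\x7fELF\x02\x01\x01"),
    Event("process", "BACKUP01", r"C:\Program Files (x86)\Splashtop\SRManager.exe",
          r"C:\ProgramData\svc", b"\x7fELF\x02\x01\x01"),
    Event("process", "WS-0421", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\notepad.exe", b"MZ\x90\x00"),
    Event("process", "ADMIN-JUMP02", r"C:\Program Files\ATERA\AteraAgent.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", b"MZ\x90\x00"),
]


def run(events: list[Event] = SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map 'host:target' to the alerts raised, for events that raised any."""
    return {f"{e.host}:{e.target}": a for e in events if (a := evaluate(e))}


if __name__ == "__main__":
    for key, alerts in run().items():
        print(key, "->", ", ".join(alerts))
```

Only the two hosts that saw an ELF file via remote tooling are reported; the authorised jump hosts running the same agents stay quiet, which is the point of pairing the allow-list with the file-magic check rather than alerting on the tools alone. In production the `head` bytes would come from your EDR's file-hash or image-load telemetry, and the rules belong in the SIEM rather than a script.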

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/qilin-targets-windows-hosts-linux-based-ransomware