
Windows and Linux Taken Hostage by Qilin

  • Written by Javier Conejo del Cerro
  • 27 Oct
  • 3 min read

From a shadowed corner of the ransomware-as-a-service (RaaS) landscape, Qilin — also known as Agenda, Gold Feather, and Water Galura — has become one of 2025’s most relentless hostage-takers. Over the past year, its affiliates have struck with increasing ferocity, reaching nearly 100 leak-site victims by June alone.

What sets this campaign apart is its hybrid nature: Qilin's affiliates ran a Linux ransomware binary on Windows hosts, combining leaked credentials, phishing, and a BYOVD (Bring Your Own Vulnerable Driver) attack to compromise both platforms in a single intrusion.


Phase 1 — Recon & Initial Access 


The campaign begins where many modern breaches do: with credentials already stolen or socially engineered. Affiliates often purchase or harvest admin credentials on dark-web marketplaces, or obtain them through spear-phishing campaigns and fake CAPTCHA/ClickFix lures that trick victims into executing malicious scripts.

Once inside, attackers leverage VPN and RDP sessions to reach critical endpoints and domain controllers, establishing persistence through existing infrastructure rather than noisy exploits.

  • Entry vectors: stolen VPN/RDP credentials, spear-phishing emails, fake CAPTCHA/ClickFix pages hosted on Cloudflare R2.

  • Primary tools: Mimikatz, WebBrowserPassView, and SharpDecryptPwd for dumping credentials from memory, browsers, and saved client-application profiles; the harvested logins then drive lateral movement.

  • Goal: reach privileged systems without detection, often using legitimate logins from compromised administrators.


Phase 2 — Credential Harvesting & Lateral Movement


Once access is secured, Qilin affiliates map the victim’s network in detail. They extract credentials and tokens using Mimikatz, BypassCredGuard, and similar tools, then pivot laterally across RDP/SSH connections.

Legitimate Remote Monitoring and Management (RMM) utilities — such as AnyDesk, ScreenConnect, Chrome Remote Desktop, GoToDesk, and Splashtop — are deployed or abused to blend into normal administrative activity.

This stage reflects Qilin's operational maturity: using real, signed IT tools for illicit control, which antivirus and EDR products tend to treat as benign administrative activity.

  • Persistence: through RMM software and the COROXY SOCKS proxy DLL (a SystemBC-based backdoor).

  • Data gathered: domain admin credentials, backup credentials, remote management tokens, and configuration files.

  • Privilege escalation: largely unnecessary once administrator credentials are stolen; otherwise achieved through Windows privilege and token manipulation.


Phase 3 — System Compromise & Payload Deployment 


With full domain visibility, affiliates turn to disabling security mechanisms. Through PowerShell commands, they bypass AMSI, disable TLS certificate validation so payloads can be fetched from untrusted hosts, and terminate AV processes using utilities like dark-kill and HRSword.

The BYOVD (Bring Your Own Vulnerable Driver) technique then comes into play: by loading the vulnerable driver eskle.sys, attackers gain kernel-level primitives to disable protections and terminate security tooling that user-mode utilities cannot touch.

Finally, they transfer the Linux ransomware binary into the Windows environment via WinSCP or Cyberduck and execute it with Splashtop's SRManager.exe. This cross-platform technique lets a single payload encrypt both Windows and Linux systems, an evolution of Qilin's Linux variant, which had previously been aimed at VMware environments.

  • Malware infrastructure: Cobalt Strike and SystemBC beacons for command-and-control.

  • Data stolen: domain and backup credentials, sensitive configuration files, repository data, and RMM access tokens.

  • Final act: encryption of files across both operating systems and deletion of Windows Volume Shadow Copies (VSS) to prevent recovery.


Phase 4 — Impact & Monetization 


By the time the ransom note appears, the victim organization has already lost more than just files — they’ve lost control of their hybrid infrastructure.

Backups hosted in Veeam or Nutanix AHV environments are compromised early, rendering recovery difficult or impossible. Manufacturing lines stop, services freeze, and enterprise operations grind to a halt.

Qilin’s leak site publishes stolen data to pressure victims into payment, showcasing exfiltrated credentials and internal documents. For affiliates, it’s business as usual: maximum disruption, minimum traceability.


Phase 5 — Defensive Countermeasures 


The sophistication of Qilin’s hybrid operation underscores a critical truth: cross-platform resilience is now mandatory.

To fend off similar ransomware intrusions, defenders should act across multiple layers of identity, access, and monitoring:

  • Enforce MFA and least privilege on all admin and remote access accounts.

  • Rotate and revoke leaked or reused credentials from VPNs and RDP endpoints.

  • Segment and isolate backup environments like Veeam or Nutanix AHV — test offline restores regularly.

  • Harden RMM usage: allowlist approved tools, monitor new installs or abnormal sessions.

  • Hunt for BYOVD behavior: driver loads (like eskle.sys) and PowerShell AMSI/TLS tampering.

  • Detonate phishing attachments and ClickFix lures in a sandbox, and block the credential-stealing scripts and hosting domains they resolve to.

  • Tune EDR/NDR for cross-platform anomalies: ELF binaries written to or executed from Windows hosts, and file-transfer tools (WinSCP, Cyberduck) staging payloads between the two worlds.
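The hunts listed above, together with the Phase 3 indicators (eskle.sys driver load, PowerShell AMSI and TLS tampering, shadow-copy deletion, unapproved RMM binaries, and a Linux ELF landing on a Windows host), can be turned into simple detection logic. The following Python is an added example, not Qilin's code and not any vendor's detection content. It runs over constructed Sysmon-style events (Event IDs 1, 6 and 11); the RMM binary names, the allowlist, and the `FirstBytes` enrichment on file-create events are assumptions for illustration.

```python
"""Hunting rules for the Qilin tradecraft described above, run over constructed
Sysmon-style events. Added example; event shapes, binary names and the
FirstBytes enrichment are assumptions, not indicators from the report."""
import ntpath
import re

# Assumption: this organisation sanctions only ScreenConnect for remote support.
APPROVED_RMM = {"screenconnect.clientservice.exe"}
# Process names for the RMM tools named in the article. Assumed from the
# vendors' default installs; they are not indicators from the report.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "remoting_host.exe",              # Chrome Remote Desktop host service
    "srmanager.exe", "srserver.exe",  # Splashtop Remote / Streamer
}
BYOVD_DRIVERS = {"eskle.sys"}         # the driver the article names
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"
ELF_MAGIC = b"\x7fELF"

AMSI_RE = re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer", re.I)
TLS_RE = re.compile(r"servercertificatevalidationcallback|trustallcerts", re.I)
VSS_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\bdelete\b", re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_elf(first_bytes: bytes) -> bool:
    """ELF files start with 0x7f 'E' 'L' 'F'; a Windows PE starts with 'MZ'."""
    return first_bytes.startswith(ELF_MAGIC)


def check_event(ev: dict) -> list:
    """Return (host, rule, evidence) tuples for one Sysmon-like event."""
    hits = []
    eid, host = ev.get("EventID"), ev.get("Host", "?")
    image = ev.get("Image", "")
    name = basename(image)
    if eid == 6:  # DriverLoad
        if name in BYOVD_DRIVERS:
            hits.append((host, "byovd_known_driver", name))
        elif not image.lower().startswith(SYSTEM_DRIVER_DIR):
            hits.append((host, "driver_outside_system_dir", image))
    elif eid == 1:  # ProcessCreate
        cmd = ev.get("CommandLine", "")
        if name in ("powershell.exe", "pwsh.exe"):
            if AMSI_RE.search(cmd):
                hits.append((host, "amsi_bypass", cmd))
            if TLS_RE.search(cmd):
                hits.append((host, "tls_validation_disabled", cmd))
        if VSS_RE.search(cmd):
            hits.append((host, "shadow_copy_deletion", cmd))
        if name in RMM_BINARIES and name not in APPROVED_RMM:
            hits.append((host, "unapproved_rmm", name))
    elif eid == 11:  # FileCreate; FirstBytes is an assumed enrichment, not a Sysmon field
        if is_elf(ev.get("FirstBytes", b"")):
            hits.append((host, "elf_written_to_windows_host", ev.get("TargetFilename")))
    return hits


def hunt(events) -> list:
    return [hit for ev in events for hit in check_event(ev)]


# Constructed sample telemetry (not from a real incident).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 6, "Host": "WS-042", "Image": r"C:\Windows\Temp\eskle.sys"},
    {"EventID": 6, "Host": "WS-042", "Image": r"C:\Windows\System32\drivers\ndis.sys"},
    {"EventID": 1, "Host": "WS-042", "Image": PS,
     "CommandLine": "powershell -nop -w hidden -c \"[Ref].Assembly.GetType("
                    "'System.Management.Automation.AmsiUtils').GetField("
                    "'amsiInitFailed','NonPublic,Static').SetValue($null,$true)\""},
    {"EventID": 1, "Host": "WS-042", "Image": PS,
     "CommandLine": "powershell -c \"[Net.ServicePointManager]::"
                    "ServerCertificateValidationCallback = {$true}\""},
    {"EventID": 1, "Host": "SRV-DC1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Host": "SRV-FILE1",
     "Image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe",
     "CommandLine": "SRManager.exe"},
    {"EventID": 1, "Host": "WS-001",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "CommandLine": "ScreenConnect.ClientService.exe"},
    {"EventID": 11, "Host": "SRV-FILE1", "TargetFilename": r"C:\Users\Public\agenda",
     "FirstBytes": b"\x7fELF\x02\x01\x01\x00"},
    {"EventID": 11, "Host": "WS-001", "TargetFilename": r"C:\Users\Public\notes.exe",
     "FirstBytes": b"MZ\x90\x00"},
]

if __name__ == "__main__":
    for host, rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{host:10} {rule:30} {evidence}")
```

Run against the sample set, the rules fire six times: the eskle.sys load, both PowerShell tampering commands, the vssadmin deletion, the Splashtop binary outside the allowlist, and the ELF file written to the file server; the in-tree driver, the sanctioned ScreenConnect client, and the PE file stay quiet. In production the same logic belongs in the SIEM (Sigma or KQL), with the RMM allowlist kept in sync with what the help desk actually deploys, and the driver rule extended with a blocklist such as Microsoft's vulnerable driver list rather than the single name known from this campaign.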


The Qilin campaign represents the next evolutionary step in ransomware operations: Linux binaries weaponized for Windows, combined with BYOVD exploits and legitimate admin tools to achieve stealth and persistence.

For defenders, it’s a reminder that attackers no longer respect operating system boundaries.

Security postures must shift accordingly — from endpoint-centric to identity-centric, from single-platform visibility to cross-domain detection.

Qilin’s message to enterprises is clear: if your infrastructure talks to both worlds, both are fair game.



Source: The Hacker News

