Qilin Ransomware Uses Linux Payloads to Attack Windows Systems

Security researchers at Trend Micro have documented a cross-platform ransomware campaign in which the Qilin group (aka Agenda) staged Linux-based ransomware binaries on Windows hosts, evading endpoint defenses and compromising enterprise backup infrastructure before encryption.

🧩 Attack Overview

Trend Micro reports that Qilin abused legitimate remote access tools, including AnyDesk, ATERA RMM, and ScreenConnect, to maintain access, move laterally, and ultimately run its Linux ransomware payload on Windows machines.

“The technique enables low-noise operations that disable recovery options, steal backup credentials, and neutralize endpoint defenses via BYOVD [Bring Your Own Vulnerable Driver] attacks,” said Trend Micro.

Qilin used WinSCP to transfer the payload and Splashtop Remote to launch it, taking advantage of the mixed Windows and Linux estate typical of hybrid networks.

🔐 Targeted Assets

Attackers focused on Veeam backup infrastructure, harvesting credentials from multiple backup databases to cripple disaster recovery before the ransomware was deployed.

The payload delivered a ransom note featuring unique credentials for accessing the group’s negotiation portal — a hallmark of Qilin’s Ransomware-as-a-Service (RaaS) operation.

🕵️ Social Engineering and Initial Access

The campaign began with phishing that used fake CAPTCHA pages hosted on Cloudflare R2 and styled after Google's verification screens.
These pages dropped infostealers that harvested credentials, tokens, and browser cookies, allowing Qilin to:

  • Bypass multifactor authentication (MFA)
  • Move laterally using valid user sessions
  • Execute payloads under legitimate user contexts

🌍 Global Impact

According to Trend Micro and Cisco Talos:

  • Qilin has impacted 700+ organizations across 62 countries since January 2025.
  • The U.S., France, Canada, the U.K., and Germany are among the most affected.
  • Victims span manufacturing, financial services, healthcare, and tech sectors.
  • Attack rate: roughly 40 or more cases per month, peaking at about 100 in June and August 2025.

Qilin is reported to be part of a ransomware cartel with LockBit and DragonForce, sharing infrastructure and intelligence to extend its reach.

🧰 Recommended Security Measures

To defend against cross-platform ransomware like Qilin:

  • 🔒 Restrict remote access tools (AnyDesk, ATERA, Splashtop, ScreenConnect, etc.) to an allow-list of authorized hosts and alert on any execution elsewhere.
  • 🧠 Integrate Linux and Windows telemetry into EDR/SOC monitoring, and treat an ELF binary landing on a Windows host as suspicious by default.
  • 🧱 Harden backup infrastructure (Veeam in this case) and monitor for unauthorized access to backup credential stores.
  • 🧾 Apply phishing-resistant MFA and track unusual token or session reuse, since stolen cookies let attackers skip the MFA prompt entirely.
  • 🚫 Detect BYOVD abuse through kernel driver integrity monitoring and vulnerable-driver block lists.
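As an added example (not Trend Micro's analysis and not code from the report), the following Python script turns the attack chain described above and the first three recommendations into detection checks that run over a constructed scratch directory and constructed Sysmon-style events: a remote access or transfer tool running on a host that is not on its allow-list, an ELF (Linux) binary written to a Windows host by such a tool, and a query against the Veeam backup database that looks like credential harvesting. The process names in REMOTE_TOOLS, the AUTHORIZED_HOSTS allow-list, the sample events, and the file names are assumptions to be tuned to a real environment.

```python
"""Added example (not Trend Micro's or Qilin's code): three detection checks for the
chain described above. Sample files, events, tool names and host allow-list are constructed
assumptions to be tuned to a real environment."""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"   # Linux executable header; should never appear on a Windows host
MZ_MAGIC = b"MZ"         # Windows PE header

# Assumed process names for the tools named in the report (check your own inventory).
REMOTE_TOOLS = {"anydesk.exe", "ateraagent.exe", "screenconnect.clientservice.exe",
                "srserver.exe", "srmanager.exe", "winscp.exe"}
# Assumed allow-list: hosts that may legitimately run each tool; a tool not listed is allowed nowhere.
AUTHORIZED_HOSTS = {"anydesk.exe": {"HELPDESK-01"}, "winscp.exe": {"ADMIN-JUMP"}}


def file_kind(head: bytes) -> str:
    """Classify a file by its first bytes: 'elf', 'pe' or 'other'."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(MZ_MAGIC):
        return "pe"
    return "other"


def file_kind_on_disk(path: str) -> str:
    """Read the first four bytes of a file and classify them; 'missing' if unreadable."""
    try:
        with open(path, "rb") as f:
            return file_kind(f.read(4))
    except OSError:
        return "missing"


def scan_for_elf(root: str) -> list[str]:
    """Walk a tree and return every ELF file (a cheap sweep for staged Linux payloads)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if file_kind_on_disk(path) == "elf":
                hits.append(path)
    return sorted(hits)


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_events(events: list[dict]) -> list[dict]:
    """Sysmon-style events: EventID 1 = ProcessCreate, EventID 11 = FileCreate."""
    alerts = []
    for ev in events:
        image, host = _basename(ev.get("Image", "")), ev["Computer"]
        if ev["EventID"] == 1:
            # Rule 1: remote access/transfer tool running on a host not on its allow-list.
            if image in REMOTE_TOOLS and host not in AUTHORIZED_HOSTS.get(image, set()):
                alerts.append({"rule": "remote-tool-unauthorized-host", "host": host, "image": image})
            # Rule 3: query against the Veeam backup database (credential harvesting heuristic).
            cmd = ev.get("CommandLine", "").lower()
            if "veeambackup" in cmd and ("sqlcmd" in cmd or "select " in cmd):
                alerts.append({"rule": "veeam-credential-db-query", "host": host, "image": image})
        elif ev["EventID"] == 11 and image in REMOTE_TOOLS:
            # Rule 2: a remote tool wrote a file whose header says it is a Linux binary.
            target = ev["TargetFilename"]
            if file_kind_on_disk(target) == "elf":
                alerts.append({"rule": "elf-dropped-by-remote-tool", "host": host,
                               "image": image, "file": target})
    return alerts


def build_demo() -> tuple[str, list[dict]]:
    """Constructed scratch directory plus events mimicking the reported chain."""
    root = tempfile.mkdtemp(prefix="qilin-demo-")
    payload = os.path.join(root, "agenda")        # staged Linux binary (fake header only)
    updater = os.path.join(root, "update.exe")    # ordinary PE file; must not alert
    with open(payload, "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57)
    with open(updater, "wb") as f:
        f.write(MZ_MAGIC + b"\x90\x00" + b"\x00" * 60)
    winscp = r"C:\Program Files (x86)\WinSCP\WinSCP.exe"
    events = [
        {"EventID": 1, "Computer": "FILESRV-07", "Image": winscp, "CommandLine": "WinSCP.exe"},
        {"EventID": 11, "Computer": "FILESRV-07", "Image": winscp, "TargetFilename": payload},
        {"EventID": 11, "Computer": "FILESRV-07", "Image": winscp, "TargetFilename": updater},
        {"EventID": 1, "Computer": "HELPDESK-01", "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
         "CommandLine": "AnyDesk.exe"},
        {"EventID": 1, "Computer": "BACKUP-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell -c \"sqlcmd -S . -d VeeamBackup -Q 'SELECT * FROM Credentials'\""},
    ]
    return root, events


if __name__ == "__main__":
    root, events = build_demo()
    print("ELF files found:", scan_for_elf(root))
    for alert in analyze_events(events):
        print(alert)
```

Run stand-alone, the demo produces one ELF hit (the staged "agenda" file) and three alerts: WinSCP running on FILESRV-07, which is not its authorized jump host; WinSCP writing an ELF file to that host; and a PowerShell-launched sqlcmd query against the VeeamBackup database. The AnyDesk event on HELPDESK-01 and the PE file written by WinSCP are correctly ignored. The magic-byte check is the cheap signal for the cross-platform trick the article describes: Windows EDR rules keyed on PE loaders will not see a Linux ELF file as an executable, but its header still gives it away.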

🛡️ Alcaeus Services Insight

As ransomware groups embrace cross-platform payloads, traditional Windows-only defenses are no longer enough.
At Alcaeus Services, we help organizations:

  • Deploy multi-platform EDR visibility (Windows + Linux)
  • Strengthen identity-based controls and access policies
  • Build resilient backup strategies that resist credential-based compromise
