Qilin Ransomware That Targets VMware and Windows Networks Using Linux RATs
Overview
The Agenda (Qilin) ransomware group has evolved its attack methodology by deploying Linux ransomware variants directly on Windows systems, challenging traditional endpoint detection controls.
According to Trend™ Research, the group abused legitimate IT administration tools—Splashtop Remote, WinSCP, Atera Networks, ScreenConnect, and AnyDesk—to transfer and execute Linux payloads inside hybrid Windows-Linux environments. This tactic effectively bypasses conventional Windows-centric endpoint detection and response (EDR) controls.
Agenda’s campaign demonstrates an evolution toward multi-platform, tool-assisted ransomware delivery, targeting VMware infrastructure and Veeam backup systems through a combination of Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques, credential theft, and cross-compiled ransomware binaries.
Who It Impacts
- Enterprises operating VMware vCenter, ESXi, or Workstation platforms.
- Organizations using Windows hosts running Linux VMs or WSL (Windows Subsystem for Linux).
- Businesses utilizing remote monitoring and management (RMM) tools like Splashtop, AnyDesk, ScreenConnect, or Atera.
- Companies with Veeam backup infrastructure or centralized credential storage systems.
- High-value industries including manufacturing, technology, financial services, and healthcare.
How It Impacts
The attack chain begins with fake CAPTCHA pages hosted on Cloudflare R2, which deliver information-stealing malware to collect credentials and authentication tokens.
Using these stolen credentials, attackers infiltrate enterprise networks and install multiple RMM tools (e.g., AnyDesk, ScreenConnect) to establish redundant access channels disguised as legitimate administrative activity.
Next, WinSCP is used for secure file transfer to move Linux ransomware binaries onto Windows hosts. The attackers then leverage Splashtop to execute the payloads directly on Windows systems — a technique that circumvents endpoint detection systems primarily tuned for Windows executables.
Inside the environment, threat actors:
- Execute PowerShell scripts (Base64-encoded) to extract and decrypt credentials from Veeam backup databases.
- Target Veeam systems to disable recovery options before encryption.
- Query database tables such as Credentials, BackupRepositories, and WinServers to collect domain administrator and service account credentials.
- Deploy BYOVD drivers (e.g., eskle.sys, rwdrv.sys, hlpdrv.sys) to disable endpoint protection, and a malicious msimg32.dll for DLL sideloading.
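The credential-harvesting step above relies on Base64-encoded PowerShell, which hides the SQL queries against the Veeam tables from plain command-line matching. The following added detection example (not code from the advisory or from Trend Research) decodes the UTF-16LE payload behind a -EncodedCommand argument in process-creation records and flags scripts that reference the Credentials, BackupRepositories or WinServers tables. The log format, the hostnames and the sample script are constructed for the demonstration, and the set of accepted -EncodedCommand abbreviations is an assumption to adjust to your own telemetry.

```python
import base64
import binascii
import re

# Veeam backup-database tables the advisory reports the actors query, used here as
# detection keywords; "Veeam" is included as a broader hint.
VEEAM_KEYWORDS = ("Credentials", "BackupRepositories", "WinServers", "Veeam")

# Matches -e / -ec / -en / -enc / -encodedcommand followed by a Base64 token.
# Assumption: this abbreviation set covers what powershell.exe accepts as a prefix
# of -EncodedCommand; extend it if your logging normalises the argument differently.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded UTF-16LE script behind a -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not a well-formed encoded command; nothing to inspect


def veeam_indicators(script):
    """Return the Veeam credential-related keywords present in a decoded script."""
    lowered = script.lower()
    return [k for k in VEEAM_KEYWORDS if k.lower() in lowered]


def scan_process_log(lines):
    """Return findings for lines whose encoded PowerShell references Veeam credential data."""
    findings = []
    for line in lines:
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        hits = veeam_indicators(decoded)
        if hits:
            findings.append({"line": line, "decoded": decoded, "indicators": hits})
    return findings


def build_sample_log():
    """Constructed process-creation records for the demonstration; not real telemetry."""
    suspicious = 'Invoke-Sqlcmd -Query "SELECT * FROM Credentials; SELECT * FROM BackupRepositories"'
    benign = "Get-Process | Where-Object CPU -gt 100"

    def enc(script):
        # PowerShell expects the encoded command as Base64 over UTF-16LE text
        return base64.b64encode(script.encode("utf-16le")).decode()

    return [
        f"host=WS01 user=svc_backup image=powershell.exe cmd=powershell.exe -NoP -W Hidden -enc {enc(suspicious)}",
        f"host=WS02 user=jdoe image=powershell.exe cmd=powershell.exe -EncodedCommand {enc(benign)}",
        "host=WS03 user=admin image=cmd.exe cmd=cmd.exe /c whoami",
    ]


if __name__ == "__main__":
    for finding in scan_process_log(build_sample_log()):
        print(finding["indicators"], "<-", finding["decoded"])
```

Only the first constructed record is reported: the second decodes to an ordinary process query and the third carries no encoded argument at all. Feeding the decoded script into a rule, rather than matching on the raw command line, is what keeps the query names visible.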
The attackers also establish SOCKS proxy tunnels hidden within directories of legitimate software (Veeam, VMware, Adobe), camouflaging C2 traffic within normal enterprise communications.
This campaign’s defining traits include credential theft, backup sabotage, driver exploitation, and hybrid payload execution, ensuring both encryption success and prevention of recovery.
Targeted Products
- VMware vCenter Server
- VMware ESXi Hypervisors
- VMware Workstation / Fusion
- Windows systems hosting Linux binaries or WSL
- Veeam Backup & Replication systems
- Splashtop, AnyDesk, ScreenConnect, Atera RMM tools
Recommendations
- Patch & Update
  - Apply the latest VMware, Veeam, and Windows security patches.
  - Remove or update vulnerable drivers (e.g., eskle.sys, rwdrv.sys, hlpdrv.sys).
- Access Control & Monitoring
  - Restrict and monitor RMM tools (AnyDesk, Splashtop, ScreenConnect) to authorized administrative hosts.
  - Enforce multi-factor authentication (MFA) for all privileged accounts.
  - Audit and limit PowerShell and remote execution privileges.
- Credential & Backup Protection
  - Segment backup systems from production networks.
  - Restrict database and credential access using least privilege principles.
  - Encrypt and rotate stored Veeam credentials.
- Network Security
  - Deploy IDS/IPS signatures to detect Linux ELF payloads in Windows environments.
  - Inspect outbound traffic for C2 channels masquerading as legitimate RMM communications.
- Incident Preparedness
  - Verify immutable offline backups and recovery workflows.
  - Conduct tabletop exercises for hybrid environment ransomware response.
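The "Linux ELF payloads in Windows environments" recommendation can be checked on the host as well as on the wire: an ELF file has no business sitting in a Windows profile or an RMM transfer folder. The following added example (not code from the advisory) walks a directory tree, reads the first 64 bytes of each file and parses the ELF identification bytes and e_machine field, so a hunt can report architecture and object type rather than a bare magic match. The scanned tree is constructed in a temporary directory and contains a minimal x86-64 ELF header named after the advisory's payload plus an "MZ" stub; the machine and type tables are small subsets of the real ELF constants.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
# Subset of e_machine values (System V ABI); unknown values are reported in hex.
ELF_MACHINES = {3: "x86", 62: "x86-64", 183: "aarch64"}
# Subset of e_type values.
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN"}


def inspect_elf_header(data):
    """Parse the first bytes of a file; return ELF details, or None if it is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None or ei_class not in (1, 2):
        return None  # magic present but ident malformed: treat as not-an-ELF
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"0x{e_type:x}"),
        "machine": ELF_MACHINES.get(e_machine, f"0x{e_machine:x}"),
    }


def scan_tree(root):
    """Return (path, details) for every ELF file found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)            # the ELF header fits in 64 bytes
            except OSError:
                continue                          # locked or unreadable; skip
            info = inspect_elf_header(head)
            if info:
                findings.append((path, info))
    return findings


def build_sample_tree():
    """Constructed sample tree: one minimal x86-64 ELF header and one PE-style stub."""
    root = tempfile.mkdtemp(prefix="elfscan_")
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, OS ABI 0, then 8 pad bytes;
    # e_type = 2 (EXEC), e_machine = 62 (x86-64); remainder zero-filled to 64 bytes.
    elf = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 2, 62) + b"\x00" * 44
    with open(os.path.join(root, "mmh_linux_x86-64"), "wb") as fh:
        fh.write(elf)
    with open(os.path.join(root, "notepad.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    return root


if __name__ == "__main__":
    for path, info in scan_tree(build_sample_tree()):
        print(path, info)
```

Pointing scan_tree at user profile directories, RMM download folders and the Veeam, VMware and Adobe program directories named in the advisory turns the recommendation into a repeatable check; any ELF hit on a Windows host that is not a WSL distribution path deserves a look.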
Indicators of Compromise (IOCs)
- Linux payload: mmh_linux_x86-64 (executed on Windows hosts)
- BYOVD tools: 2stX.exe, Or2.exe
- Malicious drivers: eskle.sys, rwdrv.sys, hlpdrv.sys
- Malicious DLL loader: msimg32.dll
- Renamed SSH Client: PuTTY (deployed as test.exe, 1.exe, 2.exe, etc., used for lateral movement to Linux hosts via SSH).
References
https://www.linkedin.com/pulse/linux-rats-windows-ransomware-actors-target-vmware-h0ddc?utm_source=…