Security Affairs reports that Trend Micro researchers uncovered a sophisticated Qilin ransomware campaign that weaponized Linux binaries on Windows systems to evade endpoint detection and response tools and disable security defenses.
The group, also known as Agenda, leveraged legitimate remote management platforms such as WinSCP, Splashtop Remote, AnyDesk, and ATERA RMM to deliver Linux-based ransomware through "bring your own vulnerable driver" exploits.
Attackers gained entry via fake Google CAPTCHA pages hosting malicious scripts, enabling credential theft, network reconnaissance, and lateral movement using valid sessions. They targeted Veeam backup servers to extract administrative credentials and used signed drivers and DLL sideloading to terminate security tools.
Trend Micro noted that the campaign's cross-platform design allows attackers to encrypt both Windows and Linux systems, reflecting the group's growing sophistication. Active since 2022, Qilin now ranks among the most prolific ransomware-as-a-service operators, claiming up to 100 victims a month by mid-2025.