Qilin Ransomware Targets Windows with Linux-Based Payload

A new Linux-based ransomware variant from the Qilin group can now infiltrate Windows systems.


Key Takeaways:

  • A new Linux-based variant now targets Windows systems.
  • Hackers abuse remote management platforms to deploy ransomware and evade detection.
  • Traditional Windows-only defenses may miss these advanced, stealthy attacks.

Cybersecurity researchers have discovered that the Qilin ransomware group has created a Linux-based variant capable of infecting Windows systems. This cross-platform capability enables attackers to evade traditional Windows-focused security tools and poses a new level of threat to enterprise networks.

According to new research from Trend Micro, the Agenda ransomware group (also known as Qilin) is a cybercriminal organization that operates a ransomware-as-a-service (RaaS) model. The group abused legitimate remote management tools and file transfer utilities, including WinSCP for file transfer, Splashtop Remote for execution, AnyDesk, ScreenConnect, and the ATERA remote monitoring and management (RMM) platform, to deploy the Linux-based ransomware binary on Windows machines.

How does the Linux payload infect Windows systems?

The Qilin ransomware group uses a multi-layered attack strategy that combines social engineering, credential theft, and advanced evasion techniques. Their campaigns often begin with deceptive CAPTCHA pages that trick users into downloading information stealers, which harvest credentials from backup systems like Veeam. These credentials are then used to escalate privileges, create fake administrator accounts, and reset legitimate ones to gain deeper access.

To deploy the ransomware, Qilin leverages legitimate remote management tools that allow it to transfer and execute a Linux-based payload on Windows systems. The group further evades detection by using vulnerable drivers (BYOVD), DLL sideloading, and SOCKS proxies that mask command-and-control traffic. This cross-platform capability and stealthy execution make these attacks particularly challenging for organizations to detect and mitigate.

“They specifically targeted Veeam backup infrastructure using specialized credential extraction tools, systematically harvesting credentials from multiple backup databases to compromise the organization’s disaster recovery capabilities before deploying the ransomware payload,” Trend Micro researchers explained. “The technique enables low-noise operations that can disable recovery options through the targeted theft of backup credentials and neutralize endpoint defenses via BYOVD [bring your own vulnerable driver] attack.”

[Figure: The Agenda ransomware infection chain (Image Credit: Trend Micro)]

Qilin’s Linux payload expands across multiple platforms and industries

The cybercriminals then executed the Linux-based ransomware on Windows systems using Splashtop’s SRManager.exe. This payload supports various operating environments such as Windows, Linux, VMware ESXi, and Nutanix AHV. It comes with features such as password protection, automated execution, and ransom notes with credentials for negotiation and threats to leak stolen data.

Since January 2025, Qilin has affected 591 victims across 58 countries, including the United States, Canada, and the United Kingdom. This group targets multiple industries, including manufacturing, technology, financial services, and healthcare.

Security recommendations to mitigate Qilin ransomware risks

To defend against Qilin ransomware attacks, organizations should tightly control the use of remote access and management tools to ensure that only authorized systems and users can interact with them. Moreover, IT admins must monitor backup infrastructure for unusual activity, as these systems are often targeted to extract credentials and disable recovery options. Organizations must also implement robust endpoint protection to detect techniques like vulnerable driver exploitation and lateral movement.

Additionally, organizations should address the limitations of Windows-centric security tools, which may fail to detect Linux-based ransomware binaries executed through remote management software. Security teams are also advised to adapt detection logic to monitor behavioral anomalies across platforms to strengthen overall threat detection capabilities.
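One shape such cross-platform detection logic can take, as an added example that is not from the article or from Trend Micro: it flags an ELF binary written to a Windows host and an untrusted binary launched by one of the remote-management tools named above, then escalates hosts where both fire. The process names for the tools, the Splashtop install path, and the telemetry events are assumptions constructed for the example.

```python
"""Detection sketch for the pattern above: a Linux (ELF) payload dropped on a
Windows host and launched through a remote-management tool. Added example with
constructed events; a heuristic, not Trend Micro's detection logic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Remote-access/RMM tools the article names (process names assumed). Running them
# is legitimate; the signal is an untrusted binary launched or dropped through them.
RMM_IMAGES = {"srmanager.exe", "anydesk.exe", "screenconnect.clientservice.exe",
              "ateraagent.exe", "winscp.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF executable

@dataclass
class Event:
    host: str
    kind: str          # "process_create" or "file_write"
    path: str          # spawned image or written file
    parent: str = ""   # parent image (process_create only)
    head: bytes = b""  # leading bytes of the file (file_write only)
    os: str = "windows"

def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, path) alerts from the two per-event rules."""
    alerts = []
    for e in events:
        parent = e.parent.rsplit("\\", 1)[-1].lower()
        if e.kind == "file_write" and e.os == "windows" and e.head.startswith(ELF_MAGIC):
            alerts.append((e.host, "elf_written_on_windows", e.path))
        elif (e.kind == "process_create" and parent in RMM_IMAGES
              and not e.path.lower().startswith(TRUSTED_DIRS)):
            alerts.append((e.host, "rmm_launched_untrusted_binary", e.path))
    return alerts

def hosts_with_both(alerts: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts where both rules fired; the combination matches the chain above."""
    seen: Dict[str, set] = {}
    for host, rule, _ in alerts:
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) == 2)

SPLASHTOP = "C:\\Program Files (x86)\\Splashtop\\SRManager.exe"  # assumed install path
SAMPLE_EVENTS = [  # constructed telemetry, not from the report
    Event("WS-01", "file_write", "C:\\Users\\Public\\agenda", head=b"\x7fELF\x02\x01\x01"),
    Event("WS-01", "process_create", "C:\\Users\\Public\\agenda", parent=SPLASHTOP),
    Event("WS-01", "process_create", "C:\\Windows\\System32\\cmd.exe", parent=SPLASHTOP),
    Event("WS-02", "file_write", "C:\\Users\\bob\\report.pdf", head=b"%PDF-1.7"),
    Event("WS-02", "process_create", "C:\\Users\\bob\\tool.exe", parent="C:\\Windows\\explorer.exe"),
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts for WS-01 and none for the remote shell or the WS-02 events; `hosts_with_both` then returns only WS-01 for escalation.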