Agenda Ransomware Group Deploys Linux-Based Malware on Windows Systems to Target VMware Environments

Cybersecurity researchers have identified a sophisticated ransomware campaign orchestrated by the Agenda group, wherein Linux-based ransomware binaries are being deployed directly onto Windows systems. This innovative approach specifically targets VMware virtualization infrastructures and backup environments, challenging conventional security measures that predominantly focus on Windows-native threats.

Innovative Attack Techniques

The Agenda group’s campaign employs a novel method that combines legitimate remote management tools with advanced evasion tactics. By utilizing WinSCP for secure file transfers and Splashtop Remote for executing Linux ransomware payloads on Windows machines, the attackers create an unconventional attack vector that circumvents traditional security controls. This cross-platform execution technique complicates detection for security solutions not configured to monitor such activities.

Initial Access via Social Engineering

The attackers gain initial access through sophisticated social engineering schemes, including fake CAPTCHA pages hosted on Cloudflare R2 infrastructure. These convincing replicas of Google CAPTCHA verification prompts deliver information-stealing malware to compromised endpoints, systematically harvesting authentication tokens, browser cookies, and stored credentials. The stolen credentials provide the threat actors with valid accounts, enabling them to bypass multifactor authentication and move laterally within the network using legitimate user sessions.

Advanced Evasion and Lateral Movement

Trend Micro researchers have identified that the attack chain demonstrates advanced techniques, including the Bring Your Own Vulnerable Driver (BYOVD) method for defense evasion and the deployment of multiple SOCKS proxy instances across various system directories to obfuscate command-and-control traffic. The attackers abuse legitimate tools by installing AnyDesk through ATERA Networks’ remote monitoring and management platform and ScreenConnect for command execution, while utilizing Splashtop for final ransomware execution.

Targeting Backup Infrastructure

The Agenda group specifically targets Veeam backup infrastructure using specialized credential extraction tools, systematically harvesting credentials from multiple backup databases to compromise disaster recovery capabilities before deploying the ransomware payload.

Global Impact and Targeted Sectors

Since January 2025, Agenda has affected more than 700 victims across 62 countries, primarily targeting organizations in developed markets, including the United States, France, Canada, and the United Kingdom. The ransomware-as-a-service operation systematically targets high-value sectors, particularly manufacturing, technology, financial services, and healthcare industries characterized by operational sensitivity, data criticality, and a higher likelihood of ransom payment.

Cross-Platform Ransomware Execution Mechanism

The final ransomware deployment showcases unprecedented cross-platform execution capabilities. The threat actors utilize WinSCP to securely transfer the Linux ransomware binary to Windows systems, placing the payload on the desktop with a .filepart extension before finalizing the transfer. The execution method employs Splashtop Remote’s management service (SRManager.exe) to directly run the Linux ransomware binary on Windows platforms.

Analysis of the Linux Ransomware Binary

Analysis of the Linux ransomware binary reveals extensive configuration capabilities and platform-specific targeting. The payload implements comprehensive command-line parameters, including debug mode, logging levels, path specifications, whitelist configurations, and encryption control parameters. Execution requires password authentication and displays verbose configuration output, including whitelisted processes, file extension blacklists, and path exclusions.

Targeting VMware ESXi and Hyperconverged Infrastructure

The configuration demonstrates extensive targeting of VMware ESXi paths such as /vmfs/, /dev/, and /lib64/, while excluding critical system directories, showcasing hypervisor-focused deployment strategies. Earlier variants implemented operating system detection for FreeBSD, VMkernel (ESXi), and standard Linux distributions, enabling platform-specific encryption behavior. Updated samples incorporate Nutanix AHV detection, expanding targeting to include hyperconverged infrastructure platforms and demonstrating the threat actors’ adaptation to modern enterprise virtualization environments beyond traditional VMware deployments.

Implications for Security Measures

This unconventional execution approach bypasses traditional Windows-focused security controls, as most endpoint detection systems are not configured to monitor or prevent Linux binaries from being executed through legitimate remote management tools on Windows platforms. Organizations must adapt their security postures to address these evolving threats by implementing cross-platform monitoring and enhancing their detection capabilities to identify and mitigate such sophisticated attack vectors.
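As an added example (not code from the article or from Trend Micro's research), a small Python detector applies the point above and the transfer-and-execute chain described under "Cross-Platform Ransomware Execution Mechanism" to constructed endpoint telemetry: it flags ELF-format files written to a Windows host, including ones staged under the .filepart name WinSCP gives in-progress transfers, and raises a high-severity alert when SRManager.exe spawns an ELF image. Only SRManager.exe and the .filepart staging come from the page; the JSON record layout, the RMM_PARENTS set and all sample paths and headers are assumptions constructed for the example.

```python
import json
from typing import Iterable, List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"  # magic number at offset 0 of every ELF file
# Parents that should never spawn an ELF image on Windows. SRManager.exe is the
# Splashtop service named in the article; the set itself is an assumed, tunable list.
RMM_PARENTS = {"srmanager.exe"}

def is_elf(header_hex: str) -> bool:
    """True if the hex-encoded leading bytes of a file carry the ELF magic."""
    return bytes.fromhex(header_hex).startswith(ELF_MAGIC)

def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one telemetry record, or None if nothing to flag."""
    kind = event.get("type")
    if kind == "file_write" and is_elf(event.get("header_hex", "")):
        path = event["path"]
        if path.lower().endswith(".filepart"):  # WinSCP's in-progress transfer name
            return ("medium", f"ELF staged as partial WinSCP transfer: {path}")
        return ("medium", f"ELF binary written on Windows host: {path}")
    if kind == "process_create":
        parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        if parent in RMM_PARENTS and is_elf(event.get("image_header_hex", "")):
            return ("high", f"{parent} launched ELF image {event['image']}")
    return None

def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run classify over JSON-lines telemetry and collect the alerts raised."""
    alerts = []
    for line in lines:
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                alerts.append(hit)
    return alerts

# Constructed sample telemetry (assumed record layout, not real indicators): a PE drop,
# an ELF staged as .filepart, the finalised ELF, SRManager.exe launching it, a benign start.
SAMPLE_LOG = r"""
{"type":"file_write","path":"C:\\Users\\a\\Desktop\\tool.exe","header_hex":"4d5a9000"}
{"type":"file_write","path":"C:\\Users\\a\\Desktop\\enc.filepart","header_hex":"7f454c4602"}
{"type":"file_write","path":"C:\\Users\\a\\Desktop\\enc","header_hex":"7f454c4602"}
{"type":"process_create","image":"C:\\Users\\a\\Desktop\\enc","image_header_hex":"7f454c4602","parent_image":"C:\\Program Files\\Splashtop\\SRManager.exe"}
{"type":"process_create","image":"C:\\Windows\\notepad.exe","image_header_hex":"4d5a9000","parent_image":"C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {reason}")
```

In a real deployment the header bytes would come from the EDR's file-creation event or a file-hash lookup rather than from the log record itself, and the PE drop and the explorer.exe start show the rule stays quiet on ordinary Windows activity.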