The Qilin ransomware group, also known as Agenda, Gold Feather, and Water Galura, has significantly escalated its cyberattack strategies in 2025. By integrating Linux-based ransomware payloads with the Bring Your Own Vulnerable Driver (BYOVD) technique, Qilin has effectively targeted both Windows and Linux environments, circumventing traditional security measures and causing widespread operational disruptions.
Overview of Qilin’s Operations
Since its emergence in July 2022, Qilin has evolved into a formidable ransomware-as-a-service (RaaS) operation. The group recruits affiliates to execute attacks using a shared toolkit, enabling a broad reach across various sectors. In 2025, Qilin’s activities have intensified, with the group claiming over 40 victims monthly and peaking at 100 cases in June. Their targets span critical infrastructure, manufacturing, technology, financial services, and healthcare sectors, underscoring the group’s opportunistic yet strategic approach.
Technical Breakdown of Qilin’s Attack Chain
1. Initial Access and Reconnaissance
Qilin affiliates often gain initial access through compromised VPN credentials, phishing campaigns, or exploiting exposed remote access tools. Once inside, they conduct thorough reconnaissance using tools like Mimikatz and SharpDecryptPwd to harvest credentials, facilitating lateral movement and access to privileged accounts.
2. Deployment of Remote Monitoring and Management (RMM) Tools
Leveraging legitimate RMM tools such as AnyDesk, ScreenConnect, and MeshCentral, the attackers establish persistent access and execute commands remotely. This tactic allows them to blend malicious activities with normal administrative operations, reducing the likelihood of detection.
3. BYOVD Technique for Defense Evasion
A critical innovation in Qilin’s methodology is the use of the BYOVD technique. Attackers deploy vulnerable, legitimately signed drivers like eskle.sys, rwdrv.sys, and hlpdrv.sys to disable endpoint detection and response (EDR) and antivirus solutions at the kernel level. These drivers are loaded using custom loaders and are sometimes introduced via DLL sideloading, exploiting trusted applications by placing malicious DLLs in application directories.
4. Command and Control (C2) Infrastructure
Qilin utilizes the COROXY SOCKS proxy, deploying malicious DLLs into trusted directories associated with enterprise software. This approach obfuscates outbound C2 traffic, maintaining stealthy communications with their infrastructure and ensuring persistent access.
5. Payload Delivery and Execution
The Linux ransomware binary is transferred to Windows hosts using tools like WinSCP and executed via remote management tools such as Splashtop Remote’s SRManager.exe. This method bypasses Windows-centric security controls. The Linux payload is highly configurable, supporting command-line options for debugging, logging, whitelisting, and encryption control. It is password-protected to prevent unauthorized execution and targets both Windows and Linux systems, including VMware ESXi and Nutanix AHV hypervisors. The ransomware avoids encrypting critical system directories to maintain system stability and maximize ransom leverage.
6. Anti-Analysis and Evasion Techniques
Qilin embeds anti-analysis features throughout the attack chain, including virtual machine detection, process termination routines, and anti-debugging mechanisms. These measures complicate forensic analysis and hinder incident response efforts.
7. Data Exfiltration and Double Extortion
Before encryption, Qilin exfiltrates sensitive data, threatening to release it publicly if the ransom is not paid—a tactic known as double extortion. This approach increases pressure on victims to comply with ransom demands.
Exploitation in the Wild
Qilin’s hybrid attack campaigns have been observed in the wild since early 2025, with a marked increase in activity during the second and third quarters. The group has claimed responsibility for over 700 victims globally, with a peak of 100 cases in June 2025. The attacks are notable for their focus on critical infrastructure, manufacturing, technology, financial services, and healthcare sectors. Qilin’s ability to target both Windows and Linux environments, including virtualized infrastructure, has enabled it to disrupt operations at scale and demand higher ransom payments.
The exploitation of backup systems, particularly Veeam, is a recurring theme, as it allows the attackers to inhibit system recovery and increase the pressure on victims to pay. The use of BYOVD to disable EDR/AV solutions has been confirmed in multiple incidents, with forensic analysis revealing the presence of vulnerable drivers and associated loader binaries. The deployment of COROXY SOCKS proxies has also been documented, with malicious DLLs found in directories associated with trusted enterprise software.
Victimology and Targeting
Qilin’s targeting is opportunistic but shows a clear preference for organizations with hybrid Windows/Linux environments, extensive use of RMM tools, and reliance on virtualized infrastructure. This strategic selection allows the group to maximize the impact of their attacks and increase the likelihood of ransom payment.
Mitigation Strategies
To defend against Qilin’s sophisticated attack methods, organizations should implement the following strategies:
– Multi-Factor Authentication (MFA): Enforce MFA across all accounts to reduce the risk of unauthorized access through compromised credentials.
– Regular Software Updates: Keep all systems and software up to date to mitigate vulnerabilities that could be exploited by attackers.
– Monitor RMM Tools: Closely monitor the use of RMM tools within the network to detect and prevent their misuse by malicious actors.
– Behavioral Analysis: Implement behavioral analysis tools to detect anomalies indicative of malicious activity, such as unusual use of administrative tools or unexpected network traffic patterns.
– Backup and Recovery Plans: Maintain regular, secure backups of critical data and develop comprehensive recovery plans to ensure business continuity in the event of an attack.
Conclusion
Qilin’s innovative combination of Linux payloads and BYOVD exploits represents a significant evolution in ransomware tactics, challenging traditional security measures. By understanding and anticipating these hybrid attack methods, organizations can enhance their defensive postures and mitigate the risks posed by such sophisticated threats.
