LmCast :: Stay tuned in

Qilin Targets Windows Hosts With Linux-Based Ransomware

Recorded: Oct. 27, 2025, 7:15 p.m.

Original Summarized

Qilin Targets Windows Hosts With Linux-Based Ransomware

The attack by one of the most impactful RaaS groups active today demonstrates an evasion strategy that can stump defenses not equipped to detect cross-platform threats.

Elizabeth Montalbano, Contributing Writer
October 27, 2025

The Qilin ransomware group has attacked Windows hosts using a Linux-based binary in a cross-platform attack that can evade Windows-centric detections and security solutions, including conventional endpoint detection and response (EDR) platforms.

Trend Micro identified the unique attack from the group, which it tracks as "Agenda" and considers one of the most impactful ransomware groups currently active. In the attack, Qilin deployed the Linux-based ransomware binary on Windows hosts by abusing legitimate remote management and file transfer tools, specifically AnyDesk, ATERA Networks' remote monitoring and management (RMM) platform, and ScreenConnect.

The group "utilized a novel deployment method combining WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines," Trend Micro researchers wrote in a blog post published Friday.

Moreover, the attackers specifically targeted Veeam backup infrastructure with specialized tools to "systematically [harvest] credentials from multiple backup databases to compromise the organization's disaster recovery capabilities before deploying the ransomware payload," the researchers wrote.

"The technique enables low-noise operations that can disable recovery options through the targeted theft of backup credentials and neutralize endpoint defenses via BYOVD [bring your own vulnerable driver] attack," they wrote in the post.

The attack also challenged traditional Windows-focused security controls by deploying Linux-based ransomware in a Windows environment in a way that "demonstrates how threat actors are adapting to bypass endpoint detection systems not configured to detect or prevent Linux binaries executing through remote management channels," the researchers noted.

Attack Analysis

Qilin used valid credentials throughout the attack chain, which also showed evidence of multiple endpoints connecting to malicious fake CAPTCHA pages hosted on Cloudflare R2 storage infrastructure. "These pages presented convincing replicas of legitimate Google CAPTCHA verification prompts," the researchers noted.

Based on this analysis, Trend Micro surmised that the initial point of entry came through "a sophisticated social engineering scheme" that used fake CAPTCHA pages and delivered an infostealer to harvest authentication tokens, browser cookies, and stored credentials from the infected systems.

"This assessment is further supported by the attackers' ability to bypass multifactor authentication (MFA) and move laterally using legitimate user sessions, indicating they possessed harvested credentials rather than relying on traditional exploitation techniques," the researchers wrote.

The ransomware payload, delivered via Splashtop Remote, included a ransom note typically used by Qilin that threatened data publication and provided victim-specific credentials for negotiation. The note included the file extension and domain/login/password fields for accessing the threat actors' communication portal, they said.

Qilin's Meteoric Rise

Qilin is a Russian-speaking threat group that emerged around July 2022 and rose to prominence as one of the top ransomware groups in 2025. The group uses a double extortion method and a ransomware-as-a-service (RaaS) model, according to a report published over the weekend by Cisco Talos, which also tracks the group. The group has affected more than 700 organizations across 62 countries since January, with most of its victims in the US, France, Canada, and the UK, according to Trend Micro. Organizations in the manufacturing, technology, financial services, and healthcare sectors were the most impacted.

The group also shows a "lack of ethical constraints and prioritization of financial gain over potential societal impact" in its willingness to target critical infrastructure, including healthcare facilities and public sector entities, Trend Micro researchers wrote.

Cisco Talos noted Qilin's brisk attack pace, publishing information on its leak site at a rate of more than 40 cases per month. The researchers also cited professional and scientific services organizations and those in the wholesale trade business as the second and third most affected sectors, respectively. Cisco Talos' report also added Germany to the list of countries most targeted by Qilin.

"The data shows that the number of postings reached a peak of 100 cases in June 2025, with a nearly equivalent figure recorded again in August," Cisco Talos' researchers wrote in the report. "Although the number of victims fluctuates from month to month, it is noteworthy that, except for January, every month recorded more than 40 cases. These findings indicate that Qilin continues to pose a persistent and significant threat."

If Qilin alone isn't a formidable enough adversary, the group empowered itself even further this year by joining forces with LockBit and DragonForce in a ransomware "cartel" that has agreed to share resources and attack info.

Suggested Security Measures

Given Qilin's significant threat potential, both Trend Micro and Cisco Talos urge defenders to take precautions to prevent intrusion by the group. Those at risk include "any environment that uses remote access platforms, centralized backup solutions, or hybrid Windows/Linux infrastructures," according to Trend Micro, which encouraged enterprises to restrict such tools to authorized hosts and to monitor for suspicious activity. Other best practices suggested by Trend Micro include securing remote access and RMM tools, hardening backup infrastructure, and accounting for the detection of BYOVD and cross-platform threats.

Defenders also should extend visibility across hybrid environments by ensuring that the organization's EDR and SOC playbooks include both Windows and Linux telemetry. Trend Micro urged organizations to protect credentials and access tokens by applying "phishing-resistant MFA," strengthening access policies, and monitoring for abnormal use of privileged accounts or tokens.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Qilin, a Russian‑speaking ransomware‑as‑a‑service syndicate that first surfaced in mid‑2022, has escalated its impact in 2025 by deploying a Linux‑based ransomware binary against Windows hosts—an approach that bypasses many traditional Windows‑centric detection systems. The attack, traced by Trend Micro and reported in a dedicated blog post, involved a cross‑platform strategy that exploited legitimate remote‑management and file‑transfer tools, specifically AnyDesk, ATERA Networks’ RMM platform, and ScreenConnect. Trend Micro’s analysis notes that the attackers used WinSCP for secure file transfer combined with Splashtop Remote to execute the Linux binary within a Windows environment, a method that allows the payload to evade endpoint detection and response solutions not configured to flag Linux executables on Windows machines.

The operation targeted Veeam backup infrastructure, employing specialized tools to harvest credentials from multiple backup databases systematically. This pre‑payload activity aimed to compromise disaster recovery capabilities, undermining the victim’s ability to restore data after the ransomware infection. By harvesting backup credentials and deploying a “bring‑your‑own‑vulnerable‑driver” (BYOVD) attack, the actors effectively neutralized endpoint defenses while ensuring a low‑noise operation that minimized detection risk.

Initial access appeared to be gained through a sophisticated social‑engineering layer involving fake CAPTCHA pages hosted on Cloudflare R2 storage. These pages mimicked legitimate Google CAPTCHA prompts and delivered an infostealer capable of harvesting authentication tokens, browser cookies, and stored credentials from infected systems. The presence of these phishing pages and the subsequent ability to bypass multi‑factor authentication (MFA) and move laterally using legitimate user sessions indicate that the group held stolen credentials rather than relying on zero‑day exploits.

Once inside, the attackers delivered the Linux ransomware payload via Splashtop Remote, accompanied by a ransom note characteristic of Qilin. The note contains a threat of public data publication and provides victim‑specific credentials for negotiation, including the file extension, domain, login, and password required to access the threat actors’ communication portal. This double‑extortion approach—encryption of data combined with the threat of exfiltration—has become a hallmark of Qilin’s operations.

Trend Micro’s report also highlights Qilin’s operational scale. According to Cisco Talos, the group has attacked over 700 organizations across 62 countries since January, with the majority of victims in the United States, France, Canada, and the United Kingdom. Industries most affected include manufacturing, technology, financial services, and healthcare. The group’s expansion is further amplified by its announced collaboration with LockBit and DragonForce in a ransomware cartel that shares resources and attack information, enhancing its reach and resilience.

The group’s persistence is underscored by the frequency of their attacks: over 40 incident posts per month on their leak site, with peaks reaching 100 cases in June and August 2025. The data suggests that Qilin continues to operate with significant momentum, posing a persistent threat to sectors such as professional and scientific services, wholesale trade, and even critical infrastructure. Its willingness to target healthcare facilities and public sector entities signals a chilling disregard for societal impact in pursuit of financial gain.

Security implications are manifold. Environments that rely on remote‑access platforms, centralized backup solutions, or hybrid Windows/Linux infrastructures are highlighted as high‑risk contexts. Trend Micro recommends restricting the use of remote‑access and RMM tools to authorized hosts and monitoring for anomalous activity. Hardening backup infrastructures—including detecting and preventing BYOVD attacks—becomes essential. Extending visibility across hybrid environments, ensuring that endpoint detection and response (EDR) systems incorporate both Windows and Linux telemetry, is vital to flag cross‑platform threats. Credential protection through phishing‑resistant MFA, strengthening access policies, and monitoring for abnormal privileged account use are additional security controls suggested.
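As an added example (not from the article, Trend Micro, or Cisco Talos), the detection logic below turns the recommendations above and in the article's "Suggested Security Measures" section into a check over a few constructed telemetry events: it flags a Linux ELF binary written to a Windows host by a file-transfer tool, remote-management tools active on hosts outside an allow-list, and execution of such a binary under a remote-control session. The event schema, host names, process names, and the allow-list are assumptions made for this illustration.

```python
import json

ELF_MAGIC = "7f454c46"  # hex of b"\x7fELF", the header every Linux executable starts with
# Remote-management and file-transfer tools named in the article, matched as
# substrings of process names. The process names in the sample below are placeholders.
REMOTE_TOOLS = ("winscp", "splashtop", "anydesk", "screenconnect", "atera")
AUTHORIZED_RMM_HOSTS = {"it-jump01"}  # constructed allow-list of hosts permitted to run RMM


def is_remote_tool(process_name):
    """True if a process name belongs to one of the listed remote tools."""
    return any(tool in process_name.lower() for tool in REMOTE_TOOLS)


def analyse(jsonl):
    """Scan one JSON-lines telemetry stream and return (host, reason) findings."""
    findings, elf_paths = [], set()
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        host, kind = ev["host"], ev["type"]
        if kind == "file_write" and ev.get("magic", "").lower().startswith(ELF_MAGIC):
            # A Linux executable has no business landing on a Windows workstation;
            # remember its path so a later execution can be tied back to it.
            elf_paths.add(ev["path"].lower())
            if is_remote_tool(ev["process"]):
                findings.append((host, f"elf_via_remote_tool:{ev['process']}"))
        elif kind == "process_start":
            parent, cmd = ev["parent"], ev["cmdline"].lower()
            if is_remote_tool(parent) and host not in AUTHORIZED_RMM_HOSTS:
                findings.append((host, f"rmm_on_unauthorized_host:{parent}"))
            if any(path in cmd for path in elf_paths):
                findings.append((host, f"elf_executed_under:{parent}"))
    return findings


# Constructed sample: a workstation receives an ELF file through WinSCP and then runs
# it from a remote-control session; the authorized jump host runs a benign command.
SAMPLE_TELEMETRY = r"""
{"host":"ws-fin-07","type":"file_write","process":"WinSCP.exe","path":"C:\\Users\\Public\\upd.bin","magic":"7F454C46"}
{"host":"ws-fin-07","type":"process_start","parent":"splashtop-agent.exe","cmdline":"cmd.exe /c C:\\Users\\Public\\upd.bin"}
{"host":"it-jump01","type":"process_start","parent":"atera-agent.exe","cmdline":"powershell.exe Get-Service"}
"""

if __name__ == "__main__":
    for host, reason in analyse(SAMPLE_TELEMETRY):
        print(host, reason)
```

In a real deployment the `magic` field would come from the EDR's file-header capture and the allow-list from the asset inventory; the three reasons map directly to the controls the article lists (restrict RMM to authorized hosts, watch file transfers, extend detection to Linux binaries on Windows).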

The article’s author, Elizabeth Montalbano, a freelance journalist with more than two decades of experience, brings a clear, investigative voice to the technical exposition. Her coverage emphasizes the convergence of social engineering, credential harvesting, and cross‑platform tactics as the core of Qilin’s threat model. The piece serves as a reminder that attackers are continually adapting, employing legitimate commercial tools to carry out malicious operations that transcend operating‑system boundaries.