Qilin Ransomware Combines Linux Payload With BYOVD Exploit In ...
The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June.
The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for 84 victims each in the months of August and September 2025. The Russian-speaking threat group emerged around July 2022.
According to data compiled by Cisco Talos, the U.S., Canada, the U.K., France, and Germany are some of the countries most impacted by Qilin. The attacks have primarily singled out manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors.
Attacks mounted by Qilin affiliates have likely relied on administrative credentials leaked on the dark web to gain initial access through a VPN interface, followed by RDP connections to the domain controller and to the successfully breached endpoint.
In the next phase, the attackers conducted system reconnaissance and network discovery to map the infrastructure, and executed tools such as Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to harvest credentials from various applications, exfiltrating the data to an external SMTP server using a Visual Basic Script.
"Commands executed via Mimikatz targeted a range of sensitive data and system functions, including clearing Windows event logs, enabling SeDebugPrivilege, extracting saved passwords from Chrome's SQLite database, recovering credentials from previous logons, and harvesting credentials and configuration data related to RDP, SSH, and Citrix," Talos said.
Further analysis has uncovered the threat actor's use of mspaint.exe, notepad.exe, and iexplore.exe to inspect files for sensitive information, as well as the legitimate file-transfer tool Cyberduck to move files of interest to a remote server while obscuring the malicious activity.
The stolen credentials have been found to enable privilege escalation and lateral movement, with the actors abusing the elevated access to install multiple Remote Monitoring and Management (RMM) tools, including AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect. Talos said it could not definitively conclude whether these programs were used for lateral movement.
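The tradecraft described above (credential-dumping tools, clearing of Windows event logs, and several RMM tools dropped on the same host) is the kind of thing a SOC can hunt for in Windows Security log telemetry. The following is an added detection example written for this page; it is not code from The Hacker News or Cisco Talos. It relies on the standard Security log Event IDs 4688 (process creation) and 1102 (audit log cleared); the binary names for the credential tools and the name patterns for the RMM products are assumptions to be tuned against your own telemetry, and the sample events are constructed, not real log data. Rather than alerting on any single RMM binary (which would drown in legitimate helpdesk noise), it correlates per host and flags when two or more distinct RMM families appear, mirroring the "multiple RMM tools" pattern in the report.

```python
"""
Added detection example (not from The Hacker News article or Cisco Talos).
Flags the Qilin tradecraft described above in constructed Windows Security
log events: EID 4688 = process creation, EID 1102 = audit log cleared.
Tool binary names and RMM name patterns are assumptions for illustration.
"""
from collections import defaultdict
import re

# Credential-harvesting tools named in the report (assumed binary names).
CREDENTIAL_TOOLS = {
    "mimikatz.exe",
    "webbrowserpassview.exe",
    "bypasscredguard.exe",
    "sharpdecryptpwd.exe",
}

# RMM families named in the report. The regexes over the lower-cased image
# path are assumptions; a family counts once per host however many binaries
# it installs.
RMM_FAMILIES = {
    "AnyDesk": re.compile(r"anydesk"),
    "Chrome Remote Desktop": re.compile(r"remoting_host|chrome.?remote.?desktop"),
    "Distant Desktop": re.compile(r"distant.?desktop"),
    "GoToDesk": re.compile(r"gotodesk"),
    "QuickAssist": re.compile(r"quickassist"),
    "ScreenConnect": re.compile(r"screenconnect|connectwise"),
}


def classify_event(event):
    """Return a list of (host, finding) tuples for one event, or [] if benign."""
    host = event["host"]
    eid = event["event_id"]
    findings = []
    if eid == 1102:
        # Log clearing is one of the Mimikatz-driven actions Talos describes.
        findings.append((host, "audit log cleared (EID 1102)"))
        return findings
    if eid != 4688:
        return findings
    image = event.get("new_process_name", "").lower()
    basename = image.rsplit("\\", 1)[-1]
    if basename in CREDENTIAL_TOOLS:
        findings.append((host, f"credential-harvesting tool executed: {basename}"))
    for family, pattern in RMM_FAMILIES.items():
        if pattern.search(image):
            findings.append((host, f"RMM tool executed: {family}"))
    return findings


def detect(events, rmm_threshold=2):
    """
    Classify every event, then correlate per host. A host is reported if it
    shows a credential tool, a cleared audit log, or at least `rmm_threshold`
    distinct RMM families. Returns {host: sorted list of findings}; hosts with
    nothing to report are omitted.
    """
    per_host = defaultdict(set)
    rmm_per_host = defaultdict(set)
    for ev in events:
        for host, finding in classify_event(ev):
            if finding.startswith("RMM tool executed: "):
                rmm_per_host[host].add(finding.split(": ", 1)[1])
            else:
                per_host[host].add(finding)
    for host, families in rmm_per_host.items():
        if len(families) >= rmm_threshold:
            per_host[host].add(
                f"{len(families)} distinct RMM tool(s) installed: "
                + ", ".join(sorted(families))
            )
    return {h: sorted(f) for h, f in per_host.items() if f}


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4688,
     "new_process_name": r"C:\Users\jdoe\Downloads\mimikatz.exe"},
    {"host": "WS01", "event_id": 1102},
    {"host": "WS01", "event_id": 4688,
     "new_process_name": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "WS01", "event_id": 4688,
     "new_process_name": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe"},
    # WS02 runs a single RMM product, which on its own stays below the threshold.
    {"host": "WS02", "event_id": 4688,
     "new_process_name": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "WS03", "event_id": 4688,
     "new_process_name": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, findings in detect(SAMPLE_EVENTS).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

On the constructed sample only WS01 is reported: it shows mimikatz.exe, a cleared audit log, and two RMM families. WS02, with a single RMM product, is deliberately not flagged, since one sanctioned remote-support tool is routine in most environments; lower `rmm_threshold` to 1 if your estate has no sanctioned RMM at all.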
To sidestep detection, the attack chain involves the
Source: The Hacker News