
The ransomware group known as Qilin (also known as Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the beginning of 2025, with the exception of January, and the number of posts on its data leak site reached a high of 100 in June.
The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, with 84 victims each in August and September 2025. Qilin is known to have been active since around July 2022.
According to data compiled by Cisco Talos, some of the countries most affected by Qilin are the United States, Canada, the United Kingdom, France, and Germany. Attacks primarily targeted the manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors.
Attacks launched by Qilin affiliates may have leveraged administrator credentials leaked on the dark web to gain initial access through a VPN interface, followed by RDP connections to domain controllers and successfully compromised endpoints.

In the next phase, the attackers performed system reconnaissance and network discovery actions to map the infrastructure, ran tools such as Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to facilitate collection of credentials from various applications, and used Visual Basic scripts to exfiltrate data to an external SMTP server.
“Commands executed via Mimikatz targeted a variety of sensitive data and system functions, including clearing the Windows event log, enabling SeDebugPrivilege, extracting saved passwords from Chrome’s SQLite database, recovering credentials from previous logons, and collecting credentials and configuration data related to RDP, SSH, and Citrix,” Talos said.
Further analysis revealed that the attackers used mspaint.exe, notepad.exe, and iexplore.exe to inspect files for sensitive information, and a legitimate tool called Cyberduck to transfer the targeted files to a remote server while hiding their malicious activity.
The stolen credentials have been found to enable privilege escalation and lateral movement, and the elevated access was abused to install multiple remote monitoring and management (RMM) tools, including AnyDesk, Chrome Remote Desktop, Remote Desktop, GoToDesk, QuickAssist, and ScreenConnect. Talos said it cannot conclusively determine whether these programs were used for lateral movement.

To evade detection, the attack chain includes running PowerShell commands to disable AMSI, turn off TLS certificate validation, and enable limited administration, in addition to running tools such as dark-kill and HRSword to terminate security software. Cobalt Strike and SystemBC are also deployed on the host for persistent remote access.
The infection culminates in the launch of the Qilin ransomware, which encrypts files and drops a ransom note in each encrypted folder; before doing so, it clears event logs and deletes all shadow copies maintained by the Windows Volume Shadow Copy Service (VSS).
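The pre-encryption steps described above (event log clearing and shadow copy deletion) and the stacking of several RMM tools on one host are both visible in process-creation telemetry. The following added example, not from the Talos or Trend Micro reports, correlates them per host over constructed Sysmon-style events; the image-name keywords and command-line patterns are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in the style of Sysmon Event ID 1 (process creation); not real telemetry.
EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe cl Security"},
    {"host": "WS-01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmd": "AnyDesk.exe --install"},
    {"host": "WS-01", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmd": "ScreenConnect.ClientService.exe"},
    # Benign administrative use on a second host: queries and a single RMM tool, no deletions or clears.
    {"host": "WS-02", "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe list shadows"},
    {"host": "WS-02", "image": r"C:\Windows\System32\wevtutil.exe", "cmd": "wevtutil.exe qe Security /c:10"},
    {"host": "WS-02", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmd": "AnyDesk.exe"},
]

# Command-line patterns for the two pre-encryption steps (assumed detection logic).
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)
LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
# Non-exhaustive image-name keywords for RMM tools named in the report (assumed binary names).
RMM_KEYWORDS = ("anydesk", "screenconnect", "remoting_host", "quickassist")

def detect(events):
    """Return (host, rule) alerts: per-host correlation of shadow-copy deletion,
    event-log clearing, and the presence of two or more distinct RMM tools."""
    per_host = defaultdict(lambda: {"shadow": False, "clear": False, "rmm": set()})
    for e in events:
        state = per_host[e["host"]]
        state["shadow"] |= bool(SHADOW_DELETE.search(e["cmd"]))
        state["clear"] |= bool(LOG_CLEAR.search(e["cmd"]))
        image = e["image"].lower()
        state["rmm"].update(kw for kw in RMM_KEYWORDS if kw in image)
    alerts = []
    for host, s in sorted(per_host.items()):
        if s["shadow"] and s["clear"]:
            alerts.append((host, "pre-encryption: shadow copies deleted and event logs cleared"))
        elif s["shadow"] or s["clear"]:
            alerts.append((host, "destructive admin command: "
                           + ("shadow copy deletion" if s["shadow"] else "event log clearing")))
        if len(s["rmm"]) >= 2:
            alerts.append((host, "multiple RMM tools installed: " + ", ".join(sorted(s["rmm"]))))
    return alerts

if __name__ == "__main__":
    for host, rule in detect(EVENTS):
        print(f"[{host}] {rule}")
```

Only WS-01 raises alerts; the query-only commands and single RMM install on WS-02 stay below threshold, which is the distinction a real rule needs to avoid paging on routine administration.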
This finding is consistent with the discovery of sophisticated Qilin attacks that deploy Linux ransomware variants on Windows systems and use a combination of bring-your-own-vulnerable-driver (BYOVD) techniques and legitimate IT tools to bypass security barriers.
“The attackers exploited legitimate tools, specifically installing AnyDesk and executing commands through Atera Networks’ remote monitoring and management (RMM) platform and ScreenConnect. They exploited Splashtop for the final ransomware execution,” Trend Micro said.
“They specifically targeted Veeam backup infrastructure using a specialized credential extraction tool, systematically harvesting credentials from multiple backup databases and compromising the organization’s disaster recovery capabilities before deploying the ransomware payload.”
In addition to using valid accounts to infiltrate target networks, some attacks use spear phishing or fake ClickFix-style CAPTCHA pages hosted on Cloudflare R2 infrastructure to trigger execution of malicious payloads. These pages are assessed to serve as a means of harvesting the credentials later used to gain initial access.

Some of the key steps an attacker takes are:
- Deploy a SOCKS proxy DLL to facilitate remote access and command execution
- Abuse ScreenConnect's remote management capabilities to execute discovery commands and run network scanning tools to identify potential lateral movement targets
- Target Veeam backup infrastructure to harvest credentials
- Use the 'eskle.sys' driver as part of a BYOVD attack to disable security solutions, terminate processes, and evade detection
- Deploy PuTTY as an SSH client to facilitate lateral movement into Linux systems
- Place SOCKS proxy instances in various system directories and obfuscate command and control (C2) traffic with the COROXY backdoor
- Use WinSCP to securely transfer Linux ransomware binaries to Windows systems
- Run the Linux ransomware binaries directly on Windows systems using Splashtop Remote's management service (SRManager.exe)

“Linux ransomware binaries offered cross-platform capabilities, allowing attackers to use a single payload to affect both Windows and Linux systems in an environment,” Trend Micro researchers noted.
“The updated samples incorporate Nutanix AHV detection and expand targets to include hyperconverged infrastructure platforms, demonstrating that threat actors are moving beyond traditional VMware deployments and adapting to modern enterprise virtualization environments.”
