Qilin, also tracked as Agenda, Gold Feather, and Water Galura, has become one of the most active ransomware-as-a-service operations since mid-2022. In 2025 the group averaged more than 40 victims per month, peaking at around 100 data-leak posts in June, and reaching 84 victims in both August and September 2025. Cisco Talos data shows significant impact in the U.S., Canada, the U.K., France, and Germany, with manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) among the most targeted sectors.

Attack chain and initial access
Qilin affiliates frequently obtain leaked administrative credentials from the dark web, then use a VPN interface to access target networks, followed by RDP connections to domain controllers and compromised endpoints. After access, the attackers perform system reconnaissance and network discovery, mapping the environment to identify high-value systems.
Credential theft and lateral movement
The actors deploy a suite of credential-harvesting tools, including Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd, and exfiltrate harvested data to external SMTP servers using Visual Basic scripts. Mimikatz commands observed included clearing Windows event logs, enabling SeDebugPrivilege, extracting saved Chrome passwords from SQLite databases, recovering cached logon credentials, and harvesting authentication data for RDP, SSH, and Citrix. Researchers also observed the use of legitimate Windows programs, such as mspaint.exe and notepad.exe, and a legitimate FTP client, Cyberduck, to inspect and transfer sensitive files, helping hide malicious activity.
Persistence and remote control techniques
The attackers leverage valid credentials to escalate privileges and install multiple remote monitoring and management (RMM) tools, such as AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect. While Talos could not confirm whether all these tools were used for lateral movement, they were clearly part of the attackers’ operational toolkit. To evade detection, the threat actors execute PowerShell commands that disable AMSI, bypass TLS certificate validation, and enable Restricted Admin mode. They also deploy utilities like dark-kill and HRSword to terminate security processes, and use Cobalt Strike and SystemBC to establish and maintain remote access.
Advanced hybrid techniques, BYOVD, and cross-platform impact
In a notable escalation, Qilin operators combined a Linux-targeting ransomware binary with a bring-your-own-vulnerable-driver (BYOVD) technique to defeat security controls on Windows hosts. The campaign abused RMM platforms (for example, AnyDesk installed via Atera Networks, and ScreenConnect) to run commands and execute payloads, and used Splashtop for the final ransomware execution. Researchers noted targeted attacks on Veeam backup infrastructure, where specialized credential-extraction tools were used to harvest backup credentials, weakening disaster recovery before encryption.
Key steps observed include:
- Deploying a SOCKS proxy DLL to enable remote command execution.
- Abusing ScreenConnect management features to run discovery and scanning tools.
- Installing and using the “eskle.sys” driver as part of BYOVD to disable security solutions and terminate processes.
- Moving laterally to Linux systems with PuTTY SSH clients, and transferring the Linux ransomware binary via WinSCP.
- Obfuscating C2 traffic using SOCKS proxies and the COROXY backdoor.
- Executing the Linux binary on Windows via Splashtop Remote’s management service (SRManager.exe).

Trend Micro analysts highlighted that the Linux binary enabled a single payload to impact both Windows and Linux systems, increasing operational efficiency and damage potential. Updated samples also included detection for Nutanix AHV environments, showing expansion beyond traditional VMware-focused targeting.
Delivery methods and social engineering
Besides credential-based intrusions, some Qilin attacks began with spear-phishing, or with weaponized fake CAPTCHA pages, similar to ClickFix scams, hosted on Cloudflare R2 storage. Those pages drop information stealers that harvest credentials, which are then used for initial access.
Impact and recommended mitigations
Qilin operations focus on data theft, backup compromise, and encryption, often wiping event logs and deleting shadow copies before deploying ransomware, which complicates recovery. Organizations should prioritize:
- Securing and rotating privileged credentials, including backup and RMM accounts.
- Enforcing multi-factor authentication on administrative and remote-access accounts.
- Monitoring for suspicious RMM activity and unusual use of legitimate admin tools.
- Hardening backup systems, segregating backup credentials, and testing recovery procedures regularly.
- Detecting and blocking exploitation techniques such as BYOVD, and monitoring for unsigned or unusual kernel drivers.
- Applying least privilege, network segmentation, and robust endpoint protections that can detect post-exploitation toolsets like Mimikatz and Cobalt Strike.
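A small rule-based detector, added here as an illustration and not taken from the Talos or Trend Micro reports, that runs the AMSI-tampering, Restricted Admin, credential-tool, BYOVD driver-load, RMM and anti-recovery indicators described above over constructed command-line and driver-load log lines, then escalates only when hits span several tactics. The log field layout, the eskle.sys file path and the tactic labels are assumptions for the example.

```python
import re

# Detection rules keyed to the Qilin tradecraft described on this page:
# (rule name, case-insensitive regex over one free-text log line, tactic).
# Patterns assume command-line / Sysmon-style lines; adapt to your log schema.
RULES = [
    ("event_log_cleared",     r"wevtutil\s+cl\b|eventid=1102\b",                                "Defense Evasion"),
    ("shadow_copies_deleted", r"vssadmin.*delete\s+shadows|shadowcopy\s+delete",                 "Impact"),
    ("amsi_tamper",           r"amsiutils|amsiinitfailed",                                       "Defense Evasion"),
    ("tls_validation_bypass", r"servercertificatevalidationcallback",                            "Defense Evasion"),
    ("restricted_admin_mode", r"disablerestrictedadmin.*\b0\b",                                  "Defense Evasion"),
    ("byovd_driver_loaded",   r"driver\s+loaded.*eskle\.sys",                                    "Defense Evasion"),
    ("rmm_tool_launched",     r"\b(anydesk|screenconnect|splashtop|srmanager)\b",                 "Persistence"),
    ("credential_tooling",    r"mimikatz|sharpdecryptpwd|bypasscredguard|webbrowserpassview",    "Credential Access"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), tactic) for name, rx, tactic in RULES]

def scan(lines):
    """Return one hit dict per (line, rule) match; a line may trigger several rules."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for name, rx, tactic in COMPILED:
            if rx.search(line):
                hits.append({"line": lineno, "rule": name, "tactic": tactic, "text": line.strip()})
    return hits

def triage(lines, min_tactics=3):
    """Escalate only when hits cover several tactics: the chain on this page is
    evasion + credential access + RMM persistence + recovery sabotage, so a single
    noisy rule (e.g. one RMM launch) should not page anyone by itself."""
    hits = scan(lines)
    tactics = sorted({h["tactic"] for h in hits})
    return {"hits": len(hits), "tactics": tactics, "escalate": len(tactics) >= min_tactics}

# Constructed sample lines (not real telemetry) mimicking the behaviours above.
SAMPLE_LOG = [
    "t=1 host=DC01 user=admin proc=powershell.exe cmd=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static')",
    "t=2 host=DC01 user=admin proc=reg.exe cmd=reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f",
    "t=3 host=DC01 user=admin proc=mimikatz.exe cmd=privilege::debug sekurlsa::logonpasswords",
    "t=4 host=DC01 EventID=6 Driver loaded: C:\\Windows\\Temp\\eskle.sys Signed=false",
    "t=5 host=DC01 user=admin proc=SRManager.exe cmd=SRManager.exe run C:\\Users\\Public\\payload",
    "t=6 host=DC01 user=admin proc=vssadmin.exe cmd=vssadmin delete shadows /all /quiet",
    "t=7 host=DC01 user=admin proc=wevtutil.exe cmd=wevtutil cl Security",
    "t=8 host=WS07 user=jdoe proc=notepad.exe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']:>2} {h['rule']:<22} [{h['tactic']}]")
    print(triage(SAMPLE_LOG))
```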