Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack


Researchers from Cisco Talos and Trend Micro have observed a sophisticated campaign by the Qilin ransomware group that combines Linux-based payloads with a Bring Your Own Vulnerable Driver (BYOVD) exploit on Windows systems.

According to Cisco Talos, Qilin—also known as Agenda or Water Galura—has claimed dozens of victims monthly throughout 2025. Its affiliates have targeted manufacturing, professional services, and wholesale trade sectors using stolen VPN credentials and remote desktop connections for initial access.

Once inside a network, the attackers harvested credentials with Mimikatz and SharpDecryptPwd and moved laterally using remote management tools such as AnyDesk and ScreenConnect. Trend Micro’s analysis confirmed Qilin used Atera and Splashtop for final payload deployment.

The hybrid operation demonstrates Qilin’s evolution: the group reportedly executed a Linux ransomware binary on Windows hosts, and loaded a vulnerable “eskle.sys” driver in a BYOVD attack (a legitimately signed but exploitable driver used to gain kernel-level access) to disable defenses before encryption. On infected systems, event logs were wiped and shadow copies deleted before ransom notes were dropped.
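The sequence described above (an unexpected driver load, followed by log clearing and shadow copy deletion on the same host) is one a detection engineer can correlate from endpoint telemetry. The following is an added example written for this page, not code from Talos, Trend Micro or the page's author. It assumes Sysmon-style events (Event ID 6 for driver loads, Event ID 1 for process creation, Windows Security Event ID 1102 for a cleared audit log), a trusted driver directory, a 30-minute correlation window and the specific command lines shown; the sample events are constructed, and the path under which “eskle.sys” is dropped is an assumption.

```python
"""Added example: correlate endpoint events for the BYOVD -> defence-impact sequence
the article describes. Event shapes, paths, command lines and thresholds are assumptions."""
import re
from datetime import datetime, timedelta

# Command lines that delete shadow copies or clear event logs (assumed patterns).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"Win32_ShadowCopy.*Delete)", re.I)
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)", re.I)

# Legitimate drivers normally load from here; a BYOVD driver is usually dropped elsewhere.
# The driver itself is typically validly signed, so signature status alone will not flag it.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
CORRELATION_WINDOW = timedelta(minutes=30)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def classify(event):
    """Tag a single event, or return None if it is not of interest."""
    eid = event["EventID"]
    if eid == 6:  # Sysmon DriverLoad
        image = event.get("ImageLoaded", "").lower()
        if not image.startswith(TRUSTED_DRIVER_DIR):
            return "suspicious_driver_load"
    elif eid == 1:  # Sysmon ProcessCreate
        cmd = event.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            return "shadow_copy_deletion"
        if LOG_CLEAR.search(cmd):
            return "log_clearing"
    elif eid == 1102:  # Security audit log cleared
        return "log_clearing"
    return None


def correlate(events):
    """Group tagged events per host and escalate to 'high' when a suspicious driver
    load precedes shadow copy deletion or log clearing within CORRELATION_WINDOW."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        tag = classify(ev)
        if tag:
            per_host.setdefault(ev["Computer"], []).append((parse_ts(ev["UtcTime"]), tag))

    findings = {}
    for host, tagged in per_host.items():
        tags = sorted({t for _, t in tagged})
        drivers = [ts for ts, t in tagged if t == "suspicious_driver_load"]
        impacts = [ts for ts, t in tagged if t in ("shadow_copy_deletion", "log_clearing")]
        chained = any(timedelta(0) <= (i - d) <= CORRELATION_WINDOW
                      for d in drivers for i in impacts)
        findings[host] = {"severity": "high" if chained else "medium", "tags": tags}
    return findings


# Constructed sample telemetry: WS01 shows the full chain, WS02 only an isolated log clear.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "UtcTime": "2025-01-10 02:00:00", "EventID": 6,
     "ImageLoaded": "C:\\Users\\Public\\eskle.sys", "SignatureStatus": "Valid"},
    {"Computer": "WS01", "UtcTime": "2025-01-10 02:03:10", "EventID": 1,
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS01", "UtcTime": "2025-01-10 02:04:00", "EventID": 1102},
    {"Computer": "WS02", "UtcTime": "2025-01-10 03:00:00", "EventID": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "SignatureStatus": "Valid"},
    {"Computer": "WS02", "UtcTime": "2025-01-10 03:05:00", "EventID": 1,
     "CommandLine": "wevtutil.exe cl Security"},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding)
```

The path heuristic is deliberately the primary signal: because a BYOVD driver carries a valid Microsoft-accepted signature, rules keyed on signature validity alone will miss it, while a driver loading from a user-writable directory is rare in normal operation. In production the driver hash should additionally be checked against the Microsoft vulnerable driver blocklist, which this example omits.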

Talos noted Qilin’s presence across multiple geographies including the U.S., U.K., France, and Germany, and characterized the campaign as part of a broader trend of RaaS operators adopting multi-platform payloads and legitimate IT utilities to obscure malicious activity.