Qilin (also tracked as Agenda, Gold Feather, Water Galura) emerged around mid-2022 and grew into one of 2025’s most active Ransomware-as-a-Service (RaaS) operations. Since the start of 2025 it has claimed dozens of victims monthly — peaking with roughly 100 leak-site postings in June and about 84 victims in both August and September.
The group focuses on data theft plus encryption, and it increasingly uses hybrid, cross-platform techniques to sidestep traditional Windows-only detections.
How attackers gain initial access
Qilin affiliates often start with leaked administrative credentials or stolen VPN credentials. They authenticate via exposed VPN interfaces or other remote entry points. From there, operators use RDP or other remote access methods to reach domain controllers and high-value endpoints. This initial access model favors credential stuffing, purchased dumps, and credential reuse on business services.
Attack chain and key tools
After gaining access, attackers perform system reconnaissance and network discovery. They harvest credentials and escalate privileges using both off-the-shelf and bespoke tools. Observed tooling includes Mimikatz and credential-dumping utilities, along with lightweight utilities to extract saved browser passwords and RDP/Citrix credentials. The actors used scripting (Visual Basic Script) to exfiltrate data to external SMTP servers.
To evade detection, the chain commonly includes:
Execution of PowerShell to disable AMSI and turn off TLS certificate checks.
Use of legitimate tools (AnyDesk, ScreenConnect, Chrome Remote Desktop, Splashtop, Cyberduck, WinSCP) to move laterally and transfer files. Security teams may misclassify these as benign admin traffic.
Deployment of backdoors (Cobalt Strike, SystemBC) and process terminators (dark-kill, HRSword) to kill security software.
A significant evolution: Qilin has been observed deploying a Linux ransomware binary on Windows hosts. They transfer the Linux payload to the Windows environment (using tools like WinSCP or Cyberduck) and execute it via legitimate remote management services. This cross-platform trick complicates EDR detection that focuses on Windows binaries.
BYOVD and backup-targeting tactics
Qilin has used bring-your-own-vulnerable-driver (BYOVD) techniques to disable protections and persist. Reports show use of a vulnerable driver (reported as eskle.sys or similar) to interfere with endpoint defenses and allow payload execution with fewer alerts. They also aggressively target backup infrastructure — notably Veeam — harvesting backup credentials and compromising disaster-recovery capabilities before encryption. These actions show a clear intent to worsen recovery odds and increase ransom pressure.
Who gets hit and industry impact
Data compiled by threat intel teams shows the U.S., Canada, the U.K., France, and Germany among the most impacted countries. Target industries include manufacturing (largest share), professional & scientific services, and wholesale trade. Qilin’s tactics make small and medium enterprises, and organizations with weak backup segmentation, especially vulnerable.
Detection challenges
Qilin blends legitimate admin tools and cross-platform code, which reduces noisy alerts. They also:
Wipe Windows event logs and delete Volume Shadow Copies (VSS) before encrypting.
Use SOCKS proxy DLLs, COROXY backdoors, and other obfuscation to hide C2 traffic.
Install popular remote management apps through RMM platforms to hide malicious commands under normal management traffic. These techniques make behavior-based alerting harder unless defenders monitor for anomalous usage patterns of trusted tools and for credential abuse.
Practical mitigations (immediate & long term)
Protect credentials and remote access
Enforce MFA on VPNs, RMM, remote desktop, and backup admin accounts.
Remove or rotate exposed credentials from public dumps.
Harden backups and recovery
Isolate backup admin credentials. Use least privilege and dedicated recovery accounts.
Implement immutable backups and air-gapped restores when possible.
Hunt for abnormal admin tool usage
Alert on unusual AnyDesk/ScreenConnect/Splashtop sessions, especially when followed by file transfers or credential dumps.
Detect BYOVD behavior
Monitor for unknown kernel drivers, unsigned driver loads, or driver installs from nonstandard sources.
Limit lateral movement
Segment networks, restrict RDP, require jump hosts for admin tasks, and log privileged commands centrally.
Test incident response
Run tabletop exercises for a scenario that includes ransom, backup compromise, and log deletion. Ensure IR playbooks cover cross-platform payloads.
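As an added example (not from the original article or any vendor report), the following Python sketch runs the hunting logic from the "Detection challenges", "Hunt for abnormal admin tool usage" and "Detect BYOVD behavior" sections over constructed process-creation events: it flags shadow-copy deletion, event-log clearing, a kernel driver registered from outside the Windows drivers directory, and an RMM session followed within a time window by a file-transfer or credential-dump tool on the same host. The event tuple layout, the tool-name lists and the 30-minute window are assumptions to adapt to real telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events, not real telemetry:
# (timestamp, host, image path, command line)
EVENTS = [
    ("2025-06-01T09:00:00", "WS01", r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe --control"),
    ("2025-06-01T09:04:00", "WS01", r"C:\Program Files\WinSCP\WinSCP.exe", "WinSCP.exe /script=push.txt"),
    ("2025-06-01T09:10:00", "WS01", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("2025-06-01T09:11:00", "WS01", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ("2025-06-01T09:12:00", "WS01", r"C:\Windows\System32\sc.exe", r"sc create drv binPath= C:\Users\Public\drv.sys type= kernel"),
    ("2025-06-01T13:00:00", "WS02", r"C:\Program Files\ScreenConnect\ScreenConnect.exe", "ScreenConnect.exe"),
    ("2025-06-01T15:30:00", "WS02", r"C:\Program Files\WinSCP\WinSCP.exe", "WinSCP.exe"),
]

# Tool name fragments (assumed); Chrome Remote Desktop's host process is remoting_host.exe
RMM_TOOLS = ("anydesk", "screenconnect", "splashtop", "remoting_host")
TRANSFER_OR_DUMP = ("winscp", "cyberduck", "mimikatz")
SINGLE_EVENT_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
}
SC_KERNEL = re.compile(r"\bsc(\.exe)?\s+create\b.*\btype=\s*kernel\b", re.I)
BINPATH = re.compile(r'binPath=\s*"?([^"\s]+)', re.I)
DRIVER_DIR = "\\windows\\system32\\drivers\\"

def detect(events, window=timedelta(minutes=30)):
    """Return (timestamp, host, rule) hits; `window` bounds the RMM -> transfer correlation."""
    hits = []
    events = sorted(events)  # ISO timestamps sort chronologically as strings
    for ts, host, image, cmd in events:
        for rule, rx in SINGLE_EVENT_RULES.items():
            if rx.search(cmd):
                hits.append((ts, host, rule))
        if SC_KERNEL.search(cmd):
            path = BINPATH.search(cmd)
            # A kernel driver registered from outside the drivers directory is the BYOVD signal
            if not path or DRIVER_DIR not in path.group(1).lower():
                hits.append((ts, host, "kernel_driver_from_nonstandard_path"))
        if any(t in image.lower() for t in RMM_TOOLS):
            # Same host runs a file-transfer or credential-dump tool shortly after the RMM session
            start, end = datetime.fromisoformat(ts), datetime.fromisoformat(ts) + window
            if any(h == host and start < datetime.fromisoformat(t) <= end
                   and any(x in img.lower() for x in TRANSFER_OR_DUMP) for t, h, img, _ in events):
                hits.append((ts, host, "rmm_session_followed_by_transfer_or_dump"))
    return hits
```

Call detect(EVENTS) to run the rules over the sample; only the WS01 events fire, because the WS02 WinSCP launch falls outside the 30-minute window after ScreenConnect.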
Qilin/Agenda demonstrates how RaaS groups evolve. They combine credential abuse, legitimate admin tooling, cross-platform payloads, and BYOVD to evade defenses and cripple recovery options. Organizations must harden access, isolate backups, and detect the unusual use of trusted tools. The defense must focus on credentials, segmentation, and monitoring the behavior behind legitimate remote access.