The Agenda ransomware group, also known as Qilin, has been abusing legitimate remote management and file transfer tools, security researchers revealed in a new disclosure. By deploying a Linux-based ransomware binary on Windows hosts, the threat actor has affected more than 700 victims since January 2025.
According to Trend Micro’s findings, the cross-platform execution sidesteps Windows-centric detections and security solutions, including conventional endpoint detection and response (EDR) platforms. The technique used by the Agenda ransomware group can also disable recovery options through the targeted theft of backup credentials, and it uses a Bring Your Own Vulnerable Driver (BYOVD) attack to neutralize endpoint defenses.
“Agenda’s campaign is dangerous because it fuses cross-platform execution with remote-management abuse and driver-level tampering. Running a Linux encryptor through Windows remote tools and using BYOVD to kill EDR creates a potent, detection-resistant mix,” said Chirag Mehta, vice president and principal analyst at Constellation Research.
The attack playbook
To gain initial access, Agenda used a sophisticated social engineering scheme involving fake CAPTCHA pages to deliver information stealers to the compromised endpoints. This helped the threat actor obtain valid credentials, including authentication tokens, browser cookies, and stored credentials from the infected systems, enabling them to bypass multifactor authentication (MFA) and move laterally using legitimate user sessions, Trend Micro noted.
A SOCKS proxy DLL was loaded directly into memory through Windows’ legitimate rundll32.exe process to gain remote access and command execution. The threat actors also created a backdoor administrative account named “Supportt.”
For mapping network infrastructure, the attacker abused ScreenConnect’s legitimate remote management capabilities to execute discovery commands. This was carried out using temporary command scripts, systematically enumerating domain trusts and identifying privileged accounts while appearing as normal administrative activity. The NetScan utility was executed from both the Desktop and Documents folders to perform comprehensive network enumeration.
Remote management tools, such as ATERA Networks’ agent, which was then used to deploy AnyDesk version 9.0.5, were installed through legitimate RMM platforms to blend in with normal IT operations. These techniques gave the threat actors redundant remote access paths that appeared legitimate to security monitoring systems.
Because backup systems often store credentials for accessing multiple systems across the enterprise, the attackers specifically targeted Veeam backup infrastructure, using PowerShell scripts to harvest credentials.
To sneak past security solutions and even disable them, the threat actors used multiple BYOVD methods. Two executables, 2stX.exe and Or2.exe, were deployed that used the eskle.sys driver to disable security software, disrupt system operations, and maintain persistence. The msimg32.dll file served as a dropper for two additional driver files. Three further executables (cg6.exe, 44a.exe, aa.exe) were also identified as potential anti-AV tools.
Multiple PuTTY SSH clients were systematically deployed on compromised systems, allowing the attackers to establish SSH connections to Linux infrastructure and expand their reach beyond Windows systems.
After command-and-control infrastructure had been established using multiple SOCKS proxy instances associated with Veeam backup, VMware virtualization, and Adobe application components, the final ransomware payload was deployed.
File transfer was done through WinSCP, and the Linux ransomware binary was executed through Splashtop Remote’s SRManager.exe on Windows systems.
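The chain described above (an RMM agent spawning discovery scripts, the rundll32-loaded SOCKS proxy DLL, the “Supportt” account, and a Linux binary launched via SRManager.exe) expressed as detection logic over constructed process-creation events. This is an added illustration written for this article, not code from Trend Micro or the researchers; the process names in RMM_PARENTS, the event field names, and the sample events are assumptions.

```python
import re
from typing import Dict, List

# Assumed process names for the remote tools the article names; tune to your fleet.
RMM_PARENTS = {"srmanager.exe", "anydesk.exe", "screenconnect.clientservice.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\(users|temp|programdata)\\", re.IGNORECASE)
ADD_USER = re.compile(r"\bnet1?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.IGNORECASE)

def is_elf(header: bytes) -> bool:
    """ELF magic at offset 0 means a Linux binary, which has no business on a Windows host."""
    return header[:4] == b"\x7fELF"

def triage(event: Dict[str, str]) -> List[str]:
    """Return the names of the detections a process-creation event trips."""
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmdline", "")
    hits: List[str] = []
    # RMM agent launching a script host: discovery via temporary command scripts.
    if parent in RMM_PARENTS and image in SCRIPT_HOSTS:
        hits.append("rmm_spawned_script_host")
    # rundll32 loading a DLL from a user-writable path: the in-memory SOCKS proxy pattern.
    if image == "rundll32.exe" and ".dll" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("rundll32_user_path_dll")
    # Local account creation from the command line: the "Supportt" backdoor account.
    m = ADD_USER.search(cmd)
    if m:
        hits.append(f"local_account_added:{m.group(1)}")
    # First bytes of the launched image (hex, as a file-scanning sensor might supply them).
    if is_elf(bytes.fromhex(event.get("image_magic", ""))):
        hits.append("elf_binary_launched")
    return hits

# Constructed events modelled on the reported chain; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Splashtop\SRManager.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\Public\disc1.bat"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\proxy.dll,Start"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user Supportt Sup3r!Pass /add"},
    {"parent": r"C:\Program Files\Splashtop\SRManager.exe", "image": r"C:\Users\Public\enc",
     "cmdline": r"C:\Users\Public\enc", "image_magic": "7f454c46"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[tuple]:
    return [(e["image"].rsplit("\\", 1)[-1], triage(e)) for e in events]

if __name__ == "__main__":
    for name, hits in run():
        print(f"{name:14} {hits or 'clean'}")
```

Each rule is deliberately narrow; in production you would feed real Sysmon or EDR process events and add an allowlist for your approved RMM automation so routine jobs do not page the SOC.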
Agenda ransomware has attacked organizations in high-value sectors across manufacturing, technology, financial services, and healthcare, where the likelihood of ransom payment is higher. The impact spans 62 countries, with most of its victims in the US, France, Canada, and the UK.
Fixing the gaps
Threat actors are now exploiting legitimate IT tools and hybrid infrastructures to quietly sidestep conventional defenses, calling for CISOs to rethink security strategies.
Mehta added that when Linux binaries execute on Windows through a remote tool, your Windows-only detections won’t save you.
He added that Agenda ransomware exploits Windows-centric assumptions, under-protected RMM tools, and neglected driver monitoring. Most organizations still underestimate how much control attackers gain once they compromise RMM agents and backup credentials. So, they should start with identity, RMM, hypervisors, and backups, as these control planes drive scale for attackers. Close cross-platform detection gaps and enforce kernel driver integrity to blunt BYOVD and lateral Linux/Windows execution paths.
Also, considering that manufacturing, healthcare, and tech are deeply reliant on RMM and file-transfer tools, replacing them isn’t realistic. Instead, CIOs should consolidate to approved platforms, enforce JIT and session-based access, and segregate management traffic from production systems, noted Mehta.
Lastly, treat backups as a separate security domain with isolated networks, independent credentials, immutable copies, and continuous database monitoring for credential access. The key is to assume the backup controller itself could be compromised.