Qilin Ransomware Exploits Windows Subsystem for Linux to Bypass Security

Listen to this Post

Featured Image
The Qilin ransomware operation has emerged as one of the most sophisticated and persistent cybercrime threats in recent years. Originally launched as “Agenda” in August 2022 and rebranded as Qilin by September, this ransomware gang has escalated its attacks worldwide, targeting over 700 victims in 62 countries within the last year alone. Leveraging advanced techniques, Qilin has found ways to bypass traditional security tools, employing both Windows and Linux environments in a hybrid attack strategy that challenges conventional cybersecurity defenses.

A Rising Global Threat

Qilin’s operations have become alarmingly active, with Trend Micro and Cisco Talos reporting that the group averages over 40 new victims per month in the second half of 2025. The attackers rely on a combination of legitimate software and remote management tools, including AnyDesk, ScreenConnect, and Splashtop, to infiltrate networks, steal credentials, and move laterally across systems. Additionally, they exploit everyday Windows utilities such as Microsoft Paint and Notepad to identify sensitive documents before exfiltrating data.

Disabling Security Tools with Vulnerable Drivers

One of Qilin’s most dangerous tactics is using Bring Your Own Vulnerable Driver (BYOVD) attacks to neutralize security software. The attackers deploy signed but vulnerable drivers like eskle.sys to terminate antivirus and EDR processes. They further use DLL sideloading to load additional kernel drivers, such as rwdrv.sys and hlpdrv.sys, which grant kernel-level privileges. Tools like “dark-kill” and “HRSword” are deployed to ensure security programs are disabled and traces of malicious activity erased. According to Cisco Talos, attackers frequently execute commands to uninstall EDR software or stop services directly, while also leveraging open-source tools to bypass security layers.

Linux Encryptors Executed via WSL

In a significant evolution of their tactics, Qilin affiliates have begun executing Linux-based encryptors on Windows systems using Windows Subsystem for Linux (WSL). These Linux ELF executables, originally thought to be cross-platform, cannot run natively on Windows and require a Linux runtime environment. Researchers observed that threat actors transfer the Linux encryptor via WinSCP and launch it through Splashtop’s SRManager.exe within Windows. By enabling or installing WSL, attackers can execute Linux ransomware directly on Windows devices, bypassing conventional Windows EDR solutions that are tuned to detect Windows PE behavior.

Hybrid Attacks Targeting Virtual Machines

The Qilin Linux encryptor shows a particular focus on VMware ESXi virtual machines, with command-line options for debugging, dry runs, and encryption customization. This dual-environment approach highlights the gang’s adaptation to hybrid IT infrastructures, allowing them to maximize reach and impact. Trend Micro emphasizes that this technique reflects ransomware operators’ growing sophistication in navigating both Windows and Linux environments while evading standard detection tools.

What Undercode Say: Analytical Insight

Qilin’s operational evolution underscores a critical trend in ransomware attacks: the shift toward hybrid attacks leveraging multiple operating systems. By using WSL, Qilin is exploiting an often-overlooked feature in Windows that creates blind spots in traditional EDR solutions. Security teams that focus solely on Windows PE processes may miss malicious activity entirely, giving threat actors free rein to encrypt data and move laterally.

The BYOVD method further complicates defense strategies. Deploying vulnerable but signed drivers not only disables security software but can also mislead organizations into underestimating the severity of an attack. Coupled with the use of legitimate remote access tools, Qilin’s methodology blurs the line between normal administrative activity and malicious intrusion, making detection extremely challenging.

Moreover, targeting virtualized environments like VMware ESXi indicates a sophisticated understanding of enterprise infrastructure. Encrypting VM snapshots and managing encryption via command-line scripts allows attackers to execute high-impact attacks while maintaining stealth. This signals a concerning evolution where ransomware is not just an endpoint threat but an infrastructure-level danger capable of disrupting entire enterprise operations.

The fact that Qilin continues to publish 40+ new victims monthly also illustrates the gang’s organizational efficiency. Coordinated affiliate networks, use of hybrid attack vectors, and automation through scripts demonstrate a level of professionalism comparable to state-sponsored cyber operations. For organizations, this represents an urgent call to reassess both security monitoring strategies and incident response protocols.

Finally, Qilin’s operations highlight the growing need for cross-platform threat intelligence. As enterprises increasingly adopt mixed Windows-Linux environments, attackers are adapting faster than many defensive measures. Security teams must consider WSL and other hybrid technologies when designing monitoring, detection, and response strategies, ensuring that endpoints and virtualized environments alike are monitored comprehensively.

Fact Checker Results

✅ Qilin ransomware originated as Agenda in 2022 and rebranded in September.
✅ The gang has targeted over 700 victims in 62 countries in the last year.
❌ Qilin’s Linux encryptors run natively on Windows without WSL; they require WSL to execute.

Prediction 📊

The trend of hybrid ransomware attacks is likely to intensify in 2026, with groups like Qilin further exploiting WSL and virtualized environments. Organizations may face more sophisticated attacks on VMware ESXi and cloud-hosted Linux systems, emphasizing the urgent need for cross-platform threat monitoring. As security tools evolve, ransomware operators will continue to identify blind spots, potentially leading to a surge in undetected high-impact breaches, particularly in enterprise and hybrid IT infrastructures.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.discord.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon