Qilin Ransomware Surge: How a Sophisticated RaaS Gang Is Evolving Its Playbook

Listen to this Post

Featured Image

Introduction

The Qilin ransomware operation — also tracked under names like Agenda, Gold Feather, and Water Galura — has gone from a persistent nuisance to one of the most prolific ransomware-as-a-service (RaaS) outfits observed in 2025. What began as a steady campaign of targeted intrusions has escalated into a multi-vector, cross-platform threat that blends credential theft, abuse of legitimate remote-management tools, BYOVD (bring-your-own-vulnerable-driver) tricks, and even Linux payloads executed on Windows hosts. The result: an adaptable adversary that can systematically cripple backup and recovery systems, quietly move laterally inside enterprise networks, and deploy encrypted extortion at scale. Below is a careful, human-readable rewrite and expansion of the technical findings, followed by an in-depth analysis of what these behaviors mean for defenders and enterprises.

the original article (condensed, ~30-line paragraph)

Since early 2025 Qilin (aka Agenda / Gold Feather / Water Galura) has claimed dozens of victims each month — more than 40 in every month except January and peaking at 100 postings in June — and in August and September it reportedly hit 84 victims per month, making it one of the most active RaaS operations. Active since roughly July 2022, the group has heavily impacted organizations in the U.S., Canada, the U.K., France, and Germany, focusing on manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%). Cisco Talos analysis indicates Qilin affiliates commonly gain initial access using leaked administrative credentials tied to VPN interfaces, then leverage RDP to reach domain controllers and compromised endpoints. Once inside, they perform network reconnaissance and credential-harvesting with tools like Mimikatz, WebBrowserPassView, BypassCredGuard, and SharpDecryptPwd, exfiltrating data via SMTP using Visual Basic scripts. Attackers have also used common Windows applications (mspaint.exe, notepad.exe, iexplore.exe) to inspect files, and legitimate tools such as Cyberduck to transfer data, masking malicious activity. Harvested credentials are abused for privilege escalation and lateral movement, sometimes installing RMM or remote-access software (AnyDesk, Chrome Remote Desktop, ScreenConnect, Splashtop, etc.) to maintain persistence and execute commands. To evade detection they run PowerShell commands to disable AMSI, skip TLS certificate validation, enable Restricted Admin, and use kill-tools like dark-kill and HRSword to terminate security processes. Cobalt Strike and SystemBC are deployed for persistence and remote control, and final-stage deployment includes file encryption by Qilin ransomware accompanied by wiping event logs and deleting Volume Shadow Copies (VSS). Sophisticated variants have been seen delivering a Linux ransomware binary onto Windows systems using BYOVD (e.g., eskle.sys) and transferring cross-platform payloads via tools like WinSCP and Cyberduck; Splashtop’s SRManager.exe has been used to execute Linux binaries directly on Windows hosts. Trend Micro notes attackers abused RMM platforms like Atera to install AnyDesk and used ScreenConnect and Splashtop for later stages; they specifically targeted Veeam backup infrastructure, harvesting backup credentials so they could undermine disaster recovery before encryption. Other vectors include spear-phishing and fake CAPTCHA/ClickFix-style pages hosted on Cloudflare R2 that deliver information stealers to capture credentials. Additional tactics noted: deploying SOCKS proxy DLLs, abusing ScreenConnect for discovery and scanning, running PuTTY for SSH movement to Linux systems, using COROXY backdoors to obfuscate C2 traffic, and adding Nutanix AHV detection to new samples — showing a shift toward targeting modern virtualization stacks beyond VMware.

What Undercode Say:

Qilin is not a garden-variety ransomware gang with a single gimmick — it’s an evolving, platform-agnostic criminal service that demonstrates clear operational maturity. Several behaviors stand out and should shape how organizations reframe detection, response, and resilience plans.

First, the emphasis on legitimate tool abuse (RMM platforms, AnyDesk, ScreenConnect, Splashtop, Cyberduck, WinSCP, PuTTY) is deliberate. Using trusted administration and file-transfer tools reduces noisy telemetry, evades naive allowlists, and grants attackers powerful remote-control capabilities without needing custom malware in early stages. Defenders should treat anomalous use of management platforms as high-severity telemetry, not noise. Every RMM connection should be logged, profiled for baseline behavior, and subject to just-in-time access controls.

Second, the clear targeting of backup systems — specifically Veeam — is a strategic escalation. Ransomware that systematically harvests backup credentials and sabotages DR capabilities makes victim organizations much likelier to pay. Backup platforms must be isolated, put behind least-privilege access paths, use unique service accounts with no interactive login, and keep air-gapped or immutable copies where feasible. Restore drills need to be frequent and validated; assuming backups exist is no longer enough.

Third, Qilin’s hybrid technique of delivering Linux payloads onto Windows hosts via BYOVD and legitimate management services is a sign of sophistication. Running a Linux binary on Windows using Splashtop or by dropping cross-platform tools lets adversaries reuse one payload across mixed environments and target hyperconverged or virtualized stack components (Nutanix AHV, etc.). Defenders must ensure host integrity checks, monitor for anomalous child processes of remote management services, and inspect kernel-mode drivers (like eskle.sys) that are unsigned or suspicious.

Fourth, the persistent reliance on credential harvesting and leaked credentials indicates that perimeter hardening and credential hygiene remain critical. Multifactor authentication (MFA) for VPNs, remote admin portals, and RMM consoles can significantly blunt these attacks. But MFA alone isn’t a panacea: attackers often harvest tokens, abuse session reuse, or pivot once domain admin credentials are obtained. Credential monitoring, rapid rotation for compromised accounts, and credential vaulting for privileged accounts are essential defenses.

Fifth, the operational playbook shows layered detection evasion: disabling AMSI, turning off TLS checks, and using kill tools to terminate EDR processes. This means defenders should implement multiple, independent detection channels: kernel-level telemetry, network flow analysis, EDR + NDR, and immutable logging forwarded to off-site collectors so attackers cannot simply wipe forensic trails. Event log archiving to an external, tamper-resistant store is a must.

Sixth, the use of Cloudflare R2-hosted fake CAPTCHA pages and spear-phishing to deliver information stealers shows attackers continue to combine high-tech evasion with social engineering. Phishing-resistant architectures (passkeys, hardware tokens), email filtering, and user behavior analytics help — but regular, practical tabletop exercises that simulate these exact hybrid scenarios make security teams faster and more confident in stopping lateral movement.

Seventh, Qilin’s modular, RaaS nature means affiliates with varying skill levels can operate under a common brand with shared tooling and acceptance of innovation (nutanix detection, BYOVD). This accelerates iteration and adaptation; defenders should treat Qilin as a constantly morphing campaign rather than a single static threat ID.

Finally, incident response maturity matters more than ever. Given Qilin’s pattern — reconnaissance, credential theft, backup compromise, tool abuse, and rapid encryption — speed and coordination across IT, backup teams, identity, and third-party vendors determine recovery success. Pre-approved playbooks that include immediate isolation of backup infrastructure, token revocation, and forensic image collection will dramatically reduce impact.

Fact Checker Results

✅ Qilin activity increased in 2025 with peaks mid-year and high monthly victim counts — consistent across multiple vendor reports.

✅ The attack chain commonly involves credential theft, RMM abuse, and backup targeting; these are confirmed techniques in vendor telemetry.

❌ No public evidence that every RMM tool listed is always used for lateral movement; vendors reported installation/use but could not definitively prove all tools were used for lateral movement in every incident.

Prediction

Qilin and similar RaaS ecosystems will continue to blend tool-chain abuse, cloud hosting for phishing infrastructure, and cross-platform payloads — accelerating attacks against backup and virtualization layers. Expect more targeted campaigns that specifically probe hyperconverged and cloud backup APIs, paired with creative uses of legitimate IT tooling to evade detection. Organizations that treat backups as untouchable crown jewels, lock down privileged access with vaulting + MFA, and monitor RMM behavior will reduce ransom outcomes; those that do not will likely see higher-impact incidents. 🔮🛡️

If you’d like, I can convert this into a formatted blog post (HTML/Markdown), craft a short social post to promote it, or generate a concise incident checklist your security team can print and use during an event.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon