October 27, 2025 By Pierluigi Paganini

Qilin ransomware group used Linux binaries on Windows to evade EDRs, steal backups, and disable defenses via BYOVD attacks.
Trend Research found that the Qilin ransomware group (aka Agenda) used a Linux ransomware binary on Windows systems via legitimate remote tools, bypassing Windows defenses and EDRs. The cross-platform method enables stealthy attacks, stealing backup credentials and disabling endpoint protections through BYOVD exploits.
The Linux ransomware was deployed on Windows systems using WinSCP for secure file transfer and Splashtop Remote for executing the ransomware binary. The attackers abused AnyDesk via ATERA RMM, ScreenConnect, and MeshCentral to evade detection, and used BYOVD for defense evasion. Attackers also stole Veeam backup credentials to block recovery. Trend Micro highlights that the cross-platform tactic bypasses Windows defenses, showing evolving attacker sophistication.
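The tactic above leaves an unusual artifact behind: an ELF (Linux) executable sitting on a Windows file system, which Windows cannot load natively. As an added example (not code from the article or from Trend Micro), the following Python hunt walks a directory tree and reports ELF files with their architecture; the scan root is an assumption, and WSL installations are an expected source of benign hits.

```python
"""Hunt for ELF (Linux) executables staged on a Windows file system.

Added example: Windows has no native ELF loader, so an ELF file on a
Windows host is uncommon and worth reviewing. WSL distributions are a
legitimate source of false positives and should be allow-listed.
"""
import os
import struct

ELF_MAGIC = b"\x7fELF"
# Subset of e_machine values from the ELF specification.
MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}


def parse_elf_header(data: bytes):
    """Return a dict describing the ELF header, or None if `data` is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None                               # malformed e_ident
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, f"0x{e_type:x}"),
        "machine": MACHINES.get(e_machine, f"0x{e_machine:x}"),
    }


def find_elf_files(root: str):
    """Walk `root` and return [(path, header_info)] for every ELF file found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = parse_elf_header(fh.read(64))
            except OSError:
                continue                          # locked or unreadable; skip
            if info:
                hits.append((path, info))
    return hits


if __name__ == "__main__":
    import sys
    # Assumed scan root: current directory unless one is given on the command line.
    for path, info in find_elf_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {info['bits']}-bit {info['machine']} {info['type']}")
```

Run it against user-writable staging locations (downloads, temp, RMM tool working directories) and review every hit that is not part of a known WSL install.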