The ransomware-as-a-service operation known as Qilin, formerly operating under the name “Agenda,” has adopted a new hybrid attack method that leverages the Windows Subsystem for Linux (WSL) to run Linux-based encryptors directly on Windows hosts. This shift allows the group to bypass many Windows-focused endpoint security tools, significantly expanding its ability to target cross-platform enterprise environments.
Exploiting WSL for Cross-Platform Encryption
Security researchers discovered that Qilin affiliates are transferring Linux ELF binaries onto compromised Windows systems using tools like WinSCP and executing them through the WSL environment. By using WSL, the attackers can execute Linux payloads natively within Windows without needing traditional virtualization or dual-boot configurations.
This approach gives Qilin an operational advantage: Linux binaries running inside Windows are often overlooked by traditional antivirus and endpoint detection systems that are trained primarily to monitor Windows PE files. This tactic not only helps the group evade detection but also broadens the ransomware’s reach across hybrid infrastructures that rely on both Windows and Linux.
Advanced Tradecraft and Attack Techniques
Qilin’s evolving toolkit combines several advanced tactics to bypass detection and maximize damage:
- Abusing legitimate remote management tools such as AnyDesk, ScreenConnect, and Splashtop Remote to maintain access, perform reconnaissance, and move laterally within networks while blending into normal administrative activity.
- Employing Bring Your Own Vulnerable Driver (BYOVD) attacks, where outdated but signed drivers like eskle.sys are installed to disable antivirus and endpoint protection services, gaining kernel-level control.
- Targeting backup infrastructures, including tools such as Veeam Backup & Replication, to steal administrative credentials, delete shadow copies, and prevent system recovery after encryption.
Qilin’s operators have also been observed using data-exfiltration scripts to upload sensitive information to remote servers before encryption begins, amplifying extortion pressure through double-extortion tactics.
Scale and Impact Across Global Sectors
In 2025, Qilin has been linked to more than 700 ransomware incidents across 62 countries, with notable increases in attacks during the second half of the year. The group primarily targets manufacturing, healthcare, financial services, and professional sectors. Victims have been identified in the United States, Canada, the United Kingdom, France, and Germany.
The group’s reengineered payloads are developed in Rust and Go, allowing for cross-compilation across Windows and Linux systems. This architectural flexibility has made Qilin one of the more sophisticated ransomware-as-a-service operations currently active, capable of adapting its attacks to diverse enterprise networks.
Defensive Recommendations for Enterprises
To defend against this new wave of hybrid ransomware attacks, organizations should adopt the following measures:
- Disable or restrict WSL on enterprise endpoints that do not require it for business operations.
- Implement strict application allow-listing for WSL distributions and Linux binaries executed on Windows systems.
- Closely monitor remote management tools for unauthorized installations or anomalous use.
- Audit kernel-level drivers regularly to detect vulnerable or unsigned modules that may be abused for BYOVD attacks.
- Harden backup environments, enforce least-privilege access, rotate credentials, enable immutable backups, and require multifactor authentication for all backup operations.
- Deploy cross-platform endpoint detection and response (EDR) tools capable of analyzing both Windows and Linux system behaviors.
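The following triage routine, an added example that is not part of the original article, shows how several of the recommendations above could be checked against endpoint telemetry: WSL launcher use on hosts not approved for WSL, non-allowlisted WSL distributions, remote management tools outside the sanctioned set, and loading of the driver named above. The event schema, host names, allowlists and sample records are constructed for this example and do not correspond to any particular EDR product.

```python
"""Triage constructed endpoint telemetry for the hybrid WSL tradecraft described
above. Field names (host, type, image, distro, signed) are a constructed schema,
not a real EDR product's; allowlists below are example values, not recommendations."""

WSL_HOSTS = {"dev-ws-01"}                 # hosts approved to run WSL (assumption)
WSL_DISTROS = {"Ubuntu-22.04"}            # approved WSL distributions (assumption)
RMM_SANCTIONED = {"screenconnect"}        # RMM product IT actually uses (assumption)
RMM_KEYWORDS = ("anydesk", "screenconnect", "splashtop")   # tools named in the article
WSL_LAUNCHERS = {"wsl.exe", "bash.exe", "wslhost.exe"}     # common WSL entry points
ABUSED_DRIVERS = {"eskle.sys"}            # driver named in the article; extend from vendor lists


def triage(events):
    """Return a list of (host, severity, reason) findings for the given events."""
    findings = []
    for e in events:
        host, kind = e["host"], e["type"]
        image = e.get("image", "").lower().rsplit("\\", 1)[-1]   # basename only
        if kind == "process" and image in WSL_LAUNCHERS:
            if host not in WSL_HOSTS:
                findings.append((host, "high", f"WSL launcher {image} on non-WSL host"))
            distro = e.get("distro")
            if distro and distro not in WSL_DISTROS:
                findings.append((host, "high", f"unapproved WSL distribution {distro}"))
        elif kind == "process" and any(k in image for k in RMM_KEYWORDS):
            product = next(k for k in RMM_KEYWORDS if k in image)
            if product not in RMM_SANCTIONED:
                findings.append((host, "medium", f"unsanctioned RMM tool {image}"))
        elif kind == "driver_load":
            # BYOVD: a known-abused driver is suspicious even when it carries a valid signature
            if image in ABUSED_DRIVERS or not e.get("signed", True):
                findings.append((host, "critical", f"suspicious driver load {image}"))
    return findings


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"host": "dev-ws-01", "type": "process", "image": r"C:\Windows\System32\wsl.exe", "distro": "Ubuntu-22.04"},
    {"host": "fin-srv-07", "type": "process", "image": r"C:\Windows\System32\wsl.exe", "distro": "Debian"},
    {"host": "fin-srv-07", "type": "process", "image": r"C:\Users\svc\Downloads\AnyDesk.exe"},
    {"host": "hr-ws-12", "type": "process", "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "fin-srv-07", "type": "driver_load", "image": r"C:\Windows\Temp\eskle.sys", "signed": True},
]

if __name__ == "__main__":
    for host, sev, reason in triage(SAMPLE_EVENTS):
        print(f"[{sev.upper():8}] {host}: {reason}")
```

Run against the sample events, the approved developer workstation and the sanctioned ScreenConnect install produce no findings, while the server that runs an unapproved distribution, an unsanctioned RMM tool and the named driver is flagged three ways.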
Evolving Ransomware Landscape
The exploitation of WSL to deploy Linux encryptors on Windows marks a strategic milestone in ransomware development. Threat actors are no longer limited by operating-system silos; they are now executing platform-agnostic payloads that take advantage of integrated enterprise ecosystems.
Security analysts warn that such hybrid attacks will likely become more common as ransomware groups seek stealthier methods to persist within networks. The Qilin campaign underscores a clear trend in 2025 — ransomware operations are evolving beyond single-platform attacks toward fully integrated, cross-environment intrusion chains.