Ethical Hacking News

The Qilin Ransomware Group: A Threat That Evades Traditional Endpoint Defenses




The Qilin ransomware group (tracked by Trend Micro as Agenda) has been making headlines in recent weeks because of a recent intrusion in which it evaded detection by leaning on legitimate remote management tools and a BYOVD (Bring Your Own Vulnerable Driver) attack. The attackers used anti-analysis techniques to disable defenses and move across the network quietly, deploying two executables that load a signed driver to help them stay hidden. It is one more example of how ransomware operators are evolving to bypass, rather than confront, traditional endpoint defenses.

  • The Qilin ransomware group is using legitimate remote management tools and BYOVD (Bring Your Own Vulnerable Driver) attacks to evade traditional endpoint defenses.
  • The attackers leverage Linux binaries on Windows systems, bypassing Windows defenses and EDRs (Endpoint Detection and Response).
  • They target Veeam backup infrastructure, executing Base64-encoded PowerShell scripts to extract and decrypt stored credentials from SQL databases.
  • The attackers use advanced anti-analysis techniques to disable defenses and move across the network quietly.
  • They create a network of distributed C2 by planting multiple COROXY SOCKS proxy instances across trusted application folders.
  • The attackers moved a Linux ransomware binary to Windows using WinSCP and then executed it via Splashtop Remote's SRManager to bypass Windows-focused protections.



    Ransomware crews that sidestep traditional endpoint defenses rather than fight them are among the hardest threats for defenders to handle, and Qilin's recent intrusion, in which legitimate remote management tools and a BYOVD (Bring Your Own Vulnerable Driver) attack did most of the work, is a clear example.

    According to a report published by Trend Micro, the Qilin ransomware group ran Linux binaries on Windows systems through legitimate remote tools, bypassing Windows-focused defenses and EDR (endpoint detection and response) products. This cross-platform method enabled a stealthy attack that stole backup credentials and disabled endpoint protections through BYOVD exploits. The attackers conducted extensive reconnaissance through ScreenConnect, running discovery commands such as nltest /domain_trusts and net group "domain admins" /domain, and deployed the NetScan utility from user folders to map the network. They installed legitimate remote management tools, AnyDesk (delivered via ATERA) and ScreenConnect, to maintain persistent access disguised as normal administrative activity.

    For credential theft, the attackers targeted the Veeam backup infrastructure, executing Base64-encoded PowerShell scripts to extract and decrypt the credentials stored in Veeam's SQL database. These scripts retrieved usernames and passwords from key Veeam tables (e.g., Credentials, BackupRepositories, WinServers), exposing domain admin, service, and local administrator accounts. This gave the attackers privileged credentials for domain controllers, Exchange servers, SQL databases, and other critical systems.
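Both of the behaviours above leave process-creation telemetry that a defender can hunt on: discovery commands whose parent is a remote-management agent, and PowerShell launched with an encoded command that reads Veeam's credential tables. The following is an added example in Python, not code from the Trend Micro report or from the Qilin toolset. It decodes the Base64/UTF-16LE payload behind -EncodedCommand and runs both checks over constructed Sysmon-style records; the RMM executable names, the VeeamBackup database name, and the stand-in query script are assumptions, and the events are constructed for the example.

```python
"""Hunting for RMM-launched discovery and Veeam credential dumping in
process-creation telemetry. Added example with constructed events; nothing
here is taken from the Trend Micro report or the attacker tooling."""
import base64
import re

# Remote-management agents the page names as the launch point for discovery.
# Executable names are assumptions about how these products are installed.
RMM_PARENTS = {
    "screenconnect.clientservice.exe",  # ConnectWise ScreenConnect
    "screenconnect.windowsclient.exe",
    "ateraagent.exe",                   # ATERA
    "anydesk.exe",                      # AnyDesk
    "srmanager.exe",                    # Splashtop Remote
}

# Discovery commands quoted on the page plus NetScan run from a user profile.
DISCOVERY_PATTERNS = [
    re.compile(r"\bnltest(\.exe)?\s+/domain_trusts", re.I),
    re.compile(r"\bnet1?(\.exe)?\s+group\s+\"?domain admins\"?\s+/domain", re.I),
    re.compile(r"\\users\\[^\\]+\\.*netscan", re.I),
]

# Veeam tables quoted on the page; VeeamBackup is Veeam's default database
# name (assumption that the attacker script references it by name).
VEEAM_KEYWORDS = ("Credentials", "BackupRepositories", "WinServers", "VeeamBackup")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, parent_image, detail) tuples for every suspicious record."""
    hits = []
    for ev in events:
        parent = image_name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # Discovery is only interesting when an RMM agent, not an admin's shell, spawned it.
        if parent in RMM_PARENTS and any(p.search(cmd) for p in DISCOVERY_PATTERNS):
            hits.append(("rmm_discovery", parent, cmd))
        script = decode_encoded_command(cmd)
        if script:
            found = [k for k in VEEAM_KEYWORDS if k.lower() in script.lower()]
            # Require an actual SQL read so a script merely mentioning "Credentials" is ignored.
            if found and re.search(r"\bselect\b", script, re.I):
                hits.append(("veeam_credential_access", parent, ", ".join(found)))
    return hits


# Constructed stand-in for the attacker's Veeam query; Veeam's real schema is not reproduced.
VEEAM_SCRIPT = (
    "$c = New-Object System.Data.SqlClient.SqlConnection("
    "'Server=.\\VEEAMSQL2016;Database=VeeamBackup;Integrated Security=True'); $c.Open(); "
    "foreach ($t in 'Credentials','BackupRepositories','WinServers') { "
    "(New-Object System.Data.SqlClient.SqlCommand(\"SELECT * FROM [$t]\", $c)).ExecuteReader() }"
)
ENCODED = base64.b64encode(VEEAM_SCRIPT.encode("utf-16le")).decode("ascii")

SC = r"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [  # constructed Sysmon EID 1 style records
    {"ParentImage": SC, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c nltest /domain_trusts"},
    {"ParentImage": SC, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "domain admins" /domain'},
    {"ParentImage": SC, "Image": r"C:\Users\jdoe\netscan.exe",
     "CommandLine": r'"C:\Users\jdoe\netscan.exe" /range:10.0.0.0/24'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c nltest /domain_trusts"},  # admin at the console: no hit
    {"ParentImage": SC, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},  # benign
]

if __name__ == "__main__":
    for rule, parent, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:25} {parent:35} {detail[:70]}")
```

The parent-process condition is what keeps the discovery rule quiet: the same nltest command typed by an administrator at the console does not fire. For the Veeam rule, decoding the payload is the step that matters, since a command-line match on the Base64 blob alone tells you nothing about what was queried.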

    The attackers used anti-analysis techniques to disable defenses and move across the network quietly. They deployed two executables (2stX.exe and Or2.exe) that load a signed driver, eskle.sys, which performs VM and debugger checks, kills security processes, and helps the threat actors evade detection; the driver's signature points to a Chinese game-related vendor, suggesting a repurposed cheat driver. A separate malicious DLL, msimg32.dll, acted as a dropper: it is sideloaded by a legitimate application such as FoxitPDFReader.exe and drops the kernel drivers rwdrv.sys and hlpdrv.sys into the Temp folder. Both drivers have been associated with kernel-level access and EDR termination in other campaigns. Because these drivers carry valid signatures, Driver Signature Enforcement alone does not stop them; blocking known-abused drivers relies on Microsoft's vulnerable driver blocklist or a WDAC policy, backed by HVCI, and none of those help against a signed driver that is not yet on the list.

    For lateral movement, the attackers staged multiple renamed PuTTY binaries (test.exe, 1.exe, 2.exe, 3.exe) to SSH into Linux hosts, showing a cross-platform operation that combined stealthy defense evasion with broad network reach. The attackers created a network of distributed C2 by planting multiple COROXY SOCKS proxy instances across trusted application folders (Veeam, VMware, Adobe, USOShared), hiding malicious tunnels inside normal app traffic and ensuring redundant communications even if individual proxies were removed.
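The drivers, the sideloaded DLL and the renamed PuTTY binaries described in the two paragraphs above share one tell: the file is not where, or what, its name and location imply. The following added example in Python (not code from the report or from the Qilin toolset) runs four such provenance checks over constructed Sysmon-style DriverLoad (EID 6), ImageLoad (EID 7) and ProcessCreate (EID 1) records: a kernel driver loaded from a user-writable path or with an unexpected signer, a system DLL name loaded from outside the system directories, an executable whose version-info OriginalFileName does not match its on-disk name, and a binary inside a trusted vendor folder whose version info does not claim that vendor. The signer allowlist, vendor strings, signer names and all event records are assumptions constructed for the example.

```python
"""Provenance checks for BYOVD drivers, sideloaded DLLs and renamed tools,
run over Sysmon-style DriverLoad (EID 6), ImageLoad (EID 7) and ProcessCreate
(EID 1) records. Added example; all events and vendor strings are constructed."""
import os

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\programdata\\")
# Signers from which kernel drivers are expected on this fleet (assumption; extend per site).
EXPECTED_DRIVER_SIGNERS = {"microsoft windows", "microsoft windows hardware compatibility publisher"}
# System DLL names that a planted copy next to a signed host binary would hijack.
SIDELOAD_NAMES = {"msimg32.dll"}
# Folders the page lists as COROXY hiding places, with the vendor expected to own binaries there.
TRUSTED_FOLDERS = {"\\veeam\\": "veeam", "\\vmware\\": "vmware",
                   "\\adobe\\": "adobe", "\\usoshared\\": "microsoft"}


def norm(path):
    return path.replace("/", "\\").lower()


def stem(name):
    """File name without directory or extension, lower-cased, for either slash style."""
    return os.path.splitext(os.path.basename(name.replace("\\", "/")).lower())[0]


def check_driver(ev):
    hits = []
    path = norm(ev["ImageLoaded"])
    if any(seg in path for seg in USER_WRITABLE):
        hits.append("driver_from_user_writable")   # drivers belong under System32\drivers
    if ev.get("Signature", "").lower() not in EXPECTED_DRIVER_SIGNERS:
        hits.append("driver_unexpected_signer")    # validly signed but unexpected: BYOVD candidate
    return hits


def check_image_load(ev):
    loaded = norm(ev["ImageLoaded"])
    if os.path.basename(loaded.replace("\\", "/")) in SIDELOAD_NAMES and not loaded.startswith(SYSTEM_DIRS):
        return ["dll_sideload"]
    return []


def check_process(ev):
    hits = []
    image = norm(ev["Image"])
    original = ev.get("OriginalFileName", "")
    # Version-info OriginalFileName survives a rename; the mismatch is what exposes 1.exe as PuTTY.
    if original and stem(original) != stem(image):
        hits.append("renamed_tool")
    company = ev.get("Company", "").lower()
    # Version info is attacker-controllable, so this is a triage filter, not proof of legitimacy.
    for folder, vendor in TRUSTED_FOLDERS.items():
        if folder in image and vendor not in company:
            hits.append("trusted_folder_foreign_binary")
            break
    return hits


CHECKS = {6: check_driver, 7: check_image_load, 1: check_process}


def triage(events):
    """Return (event_id, path, rule) for every check that fires."""
    return [(ev["EventID"], ev.get("ImageLoaded", ev.get("Image")), rule)
            for ev in events for rule in CHECKS[ev["EventID"]](ev)]


SAMPLE_EVENTS = [  # constructed; file names from the page, signer and company strings invented
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\rwdrv.sys",
     "Signature": "Example Game Studio Co., Ltd."},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\Downloads\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\msimg32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Temp\test.exe",
     "OriginalFileName": "PuTTY", "Company": "Simon Tatham"},
    {"EventID": 1, "Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\VeeamUpdate.exe",
     "OriginalFileName": "VeeamUpdate.exe", "Company": ""},
    {"EventID": 1, "Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe",
     "OriginalFileName": "Veeam.Backup.Manager.exe", "Company": "Veeam Software Group GmbH"},
]

if __name__ == "__main__":
    for event_id, path, rule in triage(SAMPLE_EVENTS):
        print(f"EID {event_id}  {rule:30} {path}")
```

Sysmon already populates Signature on EID 6/7 and OriginalFileName and Company on EID 1, so these checks need no extra collection. Treat the vendor-folder and company heuristics as triage only: a hash or path baseline of what legitimately lives in the Veeam, VMware and Adobe directories is the control that actually catches a proxy planted there.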

    They moved a Linux ransomware binary to Windows using WinSCP and then executed it via Splashtop Remote’s SRManager to bypass Windows-focused protections. The ransomware required a password to run and displayed detailed configuration output listing whitelisted processes, blocked file extensions, and excluded paths. Like other ransomware, it avoids targeting core system directories. Updated samples added Nutanix AHV detection and improved error/log handling.

    By combining BYOVD-style evasion, distributed SOCKS proxies and legitimate remote tools, the attackers achieved resilient, low-noise control and cross-platform encryption capability that undermines traditional endpoint defenses and complicates recovery. The report concludes: "This Agenda attack shows how ransomware operators are further weaponizing legitimate IT tools and hybrid environments to quietly bypass conventional security. Defenses must address operational blind spots and strengthen visibility and control over critical assets."

    The Qilin ransomware group is one of the most active RaaS groups in 2025, claiming over 40 victims monthly and peaking at 100 in June. Recently, Resecurity’s researchers detailed how the Qilin RaaS group relies on global bulletproof hosting networks to support its extortion operations.

    In that campaign, attackers gained initial access via fake Google CAPTCHA pages hosted on Cloudflare R2, tricking users into running malicious scripts. The fake CAPTCHA pages contained obfuscated JavaScript that launched a multistage payload system, downloading additional malware from two command-and-control servers:

    45[.]221[.]64[.]245/mot/
    104[.]164[.]55[.]7/231/means.d



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Qilin-Ransomware-Group-A-Threat-That-Evades-Traditional-Endpoint-Defenses-ehn.shtml

  • https://securityaffairs.com/183891/malware/linux-variant-of-qilin-ransomware-targets-windows-via-remote-management-tools-and-byovd.html


  • Published: Mon Oct 27 11:02:12 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.