Ethical Hacking News

The Qilin Ransomware Threat: A Hybrid Attack That Combines Linux Payload with BYOVD Exploit

  • Qilin ransomware group has claimed over 40 victims every month since its initial appearance in 2022.
  • The attackers leverage leaked admin credentials and VPN interfaces to gain initial access.
  • They use tools like Mimikatz, WebBrowserPassView.exe, and BypassCredGuard.exe to facilitate credential harvesting.
  • The ransomware group uses mspaint.exe, notepad.exe, and iexplore.exe to inspect files for sensitive information.
  • The attackers abuse elevated access to install RMM tools like AnyDesk and Chrome Remote Desktop.
  • The attack chain involves disabling AMSI, turning off TLS certificate validation, and enabling Restricted Admin.
  • The Qilin ransomware combines its Linux variant with the BYOVD technique and legitimate IT tools to bypass security barriers.
  • The attackers target Veeam backup infrastructure to harvest credentials and deploy the ransomware payload.
  • The group uses spear-phishing, ClickFix-style fake CAPTCHA pages, and SOCKS proxy DLLs to deliver malicious payloads.
  • They employ BYOVD attacks using the "eskle.sys" driver to disable security solutions and evade detection.
  • The Qilin ransomware binary provides cross-platform capability for both Windows and Linux systems.



    The cybersecurity world has been shaken by the emergence of a new and highly sophisticated ransomware group known as Qilin, also referred to as Agenda, Gold Feather, or Water Galura. This threat actor has been wreaking havoc on organizations worldwide since its initial appearance in 2022, with the most recent data indicating that it claims more than 40 victims every month. The sheer scale and sophistication of this ransomware group have left experts scrambling to understand its tactics, techniques, and procedures (TTPs).

    According to a report by Cisco Talos, Qilin has been particularly effective in leveraging administrative credentials leaked on the dark web for initial access through a VPN interface. Initial access is followed by RDP connections to the domain controller and the breached endpoint. The attackers then conduct system reconnaissance and network discovery to map the infrastructure, execute tools like Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to harvest credentials from various applications, and exfiltrate data to an external SMTP server using a Visual Basic Script.

    The Qilin ransomware group has been observed using mspaint.exe, notepad.exe, and iexplore.exe to inspect files for sensitive information. A legitimate tool called Cyberduck is also used to transfer files of interest to a remote server while obscuring the malicious activity. The stolen credentials enable privilege escalation and lateral movement, and the attackers abuse the elevated access to install multiple Remote Monitoring and Management (RMM) tools, including AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect.

    The attack chain involves the execution of PowerShell commands to disable AMSI, turn off TLS certificate validation, and enable Restricted Admin. Additionally, the attackers deploy Cobalt Strike and SystemBC on the host for persistent remote access. The infection culminates with the launch of the Qilin ransomware, which encrypts files and drops a ransom note in each encrypted folder, but not before wiping event logs and deleting all shadow copies maintained by the Windows Volume Shadow Copy Service (VSS).

    More recently, it has been discovered that the Qilin attack combines the group's Linux ransomware variant with the bring your own vulnerable driver (BYOVD) technique and legitimate IT tools to bypass security barriers. The attackers specifically targeted Veeam backup infrastructure using specialized credential extraction tools, systematically harvesting credentials from multiple backup databases to compromise the organization's disaster recovery capabilities before deploying the ransomware payload.

    The attackers employ spear-phishing and ClickFix-style fake CAPTCHA pages hosted on Cloudflare R2 infrastructure to trigger the execution of malicious payloads. Some of the crucial steps taken by the attackers include deploying a SOCKS proxy DLL to facilitate remote access and command execution, abusing ScreenConnect's remote management capabilities to execute discovery commands, and running network scanning tools to identify potential lateral movement targets.

    Furthermore, the attackers target the Veeam backup infrastructure to harvest credentials and use the "eskle.sys" driver as part of a BYOVD attack to disable security solutions, terminate processes, and evade detection. They also deploy PuTTY SSH clients to facilitate lateral movement to Linux systems and use SOCKS proxy instances across various system directories to obfuscate command-and-control (C2) traffic by means of the COROXY backdoor.
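    The two passages above describe a staging phase that leaves a recognisable footprint in process-creation telemetry: Restricted Admin being enabled, TLS certificate validation switched off, AMSI tampered with, shadow copies deleted, event logs cleared, and the "eskle.sys" driver registered as a kernel service. The following is an added example, not code from the article, from Cisco Talos, or from any vendor product, showing how a defender could triage such telemetry and correlate the hits per host. The log layout, hostnames, user names, and every sample line are constructed for this example; the driver name is the one the article reports.

```python
"""
Added example (not from the article or Cisco Talos): a small detection
pass over process-creation log lines that flags the Qilin staging steps
the article lists (AMSI tampering, TLS validation disabled, Restricted
Admin enabled, shadow copy deletion, event log wiping) and the BYOVD
step of registering eskle.sys as a kernel driver service. The log
format and all sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Assumed log layout: <ts> host=<h> user=<u> image=<path> cmdline="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmd>.*)"$'
)

# Driver names treated as vulnerable. The article names eskle.sys; in
# production this set would be fed from a maintained driver blocklist.
VULN_DRIVER_NAMES = {"eskle.sys"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    evidence: str


def _rx(pattern: str):
    """Build a command-line matcher from a case-insensitive regex."""
    rx = re.compile(pattern, re.I)
    return lambda cmd: rx.search(cmd) is not None


def _byovd_service(cmd: str) -> bool:
    """sc create of a kernel-type service whose binary is a known vulnerable driver."""
    if not re.search(r"\bsc(\.exe)?\s+create\b", cmd, re.I):
        return False
    if not re.search(r"type=\s*kernel\b", cmd, re.I):
        return False
    m = re.search(r'binpath=\s*"?([^\s"]+)', cmd, re.I)
    return bool(m) and m.group(1).rsplit("\\", 1)[-1].lower() in VULN_DRIVER_NAMES


# Rule name -> matcher over the command line. These are coarse triage
# indicators, not exhaustive signatures.
RULES = [
    ("amsi_tamper", _rx(r"amsiutils|amsiinitfailed|amsiscanbuffer")),
    ("tls_validation_disabled", _rx(r"ServerCertificateValidationCallback")),
    ("restricted_admin_enabled", _rx(r"DisableRestrictedAdmin\b.*\b0\b")),
    ("shadow_copy_deletion", _rx(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|Win32_ShadowCopy")),
    ("event_log_cleared", _rx(r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog")),
    ("byovd_driver_service", _byovd_service),
]


def parse_line(line: str):
    """Return the fields of one log line, or None when it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Run every rule over every parsable line; one Finding per (line, rule) hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, matcher in RULES:
            if matcher(rec["cmd"]):
                findings.append(Finding(name, rec["host"], rec["cmd"]))
    return findings


def hosts_with_chain(findings, min_rules: int = 3):
    """Hosts on which at least min_rules distinct rules fired. The combination
    (defences off, recovery destroyed, driver loaded) is far stronger evidence
    of ransomware staging than any single hit, which may be routine admin work."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


# Constructed sample log: one benign line on WS07, then staging steps on WS01.
SAMPLE_LOG = [
    r'2025-10-27T10:40:01Z host=WS07 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\jdoe\notes.txt"',
    r'2025-10-27T10:41:10Z host=WS01 user=CORP\svc_backup image=C:\Windows\System32\reg.exe cmdline="reg.exe add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"',
    r'2025-10-27T10:41:32Z host=WS01 user=CORP\svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -c [Net.ServicePointManager]::ServerCertificateValidationCallback={$true}"',
    r'2025-10-27T10:42:05Z host=WS01 user=CORP\svc_backup image=C:\Windows\System32\sc.exe cmdline="sc.exe create eskle type= kernel binPath= C:\Windows\Temp\eskle.sys"',
    r'2025-10-27T10:42:40Z host=WS01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2025-10-27T10:42:55Z host=WS01 user=CORP\svc_backup image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil.exe cl Security"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host}: {f.evidence}")
    print("hosts showing a staging chain:", hosts_with_chain(scan(SAMPLE_LOG)))
```

    The per-host correlation in hosts_with_chain is the part worth keeping: any one of these commands can be legitimate administration, but several of them within minutes on the same host, under a backup service account, matches the sequence the article describes and is the moment to isolate the machine and check the Veeam servers that account can reach.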

    The Qilin ransomware binary provides cross-platform capability, allowing attackers to impact both Windows and Linux systems within the environment using a single payload. Updated samples incorporated Nutanix AHV detection, expanding targeting to include hyperconverged infrastructure platforms. This demonstrated the threat actors' adaptation to modern enterprise virtualization environments beyond traditional VMware deployments.

    The emergence of the Qilin ransomware group serves as a stark reminder of the evolving nature of cybersecurity threats and their ability to adapt and innovate in response to new technologies and security measures. As organizations continue to navigate the complex landscape of cyber threats, it is essential that they prioritize threat intelligence, incident response planning, and security awareness training to effectively mitigate these types of attacks.

    In light of this new information, organizations are advised to take immediate action to review their cybersecurity posture, assess vulnerabilities, and implement robust security measures to prevent similar incidents. Cybersecurity experts also recommend staying vigilant and monitoring for potential Qilin ransomware attacks, as well as keeping their systems up-to-date with the latest patches and software updates.

    In conclusion, the discovery of the Qilin ransomware group serves as a critical reminder of the ever-evolving nature of cybersecurity threats. As this threat continues to evolve and adapt, it is essential that organizations prioritize their security posture and take proactive measures to prevent similar incidents from occurring in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Qilin-Ransomware-Threat-A-Hybrid-Attack-That-Combines-Linux-Payload-with-BYOVD-Exploit-ehn.shtml

  • https://thehackernews.com/2025/10/qilin-ransomware-combines-linux-payload.html

  • https://securityaffairs.com/183891/malware/linux-variant-of-qilin-ransomware-targets-windows-via-remote-management-tools-and-byovd.html


    Published: Mon Oct 27 10:42:17 2025 by llama3.2 3B Q4_K_M