The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June.
The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for 84 victims each in the months of August and September 2025. Qilin is known to be active since around July 2022.
According to data compiled by Cisco Talos, the U.S., Canada, the U.K., France, and Germany are some of the countries most impacted by Qilin. The attacks have primarily singled out manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors.
Attacks mounted by Qilin affiliates have likely leveraged leaked administrative credentials on the dark web for initial access using a VPN interface, followed by performing RDP connections to the domain controller and the successfully breached endpoint.
In the next phase, the attackers conducted system reconnaissance and network discovery actions to map the infrastructure, and executed tools like Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to facilitate credential harvesting from various applications and exfiltrate the data to an external SMTP server using a Visual Basic Script.
"Commands executed via Mimikatz targeted a range of sensitive data and system functions, including clearing Windows event logs, enabling SeDebugPrivilege, extracting saved passwords from Chrome's SQLite database, recovering credentials from previous logons, and harvesting credentials and configuration data related to RDP, SSH, and Citrix," Talos said.
Further analysis has uncovered the threat actor's use of mspaint.exe, notepad.exe, and iexplore.exe to inspect files for sensitive information, as well as a legitimate tool called Cyberduck to transfer files of interest to a remote server, while obscuring the malicious activity.
The stolen credentials have been found to enable privilege escalation and lateral movement, abusing the elevated access to install multiple Remote Monitoring and Management (RMM) tools like AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect. Talos said it could not definitively conclude if the programs were used for lateral movement.
To sidestep detection, the attack chain involves the execution of PowerShell commands to disable AMSI, turn off TLS certificate validation, and enable Restricted Admin, in addition to running tools such as dark-kill and HRSword to terminate security software. Also deployed on the host are Cobalt Strike and SystemBC for persistent remote access.
The infection culminates with the launch of the Qilin ransomware, which encrypts files and drops a ransom note in each encrypted folder, but not before wiping event logs and deleting all shadow copies maintained by the Windows Volume Shadow Copy Service (VSS).
The findings coincide with the discovery of a sophisticated Qilin attack that deployed their Linux ransomware variant on Windows systems and combined it with the bring your own vulnerable driver (BYOVD) technique and legitimate IT tools to bypass security barriers.
"The attackers abused legitimate tools, specifically installing AnyDesk through Atera Networks' remote monitoring and management (RMM) platform and ScreenConnect for command execution. It abuses Splashtop for the final ransomware execution," Trend Micro said.
"They specifically targeted Veeam backup infrastructure using specialized credential extraction tools, systematically harvesting credentials from multiple backup databases to compromise the organization's disaster recovery capabilities before deploying the ransomware payload."
Besides using valid accounts to breach target networks, select attacks have employed spear-phishing and ClickFix-style fake CAPTCHA pages hosted on Cloudflare R2 infrastructure to trigger the execution of malicious payloads. It's assessed that these pages deliver the information stealers necessary to harvest credentials that are then used to obtain initial access.
Some of the crucial steps taken by the attackers are as follows -
- Deploying a SOCKS proxy DLL to facilitate remote access and command execution
- Abusing ScreenConnect's remote management capabilities to execute discovery commands and running network scanning tools to identify potential lateral movement targets
- Targeting the Veeam backup infrastructure to harvest credentials
- Using the "eskle.sys" driver as part of a BYOVD attack to disable security solutions, terminate processes, and evade detection
- Deploying PuTTY SSH clients to facilitate lateral movement to Linux systems
- Using SOCKS proxy instances across various system directories to obfuscate command-and-control (C2) traffic by means of the COROXY backdoor
- Using WinSCP for secure file transfer of the Linux ransomware binary to the Windows system
- Using Splashtop Remote's management service (SRManager.exe) to execute the Linux ransomware binary directly on Windows systems
"The Linux ransomware binary provided cross-platform capability, allowing the attackers to impact both Windows and Linux systems within the environment using a single payload," Trend Micro researchers noted.
"Updated samples incorporated Nutanix AHV detection, expanding targeting to include hyperconverged infrastructure platforms. This demonstrated the threat actors' adaptation to modern enterprise virtualization environments beyond traditional VMware deployments."
