Qilin ransomware goes hybrid: Linux payload, BYOVD exploit, and corporate RMM tools

27.10.2025 2 minutes Author: Newsman

The Qilin hacking group (also known as Agenda, Gold Feather, Water Galura) has become one of the most active ransomware operations of 2025. Its new hybrid attack chain combines a Linux payload with the BYOVD (Bring Your Own Vulnerable Driver) technique, which lets it bypass antivirus and destroy backups. According to Cisco Talos, Qilin has been hitting more than 40 companies every month since the beginning of 2025, and in June the number of published leaks reached 100. The main targets were enterprises in the US, Canada, the UK, France and Germany, in particular in the manufacturing (23%) and scientific (18%) sectors.

The attackers gain initial access through compromised VPN accounts, then use RDP connections to reach the domain controller. This is followed by network reconnaissance and credential harvesting with Mimikatz, WebBrowserPassView and VBScript that exfiltrates the collected data to an external SMTP server.

To evade security tooling, the intruders hide behind legitimate processes such as mspaint.exe, notepad.exe and iexplore.exe, and use Cyberduck to transfer files to remote servers. With the stolen credentials they elevate privileges and install AnyDesk, Chrome Remote Desktop, ScreenConnect and other RMM programs to keep their remote access.

  • To remain undetected, Qilin disables AMSI, bypasses TLS checks, and destroys Windows event logs and shadow copies. The final phase encrypts files and drops a ransom note into every directory.

The Qilin group has been operating as ransomware-as-a-service (RaaS) since 2022. The latest samples of its malware show cross-platform functionality, allowing a single payload to infect both Windows and Linux systems.

  • According to Trend Micro, in the new campaign Qilin uses legitimate administration tools such as Atera and Splashtop to deploy the ransomware. Particularly dangerous is the targeted destruction of Veeam backup infrastructure, which paralyzes data recovery after an attack. Trend Micro also observed the COROXY backdoor used to mask traffic, WinSCP for file transfer, and a BYOVD attack using the eskle.sys driver to disable security drivers. The latest Qilin samples even detect Nutanix AHV, marking a shift toward attacks on enterprise virtualization environments.
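The evasion and impact steps above (shadow-copy and event-log destruction, AMSI tampering, RMM tool installation, Veeam service tampering and the eskle.sys driver load) are all visible in ordinary endpoint telemetry. The following detector is an added example written for this page, not code from the article, Cisco Talos or Trend Micro: it parses constructed Sysmon-style process-creation (EID 1) and driver-load (EID 6) records, matches each against a small rule table, and flags a host once the weighted sum of distinct techniques crosses a threshold. The record layout, rule regexes, weights, hostnames and sample command lines are all assumptions; only the behaviours come from the article.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (assumed key=value layout, not a real product format).
# FS01 shows the full evasion chain, BK01 the backup server with Veeam tampering
# plus the eskle.sys driver load, WS07 and the last BK01 line are benign controls.
SAMPLE_EVENTS = [
    "EID=1 host=FS01 user=CORP\\jsmith parent=cmd.exe image=vssadmin.exe cmdline=\"vssadmin.exe delete shadows /all /quiet\"",
    "EID=1 host=FS01 user=CORP\\jsmith parent=cmd.exe image=wevtutil.exe cmdline=\"wevtutil.exe cl Security\"",
    "EID=1 host=FS01 user=CORP\\jsmith parent=cmd.exe image=powershell.exe cmdline=\"powershell.exe -nop -c [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\"",
    "EID=1 host=FS01 user=CORP\\jsmith parent=explorer.exe image=AnyDesk.exe cmdline=\"AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent\"",
    "EID=1 host=BK01 user=CORP\\svc_backup parent=cmd.exe image=sc.exe cmdline=\"sc.exe stop VeeamBackupSvc\"",
    "EID=6 host=BK01 imageloaded=C:\\Windows\\Temp\\eskle.sys signed=false",
    "EID=1 host=WS07 user=CORP\\agreen parent=explorer.exe image=notepad.exe cmdline=\"notepad.exe C:\\Users\\agreen\\notes.txt\"",
    "EID=1 host=BK01 user=CORP\\svc_backup parent=cmd.exe image=vssadmin.exe cmdline=\"vssadmin.exe list shadows\"",
]

# Rule table: (technique label, event id the rule applies to, regex over image/cmdline/imageloaded).
# Patterns are assumptions distilled from the article's description, not vendor signatures.
RULES = [
    ("shadow_copy_deletion", 1, re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy", re.I)),
    ("event_log_clearing", 1, re.compile(r"wevtutil(\.exe)?\s+cl\s|Clear-EventLog", re.I)),
    ("amsi_tampering", 1, re.compile(r"amsiInitFailed|AmsiScanBuffer|System\.Management\.Automation\.AmsiUtils", re.I)),
    ("tls_check_bypass", 1, re.compile(r"ServerCertificateValidationCallback|SkipCertificateCheck", re.I)),
    ("rmm_tool_install", 1, re.compile(r"anydesk|screenconnect|connectwise|chrome.?remote.?desktop|remoting_host|splashtop|atera", re.I)),
    ("veeam_tampering", 1, re.compile(r"\b(sc|net|taskkill)(\.exe)?\s.*veeam|Stop-Service.*veeam", re.I)),
    ("vulnerable_driver_load", 6, re.compile(r"eskle\.sys", re.I)),
]

# Techniques that should trip an alert almost on their own: one BYOVD driver load on a
# backup server is worth more than a lone LOLBin invocation. Weights are an assumption.
WEIGHTS = {"vulnerable_driver_load": 2, "veeam_tampering": 2, "shadow_copy_deletion": 2}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    fields = {}
    for key, quoted, bare in KV.findall(line):
        fields[key.lower()] = quoted if quoted else bare
    fields["eid"] = int(fields.get("eid", 0))
    return fields


def match_rules(event):
    """Return the technique labels whose rule fires on this event."""
    text = " ".join(filter(None, [event.get("image", ""), event.get("cmdline", ""), event.get("imageloaded", "")]))
    return [name for name, eid, rx in RULES if event["eid"] == eid and rx.search(text)]


def analyze(lines):
    """Run every rule over every record and collect per-event findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for technique in match_rules(ev):
            findings.append({"host": ev.get("host"), "user": ev.get("user"), "technique": technique, "line": line})
    return findings


def score_hosts(findings, threshold=3):
    """Aggregate distinct techniques per host and flag hosts whose weighted score reaches the threshold."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["technique"])
    flagged = {}
    for host, techniques in per_host.items():
        score = sum(WEIGHTS.get(t, 1) for t in techniques)
        if score >= threshold:
            flagged[host] = {"score": score, "techniques": sorted(techniques)}
    return flagged


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['technique']:24} {f['line'][:80]}")
    for host, info in score_hosts(found).items():
        print(f"ALERT {host}: score={info['score']} techniques={info['techniques']}")
```

Scoring on distinct techniques rather than raw event count keeps a single noisy script from inflating the alert, and the weights make the backup server fire on Veeam tampering plus the driver load alone, which is exactly the stage at which recovery is still possible if someone reacts. The benign `vssadmin list shadows` line shows why the rule keys on the `delete` verb rather than on the binary name.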

Qilin's attacks confirm that modern ransomware operations have turned into full-fledged intrusion campaigns built on corporate tooling: they destroy backups, bypass antivirus and paralyze even complex environments. Defence therefore rests not only on patching and network segmentation, but also on tight control over RMM services, multi-factor authentication and monitoring of administrator actions.
