
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques

Trend™ Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows systems. This cross-platform execution can make detection challenging for enterprises.


By: Jacob Santos, Junestherry Dela Cruz, Sarah Pearl Camiling, Sophia Nilette Robles, Maristel Policarpio, Raymart Yambot

Oct 23, 2025

Key takeaways:

  • Trend™ Research identified the Agenda ransomware group, also known as Qilin, deploying a Linux-based ransomware binary on Windows hosts by abusing legitimate remote management and file transfer tools. The cross-platform execution sidesteps Windows-centric detections and security solutions, including conventional endpoint detection and response platforms.
  • The technique enables low-noise operations that can disable recovery options through the targeted theft of backup credentials and neutralize endpoint defenses via BYOVD attack.
  • Agenda has affected more than 700 victims across 62 countries since January 2025, primarily targeting organizations in developed markets and high-value industries. Most victims were in the United States, France, Canada, and the United Kingdom, with manufacturing, technology, financial services, and healthcare among the hardest hit.
  • Any environment that uses remote access platforms, centralized backup solutions, or hybrid Windows/Linux infrastructures could be at risk. Enterprises are encouraged to limit the use of remote access tools to authorized hosts and continuously monitor for unusual activity.
  • Trend Vision One™ detects and blocks the specific IoCs mentioned in this blog, and offers customers access to hunting queries, threat insights, and intelligence reports related to Agenda ransomware. For more security best practices, see the guidance below.

Trend™ Research identified a sophisticated ransomware attack by the Agenda group that deployed their Linux ransomware variant on Windows systems. This follows a similar attack observed in June 2025, where MeshAgent and MeshCentral were used for deployment. In this recent incident, the threat actors utilized a novel deployment method combining WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines.

The attack chain demonstrated advanced techniques including usage of Bring Your Own Vulnerable Driver (BYOVD) for defense evasion and deployment of multiple SOCKS proxy instances across various system directories to obfuscate command-and-control (C&C) traffic. The attackers abused legitimate tools, specifically installing AnyDesk through ATERA Networks’ remote monitoring and management (RMM) platform and using ScreenConnect for command execution. They abused Splashtop for the final ransomware execution. They specifically targeted Veeam backup infrastructure using specialized credential extraction tools, systematically harvesting credentials from multiple backup databases to compromise the organization’s disaster recovery capabilities before deploying the ransomware payload.

This attack challenges traditional Windows-focused security controls. The deployment of Linux ransomware on Windows systems demonstrates how threat actors are adapting to bypass endpoint detection systems not configured to detect or prevent Linux binaries executing through remote management channels.

The combination of BYOVD techniques, fake CAPTCHA social engineering, and the strategic targeting of backup infrastructure shows an approach of ensuring successful ransomware deployment while eliminating recovery options. The use of legitimate tools and cross-platform execution methods makes detection significantly more challenging. Organizations must urgently reassess their security posture to account for these unconventional attack vectors and implement enhanced monitoring of remote management tools and backup system access.

Impact and victimology

Agenda emerged as one of the top ransomware groups in 2025, demonstrating unprecedented operational tempo and global reach. Analysis of their data leak site since January reveals a ransomware-as-a-service (RaaS) operation that systematically targeted organizations across economically developed nations, with a particular focus on the United States, Western Europe, and Japan. The victimology pattern shows opportunistic targeting across multiple high-value sectors, particularly manufacturing, technology, financial services, and healthcare — industries characterized by operational sensitivity, data criticality, and higher likelihood of ransom payment.

Figure 1. Geographic and sectoral distribution of victims since January 2025 based on the Agenda ransomware group’s leak site

The group’s willingness to target critical infrastructure, including healthcare facilities and public sector entities, emphasizes their lack of ethical constraints and prioritization of financial gain over potential societal impact. Figure 1 illustrates the geographic and sectoral distribution of Agenda’s 2025 victims as documented on their data leak site, providing a visual representation of the threat actor's extensive global reach and multi-industry impact.

Attack chain

Figure 2. The Agenda ransomware infection chain

Initial Access

We identified that multiple endpoints within the compromised environment had connected to malicious fake CAPTCHA pages hosted on Cloudflare R2 storage infrastructure. These pages presented convincing replicas of legitimate Google CAPTCHA verification prompts:

  • hxxps://pub-959ff112c2eb41ce8f7b24e38c9b4f94[.]r2[.]dev/Google-Captcha-Continue-Latest-J-KL-3[.]html
  • hxxps://pub-2149a070e76f4ccabd67228f754768dc[.]r2[.]dev/I-Google-Captcha-Continue-Latest-27-L-1[.]html

Figure 3. Screenshot of the webpage hosted on Cloudflare R2, displaying a fake Google CAPTCHA verification prompt designed to trick users into executing malicious commands

Analysis of the embedded obfuscated JavaScript within these fake CAPTCHA pages revealed a multistage payload delivery system that initiated downloads from secondary command-and-control servers:

  • 45[.]221[.]64[.]245/mot/
  • 104[.]164[.]55[.]7/231/means.d

We assess that the threat actors likely initiated their attack campaign through a sophisticated social engineering scheme involving these fake CAPTCHA pages. The pages appear to have delivered information stealers to the compromised endpoints, which subsequently harvested authentication tokens, browser cookies, and stored credentials from the infected systems. The presence of valid credentials used throughout the attack chain strongly suggests that these stolen credentials provided the Agenda threat actors with the valid accounts necessary for their initial access into the environment. This assessment is further supported by the attackers’ ability to bypass multifactor authentication (MFA) and move laterally using legitimate user sessions, indicating they possessed harvested credentials rather than relying on traditional exploitation techniques.

Privilege Escalation

The attackers deployed a SOCKS proxy DLL to facilitate remote access and command execution. This proxy was loaded directly into memory using Windows’ legitimate rundll32.exe process, making detection more difficult.

C:\Windows\System32\cmd.exe
└── C:\Windows\System32\rundll32.exe
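A toy detection pass over constructed endpoint telemetry, added here as an example (it is not Trend Micro's code or the Vision One hunting content mentioned above): it flags an ELF image written to a Windows host by a transfer or remote-management tool, rundll32.exe loading a DLL from outside the system directories as in the process tree above, and a remote-management process spawning a shell. Event field names, the tool image names and all sample paths are assumptions.

```python
# Toy detection pass over constructed telemetry (added example, not Trend Micro's code).
# Field names, process image names and paths are assumptions.
from dataclasses import dataclass
import ntpath

ELF_MAGIC = b"\x7fELF"  # a Linux binary has no business landing on a Windows host
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Remote management/transfer tools the post says were abused; matching on an image-name
# substring is an assumption about how these tools appear in telemetry.
RMM_TOOLS = {"splashtop", "screenconnect", "anydesk", "winscp", "atera", "meshagent"}
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe"}

@dataclass
class Event:
    kind: str            # "file" (a file was written) or "process" (a process was created)
    process: str         # image of the writing process, or of the new child process
    parent: str = ""     # parent image, for "process" events
    path: str = ""       # file written, for "file" events
    cmdline: str = ""    # command line, for "process" events
    header: bytes = b""  # first bytes of the written file, for "file" events

def is_rmm(image: str) -> bool:
    base = ntpath.basename(image).lower()
    return any(tool in base for tool in RMM_TOOLS)

def detect(events):
    """Return (severity, rule, detail) tuples, one per suspicious event."""
    alerts = []
    for e in events:
        child = ntpath.basename(e.process).lower()
        if e.kind == "file" and e.header.startswith(ELF_MAGIC):
            sev = "high" if is_rmm(e.process) else "medium"  # worse when an RMM/transfer tool wrote it
            alerts.append((sev, "elf_on_windows", e.path))
        if e.kind == "process" and child == "rundll32.exe":
            # rundll32 <dll>,<export>: flag DLLs loaded from outside the system directories.
            parts = e.cmdline.split(maxsplit=1)
            dll = parts[1].split(",")[0] if len(parts) > 1 else ""
            if dll and not dll.lower().startswith(SYSTEM_DIRS):
                alerts.append(("high", "rundll32_nonsystem_dll", dll))
        if e.kind == "process" and child in SHELLS and is_rmm(e.parent):
            alerts.append(("medium", "rmm_spawned_shell", e.parent))
    return alerts

# Constructed sample telemetry (not from the incident): ELF drop, proxy DLL load, RMM-spawned shell, one benign rundll32.
SAMPLE = [
    Event("file", r"C:\Program Files (x86)\WinSCP\WinSCP.exe", path=r"C:\Users\Public\agenda", header=b"\x7fELF\x02\x01\x01"),
    Event("process", "rundll32.exe", parent=r"C:\Windows\System32\cmd.exe", cmdline=r"rundll32.exe C:\Users\Public\socks.dll,Run"),
    Event("process", "cmd.exe", parent=r"C:\Program Files\Splashtop\SplashtopRemote.exe"),
    Event("process", "rundll32.exe", parent=r"C:\Windows\System32\cmd.exe", cmdline=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]
```

Running `detect(SAMPLE)` yields three alerts and leaves the benign shell32.dll load unflagged; in practice the file-header check belongs in the EDR's file-create hook, since the ELF magic is the one signal a Windows-only rule set never looks for.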

[...]
