Qilin Ransomware Hybrid Attack

Summary
In late 2025, researchers observed the Qilin ransomware operation adopting hybrid, cross-platform techniques: affiliates run a Linux-based encryptor against predominantly Windows environments while using “bring your own vulnerable driver” (BYOVD) loaders to blind endpoint defenses and legitimate remote monitoring and management (RMM) tooling to move laterally, deploy payloads, and reach backup infrastructure. The result is a stealthy, highly effective extortion playbook that attacks both resilience (backups) and detection controls.

What happened — attack overview

Researchers from multiple vendors documented incidents in which Qilin affiliates:

  • Obtained initial access primarily via leaked/valid administrative credentials, spear-phishing, and malicious landing pages used to deliver credential-stealers.
  • Used those credentials to access VPN portals and perform RDP sessions to domain controllers and high-value hosts.
  • Performed credential harvesting (Mimikatz, WebBrowserPassView, SharpDecryptPwd, BypassCredGuard and custom scripts) and cleared logs to cover tracks.
  • Installed and abused legitimate RMM and remote access tools (AnyDesk, ScreenConnect, Splashtop, GoToDesk, Chrome Remote Desktop, etc.) for command execution and deployment.
  • Harvested backup credentials (Veeam and others), exfiltrated backups/credentials, and disabled backup/recovery to frustrate restoration.
  • Employed BYOVD (loading a vulnerable kernel driver, reported as eskle.sys) to disable or evade security products and terminate defensive processes.
  • Transferred a Linux ELF ransomware binary to Windows hosts (e.g., with WinSCP), executed it there through Splashtop’s SRManager.exe or WSL, and encrypted both Windows and Linux systems in the environment with that single payload.

These combined techniques let Qilin affiliates bypass Windows-focused EDRs, disable protections, and attack backup infrastructure before detonating encryption and publishing stolen data on leak sites.

Important technical details & missing context

How a Linux encryptor executes on Windows

Several mechanisms have been observed or are plausible:

  1. Windows Subsystem for Linux (WSL): attackers enable WSL (or use an existing installation) and launch the ELF binary inside it, so the encryptor runs as a Linux process under wsl.exe rather than as a Windows PE image and sidesteps detections built around PE parsing and user-mode API hooking. The vendor reporting cited below documents Qilin abusing WSL as an execution vector. Enabling the WSL optional feature requires administrator rights (and, on older builds, a reboot), so on hosts where WSL is not sanctioned the enablement itself is a high-signal event.
  2. Remote management tool execution: the adversary transfers the ELF file to the host (e.g., with WinSCP) and then uses a remote management process (Splashtop’s SRManager.exe or another RMM service) to launch it, so the execution chain starts from a trusted, frequently allow-listed parent process. Vendors reported Splashtop being used to run the Linux binary directly on Windows hosts.
  3. Other staging paths (feasible, but not attributed to Qilin in the cited reporting): an adversary can stage a minimal Linux runtime through nested virtualization or misuse signed components to run ELF payloads, and BYOVD drivers may be used to suppress the kernel-level EDR protections that would otherwise block such behaviour.
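Because Windows tooling and most Windows detections key on the PE (“MZ”) header, a Linux ELF payload dropped under C:\ProgramData by WinSCP or an RMM agent can sit unrecognised until wsl.exe or an RMM process runs it. The Python below is an added triage example, not code from any of the vendor reports cited on this page: it recognises ELF files by their magic bytes, decodes the header fields an analyst wants (class, endianness, type, machine, entry point) and walks a directory tree for any ELF present. The three sample files it scans (an ELF64 header, a PE stub and a text file) are constructed inline; names such as update.bin are hypothetical.

```python
"""Triage ELF files on a Windows volume (added example, not vendor code).

A Linux encryptor copied to a Windows host is just an ELF file on NTFS;
the first 64 bytes are enough to recognise and classify it."""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def is_elf(data: bytes) -> bool:
    """True if the buffer starts with the ELF magic."""
    return data[:4] == ELF_MAGIC


def parse_elf_header(data: bytes):
    """Decode the ELF header; return a dict, or None if this is not a valid ELF."""
    if not is_elf(data) or len(data) < 52:          # 52 bytes is the ELF32 header size
        return None
    ei_class, ei_data = data[4], data[5]            # 1/2 = 32/64-bit, 1/2 = LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff (32- or 64-bit wide),
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    end = 16 + struct.calcsize(fmt)                 # 64 for ELF64, 52 for ELF32
    if len(data) < end:
        return None
    f = struct.unpack(fmt, data[16:end])
    return {
        "elf_class": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(f[0], hex(f[0])),
        "machine": MACHINES.get(f[1], hex(f[1])),
        "entry": f[3],
        "phnum": f[9],
    }


def scan_tree(root: str):
    """Walk `root` and return [(path, header_dict)] for every ELF file found.
    Only the first 64 bytes of each file are read, so this is cheap on large trees."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:                          # locked, unreadable or vanished
                continue
            info = parse_elf_header(head)
            if info:
                hits.append((path, info))
    return hits


def make_sample_elf64() -> bytes:
    """Constructed ELF64 little-endian x86-64 executable header (no code behind it)."""
    ident = struct.pack("<4sBBBB8s", ELF_MAGIC, 2, 1, 1, 0, b"\0" * 8)
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ident + rest


SAMPLE_ELF64 = make_sample_elf64()
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60            # constructed PE ("MZ") stub
SAMPLE_TXT = b"quarterly figures\r\n"               # constructed non-binary file


def demo_scan():
    """Drop the three constructed samples in a temp dir (stand-in for C:\\ProgramData)
    and return the base names of the files scan_tree flags as ELF."""
    with tempfile.TemporaryDirectory() as root:
        for name, blob in (("update.bin", SAMPLE_ELF64), ("setup.exe", SAMPLE_PE),
                           ("notes.txt", SAMPLE_TXT)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return sorted(os.path.basename(p) for p, _ in scan_tree(root))


if __name__ == "__main__":
    print(parse_elf_header(SAMPLE_ELF64))
    print("ELF files found:", demo_scan())
```

Point scan_tree at C:\ProgramData, C:\Users and other user-writable locations during a hunt; on a Windows estate without sanctioned WSL or Linux tooling, any hit deserves a look, and the machine field tells you at once whether the file could run on the host’s architecture.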

BYOVD: what it is and why it matters

“Bring-Your-Own-Vulnerable-Driver” attacks load a kernel driver that is legitimately signed but contains an exploitable flaw (typically arbitrary kernel memory read/write or an IOCTL that terminates arbitrary processes). Because the driver carries a valid signature it passes Driver Signature Enforcement, and installing it needs only local administrator rights, so the attacker never has to write or sign kernel code. Once loaded, the driver is used to kill security processes, tamper with the callbacks and hooks EDRs depend on, or hide artifacts. Qilin affiliates were observed using a driver referred to in reporting as eskle.sys to disable security products and terminate defensive processes, a classic BYOVD pattern. The practical check is whether a host enforces Hypervisor-protected Code Integrity (HVCI) and Microsoft’s vulnerable driver blocklist: a driver already on that list should fail to load at all.

Backup targeting & destruction

Qilin’s affiliates systematically harvested credentials from backup products (Veeam and similar), targeted backup servers and databases, and exfiltrated or deleted backup artifacts and shadow copies before encryption. This is not incidental — it’s a deliberate attempt to force ransom payment by removing reliable recovery options. Industry guidance repeatedly highlights that ransomware actors now routinely target backups as a first-class objective.

Indicators of Compromise (IOCs) & behaviors to look for

(Use vendor feeds and your own telemetry to map these to concrete IOCs — hashes and IPs change rapidly.)

  • Unexpected installation or use of RMM tools (AnyDesk, ScreenConnect, Splashtop, Atera) on endpoints or servers.
  • Unusual creation or transfer of ELF binaries onto Windows hosts (file names vary; watch for WinSCP transfers to system directories or C:\ProgramData paths).
  • Signs of WSL being enabled or commands invoking wsl.exe or bash.exe from administrative/system contexts.
  • Driver installation events for unknown or suspicious drivers (e.g., eskle.sys), including unsigned driver loads, drivers with anomalous certificate chains, or drivers loaded from outside the standard driver directories. Monitor Sysmon Event ID 6 (DriverLoad) and the System log’s Service Control Manager Event ID 7045 (new service installed, which includes kernel-driver services).
  • Use of credential theft tools (Mimikatz, WebBrowserPassView, SharpDecryptPwd, BypassCredGuard) and the processes that spawn them.
  • Deletion of Volume Shadow Copies (vssadmin delete shadows /all /quiet, wmic SHADOWCOPY DELETE) and clearing of Windows event logs.
  • C2 tools such as SystemBC, COROXY backdoors, and Cobalt Strike beacons.

Detection recommendations

  • Audit driver loads: log and alert on every new kernel-driver installation, especially drivers that are unsigned, signed by an unfamiliar publisher, loaded from outside the standard driver directories, or present on Microsoft’s vulnerable driver blocklist. Correlate the load (Sysmon Event ID 6, System log 7045) with the process and account that installed the service.
  • Monitor RMM deployments and credential use: alert on first-time RMM installs, RMM processes spawning shells or script interpreters, and RMM sessions initiated outside business hours or from atypical source IPs.
  • WSL/ELF execution detection: alert on wsl.exe or bash.exe with a non-interactive parent (a service, an RMM agent, a scheduled task) or running as SYSTEM, on the WSL optional feature being enabled, on files carrying the ELF magic (7F 45 4C 46) written to Windows volumes, and on Splashtop or other remote-tool processes spawning shells or non-Windows binaries.
  • Backup system telemetry: centrally collect logs from backup servers (Veeam, etc.) and alert on privileged queries or export actions, large database reads, and backup repositories being reconfigured or deleted.
  • Credential theft behaviour detection: watch for LSASS memory access (Sysmon Event ID 10), process injection patterns, and suspicious reads of browser SQLite credential databases. Correlate with changes to LSA protection (RunAsPPL) and unusual use of service accounts.
  • Network detection: monitor for SOCKS proxy creation, unexpected outbound connections from binaries in unusual directories (indicating SystemBC, COROXY or other proxying), and unknown SSH/WinSCP sessions.
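The detection bullets above map directly onto Sysmon telemetry. The Python below is an added example, not vendor code, that runs five of those rules over constructed Sysmon-style records: DriverLoad (Event ID 6) for unsigned, off-path or watch-listed drivers (the BYOVD pattern described earlier), and ProcessCreate (Event ID 1) for wsl.exe/bash.exe with a non-interactive parent, an RMM agent spawning a shell, shadow-copy deletion, and event-log clearing. Field names follow Sysmon; the RMM image names, the trusted driver directories, the interactive-parent list and every sample event are assumptions for illustration and should be baselined against your own estate.

```python
"""Rule pass over Sysmon-style events for the Qilin TTPs described above.
Added example, not vendor code.  Field names follow Sysmon EventID 1
(ProcessCreate) and EventID 6 (DriverLoad); the lists below and all
sample events are assumptions to tune for your environment."""
import ntpath
from collections import Counter

INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "windowsterminal.exe", "code.exe"}
WSL_IMAGES = {"wsl.exe", "bash.exe"}
# Client binaries of RMM products named in the reporting (assumed names; extend).
RMM_IMAGES = {"anydesk.exe", "srmanager.exe", "srserver.exe", "srservice.exe",
              "screenconnect.clientservice.exe", "ateraagent.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wsl.exe", "bash.exe",
          "rundll32.exe", "wscript.exe", "cscript.exe"}
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")
WATCHLIST_DRIVERS = {"eskle.sys"}   # driver name from the public reporting cited on this page


def base(path) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def rule_driver_load(e):
    """EventID 6: unsigned, off-path or watch-listed kernel driver (BYOVD pattern)."""
    if e.get("EventID") != 6:
        return None
    path = e.get("ImageLoaded", "")
    reasons = []
    if str(e.get("Signed", "")).lower() != "true":
        reasons.append("unsigned")
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from non-standard path")
    if base(path) in WATCHLIST_DRIVERS:
        reasons.append("name on watchlist")
    return f"driver {path}: {', '.join(reasons)}" if reasons else None


def rule_wsl_unusual_parent(e):
    """EventID 1: wsl.exe/bash.exe started by something other than a user shell."""
    if e.get("EventID") != 1:
        return None
    img, parent = base(e.get("Image")), base(e.get("ParentImage"))
    if img in WSL_IMAGES and parent not in INTERACTIVE_PARENTS:
        return f"{img} spawned by {parent} as {e.get('User')}"
    return None


def rule_rmm_spawns_shell(e):
    """EventID 1: an RMM agent launching a shell, interpreter or WSL."""
    if e.get("EventID") != 1:
        return None
    img, parent = base(e.get("Image")), base(e.get("ParentImage"))
    if parent in RMM_IMAGES and img in SHELLS:
        return f"{parent} launched {img}: {e.get('CommandLine')}"
    return None


def rule_shadow_copy_deletion(e):
    """EventID 1: vssadmin / wmic / wbadmin used to destroy recovery points."""
    if e.get("EventID") != 1:
        return None
    c = (e.get("CommandLine") or "").lower()
    if ("vssadmin" in c and "delete" in c and "shadows" in c) \
            or ("wmic" in c and "shadowcopy" in c and "delete" in c) \
            or ("wbadmin" in c and "delete" in c and "catalog" in c):
        return f"shadow copy deletion: {e.get('CommandLine')}"
    return None


def rule_event_log_cleared(e):
    """EventID 1: wevtutil cl / Clear-EventLog used to cover tracks."""
    if e.get("EventID") != 1:
        return None
    c = (e.get("CommandLine") or "").lower()
    if ("wevtutil" in c and (" cl " in c or "clear-log" in c)) or "clear-eventlog" in c:
        return f"event log cleared: {e.get('CommandLine')}"
    return None


RULES = [("byovd_or_unsigned_driver", rule_driver_load),
         ("wsl_unusual_parent", rule_wsl_unusual_parent),
         ("rmm_spawns_shell", rule_rmm_spawns_shell),
         ("shadow_copy_deletion", rule_shadow_copy_deletion),
         ("event_log_cleared", rule_event_log_cleared)]


def run_rules(events):
    """Apply every rule to every event; one alert per (rule, event) match."""
    alerts = []
    for i, e in enumerate(events):
        for name, fn in RULES:
            detail = fn(e)
            if detail:
                alerts.append({"rule": name, "index": i, "detail": detail})
    return alerts


def summarize(alerts):
    """Alert count per rule, handy for a quick triage view."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed sample events: the first four are malicious, the last three benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe",
     "CommandLine": r"wsl.exe -e /mnt/c/ProgramData/update.bin", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\eskle.sys", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet", "User": r"CORP\svc_backup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wevtutil cl Security", "User": r"CORP\svc_backup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "wsl.exe", "User": r"CORP\jdoe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir", "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a['rule']}] event {a['index']}: {a['detail']}")
    print(summarize(run_rules(SAMPLE_EVENTS)))
```

The first sample event trips two rules at once (wsl.exe with a non-interactive parent, and an RMM agent spawning WSL), which is exactly the overlap you want: either rule alone catches the Splashtop-to-WSL chain described above, and both firing on the same process is a strong signal for escalation.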

Mitigations

Immediate

  • Isolate impacted hosts, preserve volatile logs and memory images, and deny further remote RMM access for compromised accounts. (Follow your IR plan.)
  • Block suspicious drivers: enforce Microsoft’s vulnerable driver blocklist (on by default on Windows 11 22H2 and later and on HVCI-enabled devices; enforceable elsewhere through WDAC) and remove eskle.sys-like drivers where found, coordinating with IT/IR so that unloading a driver does not destabilize production systems.
  • Rotate credentials for privileged accounts and service accounts (especially backup system credentials); force MFA where feasible.
  • Ensure backups are offline or immutable and verify recent backup integrity before accepting a restoration plan. CISA guidance emphasizes offline/air-gapped or immutable backup copies.

Incident response checklist

  1. Contain: isolate infected hosts and block RMM sessions and suspicious accounts.
  2. Preserve: collect endpoint images, EDR metadata, and backup logs.
  3. Eradicate: remove malicious drivers, RMM implants, and persistence mechanisms (but validate impact).
  4. Credential remediation: rotate compromised credentials, revoke sessions, require MFA.
  5. Recovery: restore from verified immutable/offline backups after ensuring environment is clean.
  6. Post-incident: full forensics, root-cause analysis, and tabletop exercises to improve controls.

References & further reading

  • Cisco Talos, Uncovering Qilin attack methods exposed through multiple cases.
  • Trend Micro, Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques.
  • The Hacker News, Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack.
  • Security Affairs, Linux variant of Qilin Ransomware targets Windows via remote management tools and BYOVD.
  • DarkReading, Qilin Targets Windows Hosts with Linux-Based Ransomware.
  • BleepingComputer, Qilin ransomware abuses WSL to run Linux encryptors in Windows.
  • CISA, StopRansomware Guide (official guidance on preparation, detection, and recovery).
  • Blackpoint/industry whitepaper on Qilin (technical appendix / IOCs).
