A new ransomware campaign by the Qilin group, also known as Agenda, has been found combining a Linux-based encryptor with a BYOVD (Bring Your Own Vulnerable Driver) technique. The hybrid approach lets the attackers run Linux ransomware on Windows systems while neutralising the security tools that would normally catch it. Researchers say this cross-platform method makes detection and defence considerably harder for organisations whose tooling is tuned for Windows malware.

The attack begins with the intruders gaining access to the corporate network through stolen credentials, phishing emails, or exposed remote-access services. Once inside, they install legitimate remote-management and file-transfer software, including the remote-access tools AnyDesk and ScreenConnect. Because these programs are signed, widely deployed, and often already permitted by policy, the attackers can use them to move between systems and stage the ransomware payload without triggering the alerts that custom tooling would.

The most dangerous part of this operation is the BYOVD technique. Instead of writing a new malicious driver, which Windows would refuse to load without a valid signature, the attackers bring along an existing, legitimately signed driver that contains a known vulnerability. Driver signature enforcement accepts it, and the flaw then gives the attackers arbitrary kernel-mode access. From there they can terminate or blind Endpoint Detection and Response (EDR) processes, leaving the rest of the intrusion almost invisible to the security software on the host.

After the defences are disabled, the attackers deploy a Linux-based encryptor on the Windows systems, a very unusual tactic. Most antivirus and EDR products are built to inspect Windows PE executables; a Linux ELF binary matches neither their file signatures nor the behavioural rules written for Windows malware, so it is frequently not recognised as a threat at all. This allows the Qilin encryptor to encrypt important files and spread through the network with little resistance or detection.

Before encrypting anything, the attackers exfiltrate sensitive data so they can threaten to leak it if the ransom is not paid, a method known as double extortion. Once encryption is complete, they delete system logs and Volume Shadow Copies (VSS) to hinder both investigation and recovery. Victims are left with encrypted systems and the prospect of their confidential information being published.
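The stages above give defenders three concrete things to look for on a Windows host: a file carrying a Linux ELF header where no Linux binary belongs, command lines that delete shadow copies or clear event logs, and the remote-management tools the story names being launched. The following script is an added example written for this article, not code from the Qilin report or from any product; the event records and file headers it scans are constructed, and the field names (image, command_line, header) and the list of RMM process names are assumptions to be adapted to your own telemetry.

```python
"""Added example, not from the original article: host-side checks for three
stages the story describes, run over constructed sample records.

1. A file carrying an ELF header on a Windows host (a Linux binary where none
   should normally be), identified by parsing the ELF identification bytes.
2. Command lines that delete Volume Shadow Copies or clear event logs.
3. The remote-management tools named in the text being executed.

All records and headers below are constructed for this example. Field names
(image, command_line, header) are assumptions, not a real log format.
"""
import re
import struct

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_MACHINE = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}

# Process names of the RMM tools the article names (assumed default binary
# names; tune to your environment).
RMM_TOOLS = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Recovery-tampering command lines; the label becomes the finding's category.
RECOVERY_TAMPER = [
    ("shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow copy deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("event log clearing", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]


def parse_elf_ident(header: bytes):
    """Describe an ELF file from its first 20 bytes, or return None.

    Layout: bytes 0-3 magic, 4 EI_CLASS, 5 EI_DATA (1 = little-endian),
    16-17 e_type, 18-19 e_machine.
    """
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = header[4], header[5]
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", header, 18)
    return {
        "class": ELF_CLASS.get(ei_class, f"unknown({ei_class})"),
        "machine": ELF_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
    }


def classify_event(event: dict) -> list:
    """Return the list of findings for one constructed host event."""
    findings = []
    image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image in RMM_TOOLS:
        findings.append(f"remote management tool executed: {image}")
    cmd = event.get("command_line", "")
    for label, pattern in RECOVERY_TAMPER:
        if pattern.search(cmd):
            findings.append(f"{label}: {cmd}")
            break
    elf = parse_elf_ident(event.get("header", b""))
    if elf is not None:
        findings.append(
            f"ELF binary on Windows host ({elf['class']}, {elf['machine']}): {event.get('image')}"
        )
    return findings


def scan(events: list) -> list:
    """Return (event_index, findings) for every event that matched a rule."""
    results = []
    for i, event in enumerate(events):
        findings = classify_event(event)
        if findings:
            results.append((i, findings))
    return results


# Constructed headers: a 64-bit little-endian x86-64 ELF, and a PE/MZ stub.
SAMPLE_ELF_HEADER = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + struct.pack("<HH", 2, 0x3E)
SAMPLE_PE_HEADER = b"MZ\x90\x00" + b"\x00" * 16

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs",
     "header": SAMPLE_PE_HEADER},
    {"image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "command_line": "ScreenConnect.ClientService.exe", "header": SAMPLE_PE_HEADER},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet", "header": SAMPLE_PE_HEADER},
    {"image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil cl Security",
     "header": SAMPLE_PE_HEADER},
    {"image": r"C:\Users\Public\encryptor", "command_line": "", "header": SAMPLE_ELF_HEADER},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        for finding in findings:
            print(f"event {index}: {finding}")
```

Two caveats for anyone turning this into a production rule. ELF files are not automatically hostile on Windows: developer machines with WSL or cross-compilation toolchains hold plenty of them, so the ELF check is a hunting lead to be combined with location and parent-process context, not a block rule. And the RMM check only fires on the default binary names; an affiliate who renames AnyDesk or runs a portable build defeats it, which is why the article's advice to monitor remote-access tooling closely should be read as monitoring the network activity and installation of such tools, not just their process names.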

Security analysts have tracked Qilin since 2022, over which time it has grown into a full ransomware-as-a-service (RaaS) operation: the core group develops and rents out the malware, and affiliates carry out the intrusions and share the proceeds. In 2025 Qilin became one of the most active ransomware operations worldwide, hitting government networks, private companies, and critical infrastructure operators.

Experts warn that this hybrid attack shows how quickly ransomware operators adapt to modern defences. Each component on its own is known, but the combination of legitimate remote tools for access, a vulnerable signed driver to switch off EDR, and a Linux encryptor that Windows-focused scanners do not recognise gives Qilin's campaign both stealth and reach. Security tooling that only understands Windows executables is no longer enough against multi-platform tradecraft of this kind.

To reduce the risk, experts recommend enforcing multi-factor authentication on every account, especially remote-access and administrative ones, and resetting any credentials that may have been exposed. Remote-access tools should be limited to those the organisation has approved, used only when needed, and monitored closely for unexpected installations and connections. Because the drivers abused in BYOVD attacks are validly signed, simply blocking unsigned drivers does not stop them; organisations should enable and keep current Microsoft's vulnerable driver blocklist (enforced through HVCI or a WDAC policy) and alert on new kernel driver loads. Finally, maintain offline or immutable backups that a compromised domain account cannot delete, and keep systems patched. These measures are simple, but together they make it much harder for groups like Qilin to succeed.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news