
Qilin ransomware hybrid Windows/Linux activity with BYOVD

Malware Activity
Happening score: 24
1 unique source, 1 article

Summary


The Qilin ransomware operation is deploying a Linux ransomware variant on Windows systems, combined with a BYOVD (bring-your-own-vulnerable-driver) step and legitimate remote-management tools, which broadens its reach and makes detection harder. The group has claimed more than 40 victims in every month of 2025 except January and reached 100 leak-site postings in June, showing sustained high-volume activity. Cisco Talos and Trend Micro report that the activity has hit the U.S., Canada, the U.K., France, and Germany, with manufacturing and professional services among the most affected sectors. The tradecraft chains leaked credentials, RDP, credential theft, and security-evasion tooling before file encryption and ransom-note deployment.

Related Happenings

Salesforce hit by network compromise

Incident
First: 20.11.2025 18:47 Last: 20.11.2025 18:47 Sources 1

About this happening: **Salesforce** revoked **refresh tokens** and temporarily removed **Gainsight-published applications** after detecting **unusual activity** that may have enabled **unauthorized ac...

Q3 2025 ransomware cases shift toward compromised VPN credentials

Target Trend
First: 19.11.2025 11:40 Last: 19.11.2025 11:40 Sources 1

About this happening: **Ransomware surged in Q3 2025**, and **compromised VPN credentials** became the most common initial-access route, increasing exposure across remote-access environments. **Three g...

Qilin ransomware activity surge with affiliate-led RaaS operations

Malware Activity
First: 11.11.2025 18:00 Last: 11.11.2025 18:00 Sources 1

About this happening: The **Qilin** ransomware operation is seeing a rise in attacks, increasing the risk of **data theft** and **file encryption** across corporate networks. The group relies on an aff...

Qilin's 2025 dominance as the most active ransomware group

Threat Actor Meta
First: 08.10.2025 04:00 Last: 08.10.2025 04:00 Sources 1

About this happening: In **2025**, **Qilin** emerged as the most active ransomware group, signaling a high-throughput **ransomware-as-a-service** operation with broad pressure on enterprise targets. It...

Latest development: 15.12.2025 13:15

Asahi Group Holdings CEO Atsushi Katsuki said on December 15 that the company is elevating cybersecurity to a top management priority, considering a dedicated cybersecurity unit, scrapping VPNs, and adopting a stricter zero-trust model after the September 29 Qilin ransomware attack disrupted main systems, automated order and shipping processes, and exposed personal data.

Salesloft hit by network compromise

Incident
First: 13.09.2025 12:04 Last: 13.09.2025 12:04 Sources 1

About this happening: **Salesloft/Drift** is a **token abuse incident** tied to a **GitHub account breach** at Salesloft that began as early as **March 2025** and led to compromise of the **Drift appli...

Timeline

  1. 27.10.2025 10:55 1 article · 7mo ago

    Qilin hybrid Windows/Linux ransomware tradecraft and impact

    Technical Analysis Update

    Qilin intrusions combine leaked administrative credentials for VPN access and RDP connections with system reconnaissance, credential harvesting, and remote-management abuse. Observed tooling includes Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, SharpDecryptPwd, Cyberduck, PowerShell, dark-kill, HRSword, Cobalt Strike, SystemBC, AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, ScreenConnect, the PuTTY SSH client, and Splashtop Remote's management service (SRManager.exe). The eskle.sys driver is abused in a BYOVD attack to disable security solutions and evade detection.

    The operation also targets Veeam backup infrastructure and harvests credentials from backup databases, deploys a Linux ransomware variant on Windows systems, and finishes by encrypting files, dropping ransom notes, wiping event logs, and deleting Windows Volume Shadow Copy Service (VSS) shadow copies.

    Related reporting says the group has claimed more than 40 victims in every month of 2025 except January, reached 100 cases in June, and recorded 84 victims in each of August and September 2025, with the U.S., Canada, the U.K., France, and Germany among the most affected countries.

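The impact and evasion steps listed in the timeline entry above (VSS shadow-copy deletion, event-log wiping, the eskle.sys BYOVD driver load, and a cluster of remote-management tools on one host) are the points a defender can hunt for in endpoint telemetry. The following is an added example written for this page, not code from Talos, Trend Micro, or any vendor: a small hunting pass over constructed Sysmon-style process-creation and driver-load events. The event shapes, the sample lines, the `threshold` parameter, and the executable names other than SRManager.exe are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events; not telemetry from any real incident.
# event_id 1 = process creation, event_id 6 = driver load (Sysmon numbering).
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "event_id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "FS01", "event_id": 6, "image": r"C:\Windows\Temp\eskle.sys",
     "cmdline": ""},
    {"host": "WS07", "event_id": 1, "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service"},
    {"host": "WS07", "event_id": 1,
     "image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe",
     "cmdline": "SRManager.exe"},
    {"host": "WS07", "event_id": 1,
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "WS02", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "WS02", "event_id": 1, "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
]

# Command-line patterns for the two impact steps named in the report.
PROCESS_RULES = {
    "vss_shadow_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "eventlog_wipe": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

# Driver-load pattern for the BYOVD file name the report associates with Qilin.
DRIVER_RULES = {
    "byovd_eskle_sys": re.compile(r"\\eskle\.sys$", re.I),
}

# Remote-management executables. SRManager.exe is named on the page; the other
# file names are assumed for this example. Any single tool may be legitimate,
# so a host is flagged only when several distinct tools appear on it.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "srmanager.exe": "Splashtop",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "quickassist.exe": "QuickAssist",
}


def match_rules(events):
    """Return (host, rule_name) pairs for every event matching a rule."""
    hits = []
    for ev in events:
        if ev["event_id"] == 1:
            for name, rx in PROCESS_RULES.items():
                if rx.search(ev["cmdline"]):
                    hits.append((ev["host"], name))
        elif ev["event_id"] == 6:
            for name, rx in DRIVER_RULES.items():
                if rx.search(ev["image"]):
                    hits.append((ev["host"], name))
    return hits


def rmm_burst(events, threshold=2):
    """Map host -> sorted RMM tool names for hosts running >= threshold distinct tools."""
    seen = defaultdict(set)
    for ev in events:
        if ev["event_id"] != 1:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe in RMM_IMAGES:
            seen[ev["host"]].add(RMM_IMAGES[exe])
    return {host: sorted(tools) for host, tools in seen.items() if len(tools) >= threshold}


if __name__ == "__main__":
    for host, rule in match_rules(SAMPLE_EVENTS):
        print(f"[{host}] {rule}")
    for host, tools in rmm_burst(SAMPLE_EVENTS).items():
        print(f"[{host}] multiple remote-management tools: {', '.join(tools)}")
```

In the constructed sample, FS01 trips all three single-event rules while WS07 is flagged only by the burst logic, and WS02 (one remote-management tool plus ordinary activity) produces nothing; that separation is the point of scoring remote-management tools by distinct count per host rather than alerting on each one.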