Qilin ransomware hybrid Windows/Linux activity with BYOVD
Malware Activity
Summary
Hide ▲
Show ▼
The Qilin ransomware operation is using a Linux ransomware variant on Windows systems with BYOVD and legitimate remote-management tools, broadening its reach and making detection harder. The group has claimed 40+ victims per month since early 2025 and reached 100 leak-site postings in June, showing sustained high-volume activity. Cisco Talos and Trend Micro say the activity has hit the U.S., Canada, the U.K., France, and Germany, with manufacturing and professional services among the most affected sectors. The tradecraft includes leaked credentials, RDP, credential theft, and security-evasion tooling before file encryption and ransom-note deployment.
Related Happenings
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
Salesforce hit by network compromise
Incident
H score81
First: 20.11.2025 18:47
Last: 20.11.2025 18:47
Sources 1
About this happening:
**Salesforce** revoked **refresh tokens** and temporarily removed **Gainsight-published applications** after detecting **unusual activity** that may have enabled **unauthorized ac...
Salesforce hit by network compromise
IncidentAbout this happening: **Salesforce** revoked **refresh tokens** and temporarily removed **Gainsight-published applications** after detecting **unusual activity** that may have enabled **unauthorized ac...
Q3 2025 ransomware cases shift toward compromised VPN credentials
Trend
H score35
First: 19.11.2025 11:40
Last: 19.11.2025 11:40
Sources 1
About this happening:
**Ransomware surged in Q3 2025**, and **compromised VPN credentials** became the most common initial-access route, increasing exposure across remote-access environments. **Three g...
Q3 2025 ransomware cases shift toward compromised VPN credentials
TrendAbout this happening: **Ransomware surged in Q3 2025**, and **compromised VPN credentials** became the most common initial-access route, increasing exposure across remote-access environments. **Three g...
Qilin ransomware activity surge with affiliate-led RaaS operations
Malware Activity
H score33
First: 11.11.2025 18:00
Last: 11.11.2025 18:00
Sources 1
About this happening:
The **Qilin** ransomware operation is seeing a rise in attacks, increasing the risk of **data theft** and **file encryption** across corporate networks. The group relies on an aff...
Qilin ransomware activity surge with affiliate-led RaaS operations
Malware ActivityAbout this happening: The **Qilin** ransomware operation is seeing a rise in attacks, increasing the risk of **data theft** and **file encryption** across corporate networks. The group relies on an aff...
Qilin campaign expands across multiple victims
Campaign
H score38
First: 27.10.2025 17:18
Last: 27.10.2025 17:18
Sources 1
About this happening:
**Qilin** remains a dominant **ransomware-as-a-service (RaaS)** campaign as the market reconsolidates after disruptions to **LockBit** and **RansomHub**. Check Point says Qilin ho...
Qilin campaign expands across multiple victims
CampaignAbout this happening: **Qilin** remains a dominant **ransomware-as-a-service (RaaS)** campaign as the market reconsolidates after disruptions to **LockBit** and **RansomHub**. Check Point says Qilin ho...
Latest development: 03.07.2026 16:00
Check Point said Qilin now holds around 16% of the cybercriminal market share, and Sophos X-Ops CTU data showed 1,496 victims listed on Qilin's data leak site over the last 12 months from July 2026. Comparitech data also said The Gentlemen briefly knocked Qilin off the top spot in June 2026, with The Gentlemen at 115 victims and Qilin at 78, underscoring continued consolidation and competition across the ransomware market.
Timeline
-
27.10.2025 10:55 1 articles · 8mo ago
Qilin hybrid Windows/Linux ransomware tradecraft and impact
Technical Analysis UpdateQilin ransomware activity combines leaked administrative credentials for VPN access and RDP connections with system reconnaissance, credential harvesting, and remote-management abuse. The observed tradecraft uses tools such as Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, SharpDecryptPwd, Cyberduck, PowerShell, dark-kill, HRSword, Cobalt Strike, SystemBC, AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, ScreenConnect, PuTTY SSH clients, and Splashtop Remote's management service (SRManager.exe), while also abusing the eskle.sys driver in a BYOVD attack to disable security solutions and evade detection. The ransomware operation also targets Veeam backup infrastructure, harvests credentials from backup databases, deploys a Linux ransomware variant on Windows systems, and finishes by encrypting files, dropping ransom notes, wiping event logs, and deleting Windows Volume Shadow Copy Service (VSS) shadow copies. Related reporting says the group has claimed more than 40 victims every month since the start of 2025 except January, reached 100 cases in June, and recorded 84 victims each in August and September 2025, with the U.S., Canada, the U.K., France, and Germany among the most impacted countries.
Show sources
- Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack — thehackernews.com — 27.10.2025 10:55