Trend Research has uncovered a highly sophisticated ransomware campaign by the Agenda group, also known as Qilin, which deployed a Linux-based ransomware binary on Windows hosts — a rare cross-platform attack designed to bypass traditional endpoint protections.
In its latest investigation, Trend Research revealed that the Agenda ransomware group is “deploying a Linux-based ransomware binary on Windows hosts by abusing legitimate remote management and file transfer tools.” This unique technique allows the threat actors to sidestep “Windows-centric detections and security solutions, including conventional endpoint detection and response platforms.”
The campaign combined WinSCP for secure file transfers with Splashtop Remote for executing Linux binaries directly on Windows systems — effectively bypassing anti-malware defenses not designed to monitor Linux executables on Windows endpoints.
Trend’s analysts confirmed that this tactic “enables low-noise operations that can disable recovery options through the targeted theft of backup credentials and neutralize endpoint defenses via BYOVD attack.”
Since January 2025, Agenda has affected more than 700 victims across 62 countries, primarily targeting organizations in the United States, France, Canada, and the United Kingdom. Trend reported that “manufacturing, technology, financial services, and healthcare” were among the hardest-hit industries.

Agenda’s focus on developed economies and critical sectors demonstrates its financially motivated, opportunistic approach — leveraging its ransomware-as-a-service (RaaS) model to expand rapidly across hybrid IT environments.
The infection chain begins with sophisticated social engineering techniques. Multiple endpoints were found connecting to “malicious fake CAPTCHA pages hosted on Cloudflare R2 storage infrastructure.” These fake pages replicated Google’s CAPTCHA verification interface to lure victims into running malicious scripts.
Embedded obfuscated JavaScript within these pages initiated multi-stage payload delivery, downloading files from secondary command-and-control (C2) servers, such as:
- 45[.]221[.]64[.]245/mot/
- 104[.]164[.]55[.]7/231/means.d
Trend assessed that “the presence of valid credentials used throughout the attack chain strongly suggests that these stolen credentials provided the Agenda threat actors with the valid accounts necessary for their initial access.”
This credential-based entry allowed the attackers to bypass multifactor authentication (MFA) and move laterally using legitimate sessions, avoiding traditional intrusion alerts.
Once inside the network, the attackers established persistence through stealthy administrative manipulation.
Trend observed the creation of a backdoor account named “Supportt”, intentionally chosen to blend in with legitimate IT support profiles. Commands such as net user Supportt ***** /add and net localgroup Administrators Supportt /add granted full privileges.
The attackers also abused legitimate remote monitoring and management (RMM) tools — specifically ATERA Networks, ScreenConnect, and AnyDesk — to maintain redundant remote access channels.
“This dual-RMM approach provided the attackers with redundant remote access capabilities that appeared legitimate to security monitoring systems,” the report explained.
This technique made detection extremely difficult, as the attackers’ operations blended seamlessly into normal administrative traffic.
A particularly alarming discovery was Agenda’s systematic targeting of Veeam backup systems — a critical component in enterprise disaster recovery. Using base64-encoded PowerShell scripts, the attackers extracted credentials from Veeam’s SQL databases, decrypting usernames and passwords across multiple backup repositories.
Trend’s report notes:
“This approach provided the attackers with a comprehensive set of credentials for remote systems, domain controllers, and critical servers stored within the backup infrastructure.”
By stealing and decrypting backup credentials, Agenda effectively neutralized an organization’s ability to recover encrypted systems post-attack — amplifying ransom leverage.
The group also employed a Bring Your Own Vulnerable Driver (BYOVD) attack for anti-virus evasion. The analysis revealed that “the eskle.sys driver was utilized to disable security solutions, terminate processes, and evade detection.”
Interestingly, eskle.sys originated from Thumb World (Beijing) Network Technology Co., Ltd., a gaming vendor whose driver was likely repurposed from anti-cheat software. Trend noted that “the driver could have been repurposed by advanced persistent threat actors.”
In addition, the ransomware dropped multiple other malicious driver files, including rwdrv.sys and hlpdrv.sys, both previously linked to Akira ransomware campaigns. These tools allowed attackers to gain kernel-level control and disable endpoint detection and response (EDR) mechanisms entirely.
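The three host-side behaviours described above (a new local account such as “Supportt” being added to Administrators, base64-encoded PowerShell reaching into Veeam’s database, and the named BYOVD drivers being loaded) can be expressed as simple detection logic over process-creation telemetry. The Python below is an added example written for this article, not Trend’s code; the event records are constructed, and the Veeam query text inside the encoded command is a placeholder.

```python
import base64
import re

# Constructed process-start telemetry (not from the report); "cmd" is the command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "net user Supportt P@ssw0rd /add"},
    {"host": "ws01", "cmd": "net localgroup Administrators Supportt /add"},
    {"host": "ws01", "cmd": "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
        "Invoke-Sqlcmd -Database VeeamBackup -Query 'SELECT * FROM Credentials'".encode("utf-16le")).decode()},
    {"host": "srv02", "cmd": r"sc create eskle type= kernel binPath= C:\Windows\Temp\eskle.sys"},
    {"host": "ws03", "cmd": "net user guest /active:no"},
]

# Driver file names the report ties to the BYOVD stage.
KNOWN_BYOVD_DRIVERS = {"eskle.sys", "rwdrv.sys", "hlpdrv.sys"}

def decode_encoded_powershell(cmd):
    """Decode a PowerShell -e/-ec/-enc/-EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{8,})", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    """Return (rule, host, detail) tuples for the three behaviours described in the report."""
    findings = []
    new_accounts = set()  # (host, account) seen in a "net user ... /add"
    for ev in events:
        cmd, host = ev["cmd"], ev["host"]
        m = re.search(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", cmd, re.I)
        if m:
            new_accounts.add((host, m.group(1).lower()))
        m = re.search(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", cmd, re.I)
        if m and (host, m.group(1).lower()) in new_accounts:
            findings.append(("new_account_made_admin", host, m.group(1)))
        decoded = decode_encoded_powershell(cmd)
        if decoded and "veeam" in decoded.lower():
            findings.append(("encoded_ps_touches_veeam", host, decoded[:40]))
        for drv in KNOWN_BYOVD_DRIVERS:
            if drv in cmd.lower():
                findings.append(("known_byovd_driver", host, drv))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

In production the records would come from Sysmon Event ID 1 or Windows Security Event ID 4688 command lines rather than an inline list.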
After establishing control, the attackers used WinSCP to upload the Linux ransomware payload (mmh_linux_x86-64) to Windows systems. They then executed it through Splashtop’s remote management service:
This method enabled cross-platform execution of the ransomware payload, bypassing traditional Windows-focused security controls. The binary featured advanced configuration options, including whitelisting, logging levels, and hypervisor detection to identify VMware ESXi and Nutanix AHV environments.
Trend concluded that “the Linux ransomware binary provided cross-platform capability, allowing the attackers to impact both Windows and Linux systems within the environment using a single payload.”
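Because Windows-centric tooling tends not to inspect ELF images, one cheap compensating control is to sweep endpoints for files that carry the ELF magic bytes regardless of extension and report their class and target architecture (the report’s payload name, mmh_linux_x86-64, implies an ELF64 x86-64 image). The Python below is an added example for this article, not Trend’s code; the 64-byte ELF header and the PE stub it scans are constructed samples, not the ransomware.

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_MACHINE = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
ELF_TYPE = {2: "EXEC", 3: "DYN"}

def parse_elf_header(data):
    """Return basic ELF identity fields from the first bytes of a file, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # e_ident[EI_CLASS], e_ident[EI_DATA]
    endian = "<" if ei_data == 1 else ">"         # 1 = little-endian, 2 = big-endian
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": ELF_CLASS.get(ei_class, "unknown"),
        "type": ELF_TYPE.get(e_type, str(e_type)),
        "machine": ELF_MACHINE.get(e_machine, hex(e_machine)),
    }

def find_elf_files(root):
    """Walk a directory tree and report every file whose first bytes form an ELF header."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = parse_elf_header(fh.read(64))
            except OSError:
                continue              # locked or unreadable file; skip rather than abort the sweep
            if info:
                hits.append((path, info))
    return hits

# Constructed ELF64 little-endian x86-64 EXEC header (only the identity fields are set) and a PE stub.
SAMPLE_ELF64 = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 2, 0x3E) + b"\x00" * 44
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60

def demo_scan():
    """Write both constructed samples to a temp dir and scan it; only the ELF file should be reported."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("mmh_linux_x86-64", SAMPLE_ELF64), ("update.exe", SAMPLE_PE)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return [(os.path.basename(p), info) for p, info in find_elf_files(tmp)]
```

Run find_elf_files against user-writable locations (temp and download folders, RMM tool working directories) from a scheduled job; any ELF image on a Windows host is worth an alert.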