Qilin Ransomware Deploys Linux Payloads and BYOVD Tactics in Hybrid Attacks
Overview and key facts
Security researchers have observed the Qilin ransomware operation — also tracked under the names Agenda, Gold Feather and Water Galura — using a hybrid attack approach that pairs a Linux-capable payload with a BYOVD (Bring Your Own Vulnerable Driver) exploitation technique. Since the start of 2025 the group has posted more than 40 victims each month, with its public leak site reaching approximately 100 cases in June; the operation has emerged as one of the most active ransomware-as-a-service (RaaS) outfits observed so far this year.
Known facts: Qilin is combining Linux-targeting ransomware components with BYOVD-style EDR/AV evasion techniques and maintaining a high cadence of public leak postings through 2025.
Background and why this matters
Ransomware actors increasingly treat enterprise environments as heterogeneous attack surfaces that include both Windows endpoints and Linux infrastructure such as servers, containers and hypervisors. A hybrid capability that targets Linux systems is significant because it expands the number of lucrative targets — file servers, backup appliances and virtualized platforms — and complicates incident response, which traditionally focuses on Windows artifacts and tooling.
BYOVD is a well-known evasive technique in which attackers load or leverage legitimately signed but vulnerable kernel-mode drivers to disable security products or bypass kernel protections. When combined with a Linux payload, BYOVD-style techniques indicate a multi-platform ops model designed to defeat defenders using endpoint detection and response (EDR) and other host-based security controls.
The operational cadence reported for Qilin — dozens of new victim posts every month and a June peak — signals a mature RaaS business model with sufficient operator throughput to sustain frequent intrusions and leak-site activity. For defenders, that means an elevated probability of encountering Qilin or Qilin-inspired tactics across a wide range of industries.
Technical analysis and practitioner commentary
From a defensive and detection standpoint, the combination of Linux payloads plus BYOVD-style evasion presents several technical challenges:
- Cross-platform visibility gaps: Security teams that prioritize Windows telemetry can miss Linux compromise indicators and lateral movement via SSH, container escapes or compromised hypervisor environments.
- Kernel-level evasion: BYOVD techniques operate at the kernel or driver level to neutralize EDR and antivirus protections. Detection requires kernel integrity monitoring and validation of loaded drivers.
- Payload flexibility: A single intrusion chain that deploys both Windows and Linux components implies modular tooling and automated staging — ransomware operators can adapt to whichever hosts they discover during the intrusion.
Actionable technical commentary for practitioners:
- Harden driver usage and loading: Use kernel driver allowlisting where possible and enforce driver signing policies. Audit and block known vulnerable signed drivers that can be abused by attackers.
- Enhance Linux telemetry: Ensure collection of system call logs, auditd, kernel logs and process execution paths. Monitor for unusual loads of ELF binaries, unexpected use of SSH keys, and rapid file modification patterns typical of encryption routines.
- Kernel integrity and attestation: Deploy solutions that can detect unauthorized kernel modifications and monitor for anomalous driver loads or symbol table changes. On platforms that support it, enable Secure Boot and UEFI protections to reduce kernel-level tampering risk.
- Coordinate cross-platform IR playbooks: Prepare unified response plans that cover Windows and Linux containment, including steps for isolating ESXi or other hypervisor hosts and preserving volatile memory and kernel state for forensic analysis.
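As an added example (not code from the article or from any vendor), the following Python applies the driver-allowlisting and kernel-module-monitoring advice above to a constructed SIEM export: the JSON event schema, the allowlists and the "known vulnerable" hash values are all assumptions and placeholders, not real data.

```python
import json
from pathlib import PureWindowsPath

# Constructed allowlists and blocklist: placeholder values, not real vendor data.
ALLOWED_MODULES = {"ext4", "xfs", "nfs", "overlay", "dm_mod"}
ALLOWED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
VULNERABLE_DRIVER_HASHES = {"bbbb"}  # placeholder; populate from vendor advisories / driver blocklists
DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Constructed SIEM export in JSON-lines form (Linux kernel-module loads, Windows
# driver loads and a security-agent state change). Not real telemetry.
SAMPLE_EVENTS = r"""
{"host":"lnx-file01","kind":"kmod","module":"ext4","path":"/lib/modules/6.1.0/kernel/fs/ext4/ext4.ko"}
{"host":"lnx-file01","kind":"kmod","module":"hidemod","path":"/tmp/.x/hidemod.ko"}
{"host":"win-fs01","kind":"driver","image":"C:\\Windows\\System32\\drivers\\ntfs.sys","signer":"Microsoft Windows","sha256":"aaaa"}
{"host":"win-fs01","kind":"driver","image":"C:\\Users\\svc\\AppData\\Local\\Temp\\upd.sys","signer":"Example Vendor","sha256":"cccc"}
{"host":"win-fs01","kind":"driver","image":"C:\\Windows\\System32\\drivers\\vendor.sys","signer":"Example Vendor","sha256":"bbbb"}
{"host":"win-fs01","kind":"agent","service":"SecurityAgent","state":"stopped","actor":"svc"}
"""

def check_event(ev):
    # Return a finding string for a suspicious event, or None for benign ones.
    kind = ev.get("kind")
    if kind == "kmod":
        if ev["module"] not in ALLOWED_MODULES:
            return "kernel module not on allowlist"
        if not ev["path"].startswith("/lib/modules/"):
            return "kernel module loaded from non-standard path"
    elif kind == "driver":
        # BYOVD: a validly signed driver in the expected directory can still be a known-vulnerable one,
        # so the hash check comes first and does not depend on the signer being trusted.
        if ev["sha256"].lower() in VULNERABLE_DRIVER_HASHES:
            return "known vulnerable driver hash"
        if PureWindowsPath(ev["image"]).parent != DRIVER_DIR:
            return "driver loaded from outside the system drivers directory"
        if ev.get("signer") not in ALLOWED_SIGNERS:
            return "driver signer not on allowlist"
    elif kind == "agent" and ev.get("state") == "stopped":
        return "security agent stopped"
    return None

def hunt(jsonl):
    # Run check_event over every JSON line; return (host, reason) pairs worth triaging.
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        reason = check_event(ev)
        if reason:
            findings.append((ev["host"], reason))
    return findings
```

On the constructed sample the hunt returns four findings: the out-of-tree kernel module, the driver staged from a user-writable Temp directory, the correctly placed but known-vulnerable driver, and the stopped security agent.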
Comparable trends, risks and recommendations
Comparable and widely reported trends in the ransomware landscape help contextualize the Qilin activity:
- Ransomware-as-a-service proliferation: Multiple high-impact groups operate RaaS models that facilitate frequent, distributed attacks. This commoditization increases attack volume and the diversity of tactics in use.
- Linux targeting: Over recent years ransomware families have expanded to include Linux and ESXi-targeted modules, reflecting the value of enterprise server infrastructure to extortion operations.
- EDR evasion techniques: Threat actors routinely leverage driver-based evasion, living-off-the-land binaries, and credential theft to bypass defenses; BYOVD is one of several methods to neutralize host protections.
Potential operational and business risks:
- Backup and recovery disruption: If attackers target backup servers or snapshot repositories on Linux hosts, recovery windows may increase and insurers may dispute claims if backups are accessible from compromised hosts.
- Extended dwell time: Kernel-level evasion can mask attacker activity and delay detection, increasing data exfiltration and lateral movement opportunities.
- Regulatory and reputational harm: Data leaks and extended outages attract regulatory scrutiny and client distrust, particularly for organizations in healthcare, finance, critical infrastructure and managed service providers (MSPs).
Practical, prioritized recommendations for defenders:
- Patch management: Prioritize patches for both OS and third-party kernel drivers. Track vendor advisories for signed driver vulnerabilities and remove or replace vulnerable drivers.
- Network segmentation and least privilege: Limit lateral spread by segmenting server populations, restricting administrative access to Linux hosts, and enforcing MFA for privileged accounts and SSH access.
- Immutable and air-gapped backups: Maintain offline or air-gapped backups and test restores regularly. Ensure backup credentials are segregated from general administrative accounts.
- Hunt for suspicious driver loads and kernel artifacts: Use EDR and SIEM to hunt for anomalous driver loads, kernel module insertions, and sudden disabling of security agents.
- Threat intelligence and leak monitoring: Subscribe to ransomware leak-site monitoring and integrate indicators of compromise (IOCs) into blocking/monitoring controls to get early warning of active targeting.
- Incident response readiness: Validate runbooks for hybrid environments, ensure cross-team coordination (Windows, Linux, cloud/hypervisor), and rehearse containment scenarios that include kernel forensics and evidence preservation.
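As an added example (not code from the article), the following Python sketches the "rapid file modification patterns typical of encryption routines" hunt suggested in the Linux telemetry and hunting recommendations above: it runs a sliding-window detector over constructed file-modification events in the shape an auditd or fanotify collector might emit. The event layout, the window size and the threshold are assumptions to be tuned per environment.

```python
import os
from collections import Counter, defaultdict, deque

# Constructed events (timestamp_s, pid, comm, path): a slow benign rsync job, then a
# process touching 40 files in two seconds and leaving a uniform new extension. Not real telemetry.
EVENTS = sorted(
    [(i * 12.0, 1001, "rsync", f"/srv/share/doc{i}.txt") for i in range(5)]
    + [(100.0 + i * 0.05, 2042, "updater", f"/srv/share/report{i}.xlsx.locked") for i in range(40)]
)

def detect_encryption_bursts(events, window_s=2.0, threshold=30):
    # Flag any pid that modifies >= threshold files within window_s seconds.
    # Also report the dominant file extension in the burst, since mass encryption
    # typically writes a single new suffix while normal workloads touch mixed types.
    recent = defaultdict(deque)   # pid -> deque of (timestamp, path) inside the window
    flagged = {}
    for ts, pid, comm, path in events:
        q = recent[pid]
        q.append((ts, path))
        while ts - q[0][0] > window_s:
            q.popleft()
        if len(q) >= threshold and pid not in flagged:
            ext, n = Counter(os.path.splitext(p)[1] for _, p in q).most_common(1)[0]
            flagged[pid] = {
                "comm": comm,
                "files_in_window": len(q),
                "dominant_ext": ext,
                "ext_share": n / len(q),
            }
    return flagged
```

A high `ext_share` together with an extension the file server has never seen before is the strongest signal here; a low share with a high count is more often a backup, indexer or build job and deserves an allowlist entry rather than an alert.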
Conclusion
Qilin’s combination of Linux-targeting payloads and BYOVD-style evasion underscores a persistent evolution in ransomware tactics: operators are expanding beyond Windows endpoints to compromise server and virtualization infrastructure while using kernel-level tricks to blunt detection. The group’s sustained leak-site activity through 2025 highlights both operational scale and the real risk these hybrid campaigns pose to enterprise resiliency.
For defenders the priorities are clear: expand cross-platform visibility, harden driver and kernel protections, segregate backups and administrative access, and exercise incident response plans that span Windows and Linux environments. Proactive monitoring for driver misuse and improved telemetry on Linux hosts will reduce the window attackers need to achieve encryption and exfiltration.
Source: thehackernews.com