Agenda Ransomware Deploys Linux Variant on Windows Systems via WinSCP and Splashtop
Agenda (Qilin) ransomware has been observed deploying a Linux binary on Windows hosts by abusing WinSCP and Splashtop Remote, evading Windows-centric EDR and targeting backup infrastructure.

Trend Micro researchers have documented an Agenda ransomware intrusion in which a Linux build of the ransomware was deployed onto Windows systems, a notable step in cross-platform ransomware tradecraft. The group, also tracked as Qilin, abused two legitimate tools: WinSCP to transfer the Linux binary onto the host and Splashtop Remote to execute it. Because Windows-centric endpoint detection and response (EDR) tooling is tuned to Windows executables and tends to treat activity arriving over remote management channels as administrative, a Linux binary delivered and launched this way produces little of the telemetry those defenses key on and can run with far less noise.
The attack chain began with initial access through fake CAPTCHA pages hosted on Cloudflare R2 object storage. The pages imitated Google CAPTCHA prompts and coaxed users into running a malicious payload. Once inside, the attackers used Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint defenses and planted multiple SOCKS proxy instances across system directories to hide command-and-control (C2) traffic. They also abused legitimate remote monitoring and management (RMM) platforms, including ATERA Networks and ScreenConnect, for command execution, with Splashtop used for the final ransomware deployment.
A key element of the intrusion was the targeted theft of credentials from Veeam backup infrastructure. The attackers used dedicated credential extraction tools to pull credentials from several backup databases, compromising the organization's disaster recovery capability before the ransomware was launched. Disabling defenses and removing recovery options together reflect a calculated strategy to maximize the chance of successful encryption and a ransom payment.
Since January 2025, Agenda has affected more than 700 victims across 62 countries, concentrated in the United States, France, Canada, and the United Kingdom. Manufacturing, technology, financial services, and healthcare are the hardest-hit sectors, industries where downtime and data loss carry immediate operational cost and therefore pressure to pay. The group's willingness to hit critical infrastructure, including healthcare facilities and public sector entities, shows that it prioritizes financial gain over societal impact.
This attack follows a similar incident observed in June 2025, where MeshAgent and MeshCentral were used for deployment. The shift to WinSCP and Splashtop demonstrates the group's adaptability and continuous refinement of its tactics. The use of legitimate tools and cross-platform execution methods makes detection significantly more challenging for traditional security controls.
Trend Micro recommends that enterprises limit the use of remote access tools to authorized hosts, continuously monitor for unusual activity, and ensure that EDR solutions are configured to detect Linux binaries executing through remote management channels. The company's Trend Vision One platform detects and blocks the specific indicators of compromise (IoCs) mentioned in the report and offers hunting queries and threat intelligence related to Agenda ransomware.
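The detection the recommendation above calls for, and the technique described at the top of the article, can be prototyped against ordinary endpoint telemetry. The following Python script is an added example written for this article, not code from Trend Micro or from the report. It does two things: it checks files staged on a Windows host for the ELF magic bytes that mark a Linux executable, and it flags process-creation events whose parent is a remote management or file-transfer agent and whose child image either is not a Windows executable or lives in a user-writable staging directory. The agent process names, the staging paths, and the Sysmon-style event records are assumptions constructed for illustration, not indicators from the report.

```python
"""Hunt for Linux ELF payloads staged and launched through remote-management tools on Windows.

Added example; the process names, paths and events below are constructed for illustration.
"""
import json
import ntpath
from typing import Optional

ELF_MAGIC = b"\x7fELF"

# Parent processes treated as remote-management or file-transfer channels.
# Assumed names for illustration; tune to the agents actually deployed.
RMM_PARENTS = {
    "srmanager.exe",                    # Splashtop streamer (assumed name)
    "screenconnect.clientservice.exe",  # ScreenConnect agent (assumed name)
    "ateraagent.exe",                   # ATERA agent (assumed name)
    "winscp.exe",                       # WinSCP file transfer (assumed name)
}

# Directories writable without elevation; a binary launched from here by an RMM agent deserves a look.
STAGING_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample: first bytes of three files an RMM/WinSCP session dropped on the host.
SAMPLE_FILES = {
    r"C:\Users\Public\agenda": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,   # ELF64, little-endian
    r"C:\Users\Public\update.exe": b"MZ\x90\x00\x03\x00\x00\x00",           # ordinary PE header
    r"C:\Users\Public\notes.txt": b"Quarterly backup schedule\n",
}

# Constructed sample: Sysmon-style process-creation events (EventID 1).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\agenda",
     "ParentImage": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\svc.exe",
     "ParentImage": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def parse_elf_ident(data: bytes) -> Optional[dict]:
    """Return ELF class and byte order from the e_ident bytes, or None if the data is not ELF."""
    if len(data) < 6 or data[:4] != ELF_MAGIC:
        return None
    elf_class = {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown")
    endian = {1: "little", 2: "big"}.get(data[5], "unknown")
    return {"class": elf_class, "endian": endian}


def scan_dropped_files(files: dict) -> list:
    """files maps path -> leading bytes. Return the paths that carry an ELF header."""
    hits = []
    for path, head in files.items():
        ident = parse_elf_ident(head)
        if ident:
            hits.append({"path": path, **ident})
    return hits


def flag_rmm_children(events: list) -> list:
    """Flag process creations spawned by an RMM/file-transfer parent when the child
    image lacks a Windows executable extension or sits in a staging directory."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if parent not in RMM_PARENTS:
            continue
        image = ev.get("Image", "")
        image_l = image.lower()
        _, ext = ntpath.splitext(image_l)
        reasons = []
        if ext not in (".exe", ".dll", ".com"):
            reasons.append("non-PE image launched by RMM parent")
        if image_l.startswith(STAGING_PREFIXES):
            reasons.append("image in user-writable staging directory")
        if reasons:
            flagged.append({"image": image, "parent": parent, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print(json.dumps({"elf_files": scan_dropped_files(SAMPLE_FILES),
                      "suspicious_rmm_children": flag_rmm_children(SAMPLE_EVENTS)}, indent=2))
```

On the constructed sample the file scan reports only `agenda` as ELF64, and the process rule flags `agenda` (non-PE image in a staging directory, spawned by Splashtop) and `svc.exe` (staging directory, spawned by ATERA) while leaving the ScreenConnect-launched `cmd.exe` alone; a real deployment would add the allow-list of expected administrative children and the WinSCP write events so that the file check runs on the path the transfer actually wrote.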
The emergence of cross-platform ransomware deployment highlights a broader trend in the threat landscape, where attackers increasingly leverage legitimate tools and hybrid environments to bypass security controls. Organizations must urgently reassess their security posture to account for these unconventional attack vectors and implement enhanced monitoring of remote management tools and backup system access.