The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Gallura) has claimed more than 40 victims every month since the beginning of 2025, except January, with the number of postings on its data leak site hitting a high of 100 cases in June.
This development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, with 84 victims posted in August and September 2025. Qilin is believed to have been active since around July 2022.
According to data compiled by Cisco Talos, the US, Canada, the UK, France, and Germany are among the countries most affected by Qilin. Attacks primarily involved the manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors.
The attacks carried out by Qilin affiliates leveraged administrative credentials leaked on the dark web to gain initial access through a VPN interface, followed by RDP connections to the domain controller and the breached endpoint.
In the next phase, the attackers conducted system reconnaissance and network discovery to map the infrastructure, and executed tools such as Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd to harvest credentials from various applications, along with a Visual Basic script to send the collected data to an external SMTP server.
“Commands executed through Mimikatz targeted a range of sensitive data and system functions, including clearing the Windows event log, enabling SeDebugPrivilege, extracting saved passwords from Chrome’s SQLite database, recovering credentials from previous logons, and logging in from RDP, SSH, and Citrix, including collecting relevant credential and configuration data,” Talos said.
Further analysis revealed the threat actor’s use of mspaint.exe, Notepad.exe, and iexplore.exe to inspect files for sensitive information, as well as a legitimate tool called Cyberduck to transfer files of interest to a remote server, blending the malicious activity in with normal use.
Stolen credentials were found to enable privilege escalation and lateral movement, with the elevated access abused to install multiple remote monitoring and management (RMM) tools such as AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect. Talos said it could not conclude with certainty whether these programs were used for lateral movement.
To avoid detection, the attack chain includes executing PowerShell commands to disable AMSI, turn off TLS certificate verification, and enable Restricted Admin mode, in addition to running tools like dark-kill and HRSword to terminate security software. Cobalt Strike and SystemBC are also deployed on the host for persistent remote access.
The infection ends with the launch of the Qilin ransomware, which encrypts files and drops a ransom note in each encrypted folder, but not before erasing the event logs and deleting all shadow copies created by the Windows Volume Shadow Copy Service (VSS).
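The RMM installs, Restricted Admin change, shadow copy deletion and event log clearing described above are all visible in ordinary endpoint telemetry. The following is an added detection example, not code from the Talos report: it runs a handful of simple rules over constructed Sysmon-style process-creation (Event ID 1) and registry (Event ID 13) events plus a Security log 1102 event. The image names assumed for Distant Desktop and GoToDesk, the approved-RMM set and the sample events are all assumptions made for the example.

```python
"""Added detection example (not from the Talos report). Runs simple rules for the
post-compromise steps described in the article over constructed Sysmon-style events.
Image names for Distant Desktop / GoToDesk and the approved-RMM set are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# RMM tools named in the report, keyed by process image name (lowercase).
RMM_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "remoting_host.exe": "Chrome Remote Desktop",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "quickassist.exe": "Quick Assist",
    "distantdesktop.exe": "Distant Desktop",   # assumed image name
    "gotodesk.exe": "GoToDesk",                # assumed image name
}
# Assumption: the organisation sanctions exactly one RMM product.
APPROVED_RMM = {"ScreenConnect"}

SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]
EVENT_LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
# Setting this LSA value to 0 enables Restricted Admin mode for RDP.
RESTRICTED_ADMIN_VALUE = "\\control\\lsa\\disablerestrictedadmin"


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def image_name(path: str) -> str:
    """Lower-cased file name of a process image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Apply the rules to a list of event dicts and return the findings."""
    findings = []
    rmm_per_host = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 1:  # Sysmon: process creation
            name = image_name(ev["image"])
            cmd = ev.get("command_line", "")
            if name in RMM_TOOLS:
                tool = RMM_TOOLS[name]
                rmm_per_host[host].add(tool)
                if tool not in APPROVED_RMM:
                    findings.append(Finding(host, "unapproved_rmm", tool))
            if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
                findings.append(Finding(host, "shadow_copy_deletion", cmd))
            if EVENT_LOG_CLEAR.search(cmd):
                findings.append(Finding(host, "event_log_clear", cmd))
        elif ev["event_id"] == 13:  # Sysmon: registry value set
            target = ev["target_object"].lower()
            if target.endswith(RESTRICTED_ADMIN_VALUE) and ev["details"].endswith("0x00000000)"):
                findings.append(Finding(host, "restricted_admin_enabled", ev["target_object"]))
        elif ev["event_id"] == 1102:  # Security log: audit log was cleared
            findings.append(Finding(host, "security_log_cleared", ev.get("subject", "")))
    # Several distinct RMM products on one host is itself worth a look.
    for host, tools in rmm_per_host.items():
        if len(tools) >= 2:
            findings.append(Finding(host, "multiple_rmm_tools", ", ".join(sorted(tools))))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1, "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "command_line": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"host": "WS01", "event_id": 1,
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "command_line": "ScreenConnect.ClientService.exe"},
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "DC01", "event_id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil.exe cl Security"},
    {"host": "DC01", "event_id": 13,
     "target_object": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "details": "DWORD (0x00000000)"},
    {"host": "DC01", "event_id": 1102, "subject": r"CORP\svc_backup"},
    {"host": "WS02", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe ransom_note.txt"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:26} {f.detail}")
```

The rules are deliberately narrow string matches; in production they belong in a SIEM or EDR query language, and the `multiple_rmm_tools` rule in particular needs tuning against what the helpdesk legitimately installs.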
The findings coincide with the discovery of a sophisticated Qilin attack that deployed the group’s Linux ransomware variant on Windows systems, combining it with a bring-your-own-vulnerable-driver (BYOVD) technique and legitimate IT tools to circumvent security controls.
Trend Micro said, “The attackers misused legitimate tools, specifically Atera Networks’ Remote Monitoring and Management (RMM) platform, and installed AnyDesk via ScreenConnect for command execution. They misused Splashtop for final ransomware execution.”
“They specifically targeted the Veeam backup infrastructure using specialized credential extraction tools, systematically collecting credentials from multiple backup databases to compromise the organization’s disaster recovery capabilities before deploying the ransomware payload.”
In addition to using legitimate accounts to break into target networks, select attacks have employed spear-phishing and ClickFix-style fake CAPTCHA pages hosted on Cloudflare R2 infrastructure to trigger the execution of malicious payloads. These pages are assessed to deliver information stealers that harvest the credentials subsequently used to gain initial access.
Some of the notable steps taken by the attackers are as follows –
- Deploying a SOCKS proxy DLL to facilitate remote access and command execution
- Abusing ScreenConnect’s remote management capabilities to execute search commands and run network scanning tools to identify potential lateral movement targets
- Targeting Veeam backup infrastructure to obtain credentials
- Using the “eskle.sys” driver as part of a BYOVD attack to disable security solutions, terminate processes, and avoid detection
- Deploying the PuTTY SSH client to facilitate lateral movement to Linux systems
- Using SOCKS proxy instances in different system directories to obfuscate command-and-control (C2) traffic through the COROXY backdoor
- Using WinSCP for secure file transfer of the Linux ransomware binary to Windows systems
- Using Splashtop Remote’s management service (SRManager.exe) to execute the Linux ransomware binary directly on Windows systems
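A Linux ELF executable sitting on a Windows host is the one artefact in the list above that a normal Windows estate should almost never produce, so a file-header sweep is a cheap hunt for this staging step. The following is an added example, not code from the Trend Micro report: it recognises ELF files by their magic bytes and reads the class, endianness, type and machine fields from the header, which is enough to triage a hit. The sample paths and header bytes are constructed for the example.

```python
"""Added example (not from the Trend Micro report): flag Linux ELF executables staged
on a Windows host, the cross-platform payload pattern described in the article.
All paths and header bytes below are constructed for the example."""
import os
import struct

ELF_MAGIC = b"\x7fELF"
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
HEADER_BYTES = 64  # enough to cover e_ident, e_type and e_machine


def is_elf(data: bytes) -> bool:
    return data[:4] == ELF_MAGIC


def elf_summary(data: bytes):
    """Return class/endianness/type/machine for an ELF header, or None if not ELF."""
    if not is_elf(data) or len(data) < 20:
        return None
    bits = {1: 32, 2: 64}.get(data[4])        # EI_CLASS
    prefix = {1: "<", 2: ">"}.get(data[5])    # EI_DATA selects struct byte order
    if bits is None or prefix is None:
        return None
    e_type, e_machine = struct.unpack(prefix + "HH", data[16:20])
    return {
        "bits": bits,
        "endian": "little" if prefix == "<" else "big",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
    }


def scan_blobs(blobs):
    """blobs: iterable of (name, header_bytes). Returns [(name, summary)] for ELF hits."""
    hits = []
    for name, data in blobs:
        summary = elf_summary(data)
        if summary is not None:
            hits.append((name, summary))
    return hits


def scan_directory(root: str):
    """Walk a directory tree reading only the first HEADER_BYTES of each file."""
    def headers():
        for dirpath, _, files in os.walk(root):
            for fname in files:
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, "rb") as fh:
                        yield path, fh.read(HEADER_BYTES)
                except OSError:
                    continue
    return scan_blobs(headers())


def build_elf_header(bits=64, little_endian=True, e_type=2, e_machine=0x3E) -> bytes:
    """Constructed header for testing: only the fields this scanner reads are meaningful."""
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1 if little_endian else 2, 1]) + bytes(9)
    prefix = "<" if little_endian else ">"
    return (ident + struct.pack(prefix + "HH", e_type, e_machine)).ljust(HEADER_BYTES, b"\0")


# Constructed sample "files": one staged Linux payload among ordinary Windows content.
SAMPLE_BLOBS = [
    (r"C:\Users\Public\svc_update", build_elf_header()),
    (r"C:\Windows\System32\notepad.exe", b"MZ\x90\x00" + bytes(60)),
    (r"C:\Users\Public\readme.txt", b"nothing to see here"),
    (r"C:\Users\Public\truncated", b"\x7fELF\x02"),  # magic only, too short to parse
]

if __name__ == "__main__":
    for name, summary in scan_blobs(SAMPLE_BLOBS):
        print(name, summary)
```

Run `scan_directory` against user-writable locations and file shares rather than the whole disk to keep the sweep fast; developer workstations with WSL or cross-compilation toolchains will produce legitimate hits, so the summary fields are there to help separate a stray x86-64 `EXEC` in a public folder from a toolchain's shared objects.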
“The Linux ransomware binary provided cross-platform capability, allowing attackers to affect both Windows and Linux systems within the environment using the same payload,” Trend Micro researchers said.
“The updated samples incorporated Nutanix AHV detection, expanding targeting to include hyperconverged infrastructure platforms. This demonstrated threat actors’ adaptation to modern enterprise virtualization environments beyond traditional VMware deployments.”