Concise Cyber
Qilin Ransomware Escalates Attacks with Linux Payload and BYOVD Exploit

The ransomware group known as Qilin, which also operates under the aliases Agenda, Gold Feather, and Water Galura, has intensified its operations by employing a hybrid attack strategy. This method combines a Linux payload with a Bring Your Own Vulnerable Driver (BYOVD) exploit. Active since approximately July 2022, the ransomware-as-a-service (RaaS) operation has emerged as one of the most active threat groups of 2025.

Qilin’s Prolific Campaign in 2025

Qilin’s data leak site reveals a significant surge in activity throughout 2025. The group claimed over 40 victims every month of the year, with the exception of January. This activity reached a peak in June with 100 posted cases and remained high with 84 victims documented in both August and September. According to data compiled by Cisco Talos, Qilin’s campaigns have disproportionately affected specific countries and sectors. The most impacted nations include the U.S., Canada, the U.K., France, and Germany. The attacks have primarily targeted the manufacturing sector, which accounts for 23% of victims, followed by professional and scientific services at 18%, and wholesale trade at 10%.

Initial Access and Attack Methodology

The initial access vector for attacks conducted by Qilin affiliates is the use of leaked administrative credentials. These credentials, obtained from the dark web, are used to log in through a VPN interface. Following the initial breach, the attackers establish Remote Desktop Protocol (RDP) connections to the domain, and this foothold is then used to deploy the ransomware payload. The multi-stage process underscores the group’s methodical approach to network infiltration before the final ransomware stage, which combines the Linux-based payload with the BYOVD exploit to maximize impact and evade security measures.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/