Agenda Ransomware Deploys Linux Variant on Windows for Stealth Attack
Trend Research has detailed a new wave of attacks carried out by the Agenda ransomware group, which has developed the ability to execute a Linux variant of its encryptor within Windows-based environments. This tactic enables the attackers to bypass traditional defenses focused solely on Microsoft platforms, significantly complicating the detection of malicious activity within hybrid infrastructures.
In several major incidents, the attackers leveraged legitimate remote administration tools, using WinSCP to transfer binaries and Splashtop to launch them on target machines, thereby disguising their malicious operations as routine IT tasks. In parallel, they employed Bring Your Own Vulnerable Driver (BYOVD) techniques, loading vulnerable kernel drivers to disable antivirus software, and deployed SOCKS proxies within the directories of trusted applications to conceal their command-and-control channels and data exfiltration routes.
The attack also involved meticulous credential harvesting. The adversaries specifically targeted Veeam backup infrastructure, extracting credentials from backup databases and effectively neutralizing recovery mechanisms. For lateral movement, they utilized modified PuTTY clients and remote monitoring and management (RMM) agents, including ATERA and ScreenConnect, establishing multiple, difficult-to-trace access vectors. The result was a cross-platform threat capable of compromising both Windows and Linux nodes within the same environment.
The report’s authors emphasize that such tactics necessitate a fundamental reevaluation of monitoring strategies. Restricting RMM agent access, hardening commonly targeted hosts, safeguarding backup credentials, and continuously auditing for anomalous activity can help mitigate the risk. Above all, organizations should prioritize privilege management and backup integrity protection as essential pillars of a proactive defense strategy.
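The two behaviours that make this campaign stand out on a Windows host are a Linux ELF binary landing on disk and a remote-administration tool (WinSCP, Splashtop, ScreenConnect, ATERA) being the process that starts it. The following detection sketch is an added example, not code from Trend Research or from any vendor: it correlates those two signals over constructed JSON telemetry. The event field names, the Splashtop executable name and the sample file paths are assumptions for illustration; map them to what your own EDR records.

```python
"""Added detection sketch: correlate Linux ELF files appearing on Windows hosts
with launches by remote-administration tools. Event lines are constructed JSON;
the field names are assumptions, not a vendor schema."""
import json
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

ELF_MAGIC = b"\x7fELF"
E_MACHINE = {0x03: "i386", 0x3E: "x86-64", 0xB7: "aarch64"}
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")

# Remote-administration tools the report says were abused as launchers. Substrings are
# matched against the parent image name; tune them to the names your EDR actually records.
REMOTE_LAUNCHERS = ("splashtop", "screenconnect", "atera", "winscp")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def describe_elf(head: bytes) -> Optional[str]:
    """Return e.g. 'ELF64 LE x86-64' if `head` starts with an ELF header, else None.
    Reads e_ident[EI_CLASS] (byte 4), e_ident[EI_DATA] (byte 5) and e_machine (bytes 18-19)."""
    if len(head) < 20 or head[:4] != ELF_MAGIC:
        return None
    bits = {1: "ELF32", 2: "ELF64"}.get(head[4], "ELF?")
    little = head[5] == 1
    (machine,) = struct.unpack(("<" if little else ">") + "H", head[18:20])
    return f"{bits} {'LE' if little else 'BE'} {E_MACHINE.get(machine, hex(machine))}"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(lines) -> List[Finding]:
    """Rule 1: an ELF header written to a Windows path.
    Rule 2: a remote-admin tool later starting a process from a path flagged by rule 1
    on the same host (a plain 'RMM spawned something' rule would be far noisier)."""
    findings: List[Finding] = []
    elf_on_host = set()  # (host, lowercase path) pairs seen by rule 1
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the scan
        host, kind = ev.get("host", "?"), ev.get("type")
        if kind == "file_write" and WINDOWS_PATH.match(ev.get("path", "")):
            try:
                desc = describe_elf(bytes.fromhex(ev.get("head", "")))
            except ValueError:  # non-hex 'head' field
                desc = None
            if desc:
                elf_on_host.add((host, ev["path"].lower()))
                findings.append(Finding(host, "elf_written_on_windows", f"{ev['path']} is {desc}"))
        elif kind == "process_start":
            parent, image = _basename(ev.get("parent_image", "")), ev.get("image", "")
            if any(t in parent for t in REMOTE_LAUNCHERS) and (host, image.lower()) in elf_on_host:
                findings.append(Finding(host, "remote_tool_launched_elf", f"{parent} -> {image}"))
    return findings


# Constructed sample telemetry (not real logs). 'head' holds the first 20 bytes of the file as
# hex; the Splashtop streamer image name is an assumption for this example.
SAMPLE_EVENTS = [
    r'{"host":"WS01","type":"file_write","path":"C:\\Users\\Public\\enc","head":"7f454c4602010100000000000000000002003e00"}',
    r'{"host":"WS01","type":"file_write","path":"C:\\Windows\\System32\\notepad.exe","head":"4d5a90000300000004000000ffff0000b8000000"}',
    r'{"host":"WS01","type":"process_start","parent_image":"C:\\Program Files\\Splashtop\\splashtop_streamer.exe","image":"C:\\Windows\\System32\\cmd.exe"}',
    r'{"host":"WS01","type":"process_start","parent_image":"C:\\Program Files\\Splashtop\\splashtop_streamer.exe","image":"C:\\Users\\Public\\enc"}',
    r'{"host":"WS02","type":"process_start","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Users\\Public\\enc"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Run against the constructed events, the scan raises exactly two findings on WS01: the ELF64 x86-64 file written under `C:\Users\Public`, and the Splashtop process starting that same file. The `cmd.exe` launch from Splashtop and the `explorer.exe` launch on WS02 stay silent, which is the point of correlating the two rules instead of alerting on every RMM child process.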