{
	"id": "e809d9a7-dcb2-4b4f-b63d-06633f940e2a",
	"created_at": "2026-04-29T02:20:37.01005Z",
	"updated_at": "2026-04-29T08:22:20.566495Z",
	"deleted_at": null,
	"sha1_hash": "2255ca9c734d2bc4a7ae000766936a05e538d27e",
	"title": "Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1048690,
	"plain_text": "Agenda Ransomware Deploys Linux Variant on Windows Systems\r\nThrough Remote Management Tools and BYOVD Techniques\r\nPublished: 2025-10-23 · Archived: 2026-04-29 02:11:45 UTC\r\nRansomware\r\nTrend™ Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows\r\nsystems. This cross-platform execution can make detection challenging for enterprises.\r\nBy: Jacob Santos, Junestherry Dela Cruz, Sarah Pearl Camiling, Sophia Nilette Robles, Maristel Policarpio,\r\nRaymart Yambot Oct 23, 2025 Read time: 11 min (2930 words)\r\nKey takeaways:\r\nTrend™ Research identified the Agenda ransomware group, known as Qilin, deploying a Linux-based\r\nransomware binary on Windows hosts by abusing legitimate remote management and file transfer tools.\r\nThe cross-platform execution sidesteps Windows-centric detections and security solutions, including\r\nconventional endpoint detection and response platforms.\r\nThe technique enables low-noise operations that can disable recovery options through the targeted theft of\r\nbackup credentials and neutralize endpoint defenses via BYOVD attack.\r\nAgenda has affected more than 700 victims across 62 countries since January 2025, primarily targeting\r\norganizations in developed markets and high-value industries. Most victims were in the United States,\r\nFrance, Canada, and the United Kingdom, with manufacturing, technology, financial services, and\r\nhealthcare among the hardest hit.\r\nAny environment that uses remote access platforms, centralized backup solutions, or hybrid\r\nWindows/Linux infrastructures could be at risk. Enterprises are encouraged to limit the use of remote\r\naccess tools to authorized hosts and continuously monitor for unusual activity.\r\nTrend Vision One™ detects and blocks the specific IoCs mentioned in this blog, and offers customers\r\naccess to hunting queries, threat insights, and intelligence reports related to Agenda ransomware. 
For more\r\nsecurity best practices, see the guidance below.\r\nTrend™ Research identified a sophisticated ransomware attack by the Agenda group that deployed their Linux\r\nransomware variant on Windows systems. This follows a similar attack observed last June 2025, where\r\nMeshAgent and MeshCentral were used for deployment. In this recent incident, the threat actors utilized a novel\r\ndeployment method combining WinSCP for secure file transfer and Splashtop Remote for executing the Linux\r\nransomware binary on Windows machines.\r\nThe attack chain demonstrated advanced techniques including usage of Bring Your Own Vulnerable Driver\r\n(BYOVD) for defense evasion and deployment of multiple SOCKS proxy instances across various system\r\nhttps://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html\r\nPage 1 of 16\n\ndirectories to obfuscate command-and-control (C\u0026C) traffic. The attackers abused legitimate tools, specifically\r\ninstalling AnyDesk through ATERA Networks’ remote monitoring and management (RMM) platform and\r\nScreenConnect for command execution. They abused Splashtop for the final ransomware execution. They specifically\r\ntargeted Veeam backup infrastructure using specialized credential extraction tools, systematically harvesting\r\ncredentials from multiple backup databases to compromise the organization’s disaster recovery capabilities before\r\ndeploying the ransomware payload.\r\nThis attack challenges traditional Windows-focused security controls. 
The deployment of Linux ransomware on\r\nWindows systems demonstrates how threat actors are adapting to bypass endpoint detection systems not\r\nconfigured to detect or prevent Linux binaries executing through remote management channels.\r\nThe combination of BYOVD techniques, fake CAPTCHA social engineering, and the strategic targeting of backup\r\ninfrastructure shows an approach of ensuring successful ransomware deployment while eliminating recovery\r\noptions. The use of legitimate tools and cross-platform execution methods makes detection significantly more\r\nchallenging. Organizations must urgently reassess their security posture to account for these unconventional attack\r\nvectors and implement enhanced monitoring of remote management tools and backup system access.\r\nImpact and victimology\r\nAgenda emerged as one of the top ransomware groups in 2025, demonstrating unprecedented operational tempo\r\nand global reach. Analysis of their data leak site since January reveals a ransomware-as-a-service (RaaS) operation\r\nthat systematically targeted organizations across economically developed nations, with a particular focus on the\r\nUnited States, Western Europe, and Japan. 
The victimology pattern shows opportunistic targeting across multiple\r\nhigh-value sectors, particularly manufacturing, technology, financial services, and healthcare — industries\r\ncharacterized by operational sensitivity, data criticality, and higher likelihood of ransom payment.\r\nThe group’s willingness to target critical infrastructure, including healthcare facilities and public sector entities,\r\nemphasizes their lack of ethical constraints and prioritization of financial gain over potential societal impact.\r\nFigure 1 illustrates the geographic and sectoral distribution of Agenda’s 2025 victims as documented on their data\r\nleak site, providing a visual representation of the threat actor's extensive global reach and multi-industry impact.\r\nAttack chain\r\nInitial Access\r\nWe identified that multiple endpoints within the compromised environment had connected to malicious fake\r\nCAPTCHA pages hosted on Cloudflare R2 storage infrastructure. These pages presented convincing replicas of\r\nlegitimate Google CAPTCHA verification prompts:\r\nhxxps://pub-959ff112c2eb41ce8f7b24e38c9b4f94[.]r2[.]dev/Google-Captcha-Continue-Latest-J-KL-3[.]html\r\nhxxps://pub-2149a070e76f4ccabd67228f754768dc[.]r2[.]dev/I-Google-Captcha-Continue-Latest-27-L-1[.]html\r\nFigure 3. 
Screenshot of the webpage hosted on Cloudflare R2, displaying a fake Google CAPTCHA\r\nverification prompt designed to trick users into executing malicious commands\r\nAnalysis of the embedded obfuscated JavaScript within these fake CAPTCHA pages revealed a multistage\r\npayload delivery system that initiated downloads from secondary command-and-control servers:\r\n45[.]221[.]64[.]245/mot/\r\n104[.]164[.]55[.]7/231/means.d\r\nWe assess that the threat actors likely initiated their attack campaign through a sophisticated social engineering\r\nscheme involving these fake CAPTCHA pages. The pages appear to have delivered information stealers to the\r\ncompromised endpoints, which subsequently harvested authentication tokens, browser cookies, and stored\r\ncredentials from the infected systems. The presence of valid credentials used throughout the attack chain strongly\r\nsuggests that these stolen credentials provided the Agenda threat actors with the valid accounts necessary for their\r\ninitial access into the environment. This assessment is further supported by the attackers’ ability to bypass\r\nmultifactor authentication (MFA) and move laterally using legitimate user sessions, indicating they possessed\r\nharvested credentials rather than relying on traditional exploitation techniques.\r\nPrivilege Escalation\r\nThe attackers deployed a SOCKS proxy DLL to facilitate remote access and command execution. This proxy was\r\nloaded directly into memory using Windows’ legitimate rundll32.exe process, making detection more difficult.\r\n |── C:\\Windows\\System32\\cmd.exe\r\n└── C:\\Windows\\System32\\rundll32.exe\r\n└── rundll32.exe socks64.dll,rundll\r\n└── C:\\ProgramData\\Veeam\\socks64.dll\r\nA backdoor administrative account named “Supportt” was created to ensure persistent elevated access. 
This\r\naccount name was likely chosen to blend in with legitimate support accounts commonly found in enterprise\r\nenvironments.\r\nnet user Supportt ***** /add\r\nnet localgroup Administrators Supportt /add\r\nThe legitimate administrator account password was also reset to maintain control and prevent legitimate\r\nadministrators from regaining access.\r\nnet user Administrator *****\r\nDiscovery\r\nExtensive reconnaissance was conducted to map the network infrastructure. The attackers abused ScreenConnect’s\r\nlegitimate remote management capabilities to execute discovery commands through temporary command scripts,\r\nsystematically enumerating domain trusts and identifying privileged accounts while appearing as normal\r\nadministrative activity:\r\nnltest /domain_trusts\r\nnet group \"domain admins\" /domain\r\nNetwork scanning tools were deployed across multiple locations to discover additional systems, services, and\r\npotential lateral movement targets. The NetScan utility was executed from both the Desktop and Documents\r\nfolders to perform comprehensive network enumeration.\r\nC:\\Users\\Administrator.\u003cREDACTED\u003e\\Desktop\\netscan.exe\r\nC:\\Users\\Administrator.\u003cREDACTED\u003e\\Documents\\netscan.exe\r\nRemote management tools were strategically installed through legitimate RMM platforms to blend with normal IT\r\noperations. ATERA Networks’ agent was leveraged to deploy AnyDesk version 9.0.5, while ScreenConnect\r\nprovided an additional command execution vector. 
This dual-RMM approach provided the attackers with\r\nredundant remote access capabilities that appeared legitimate to security monitoring systems, allowing them to\r\nmaintain persistent access even if one tool was discovered and removed.\r\nCredential Access\r\nThe attackers specifically targeted Veeam backup infrastructure to harvest credentials, recognizing that backup\r\nsystems often store credentials for accessing multiple systems across the enterprise. PowerShell scripts were\r\nexecuted with base64-encoded payloads to extract and decrypt stored credentials from Veeam databases, via\r\npowershell.exe -e [base64-encoded payload].\r\nWhen decoded, these scripts revealed systematic targeting of multiple Veeam backup databases, each containing\r\ncredentials for different segments of the infrastructure:\r\nSQL Database Queries:\r\nSELECT [user_name], [password] FROM [VeeamBackup].[dbo].[Credentials]\r\nTargeted tables: Credentials, BackupRepositories, WinServers\r\nCompromised Account Types:\r\nDomain administrator accounts: DOMAIN\\admin-***, DOMAIN\\da-backup-***\r\nService accounts: svc-sql-***, DOMAIN\\veeam-svc-***, svc-exchange-***\r\nLocal administrators: SERVER01\\Administrator, SERVER02\\localadmin\r\nScript Details:\r\nDecryption key found in script: 0jmz9Hrgy08rc0XrNpQ***[REDACTED]***\r\nAffected systems: Domain controllers, Exchange servers, SQL databases, file servers, backup repositories\r\nThis approach provided the attackers with a comprehensive set of credentials for remote systems, domain\r\ncontrollers, and critical servers stored within the backup infrastructure.\r\nDefense Evasion\r\nThe attackers deployed sophisticated anti-analysis tools to evade security solutions. 
Further probing confirmed that\r\nboth 2stX.exe and Or2.exe utilize the eskle.sys driver for anti-AV capabilities through a BYOVD attack:\r\nC:\\Users\\Administrator.\u003cREDACTED\u003e\\Downloads\\2stX.exe\r\nC:\\Users\\Administrator.\u003cREDACTED\u003e\\Downloads\\Or2.exe\r\nC:\\Users\\Administrator.\u003cREDACTED\u003e\\Downloads\\2stX\\eskle.sys\r\nThe eskle.sys driver was utilized to disable security solutions, terminate processes, and evade detection. Although\r\nthese files could have been downloaded or copied onto the machine earlier, the origin of the eskle.sys driver is\r\nunclear. Its digital signature lists the vendor as “拇指世界（北京）网络科技有限公” (translated: Thumb World\r\n(Beijing) Network Technology Co., Ltd.), which appears to be associated with the game.bb site. The driver likely\r\nbelongs to a game-related package and is commonly used by cheat developers to evade anti-cheat systems;\r\nhowever, it could also be repurposed by advanced persistent threat actors.\r\nThe eskle.sys driver forcibly stops programs by creating a handle to the target process, starting a new thread to run\r\na termination routine, and cleaning up the handle. This enables it to disable security software, disrupt system\r\noperations, and maintain persistence.\r\nAn additional component named msimg32.dll was identified in our internal telemetry alongside relations to\r\nThrottleStop.sys. 
Further analysis through controlled testing revealed that msimg32.dll functions as a dropper that\r\ndeploys two driver files when executed:\r\nC:\\Users\\Administrator.\u003cREDACTED\u003e\\Downloads\\msimg32.dll\r\nUpon successful execution, the following drivers were dropped:\r\n%TEMP%\\rwdrv.sys\r\n%TEMP%\\hlpdrv.sys\r\nThis connection is significant, as both rwdrv.sys and hlpdrv.sys have been previously documented in Akira\r\ncampaigns for gaining kernel-level access and potentially terminating traditional endpoint detection and response\r\n(EDR) solutions. Analysis revealed that msimg32.dll employs a DLL sideloading technique, requiring a legitimate\r\nhost executable for proper execution. The DLL failed to load through standard methods like regsvr32 or rundll32.\r\nHowever, testing confirmed successful loading when placed alongside compatible binaries, such as\r\nFoxitPDFReader.exe, which imports msimg32.dll as a dependency. Upon execution, the application loads the\r\nmalicious DLL, which then drops both driver files to the system’s temporary directory, as shown in Figure 5.\r\nFigure 6. File system view showing hlpdrv.sys and rwdrv.sys dropped by msimg32.dll in the\r\nWindows Temp directory after DLL sideloading execution\r\nAdditionally, we observed and analyzed three other executables (cg6.exe, 44a.exe, aa.exe) that were identified as\r\npotential anti-AV tools based on their behavioral patterns and code similarities. Analysis revealed that these\r\nexecutables contain driver-loading routines and process manipulation capabilities consistent with BYOVD\r\ntechniques. 
These tools are suspected to utilize a different vulnerable driver (fnarw.sys), though definitive\r\nconfirmation remains pending as the driver was unavailable for complete analysis:\r\nC:\\Users\\\u003cREDACTED\u003e\\Desktop\\cg6.exe\r\nC:\\Users\\\u003cREDACTED\u003e\\Desktop\\44a.exe\r\nC:\\Users\\\u003cREDACTED\u003e\\Desktop\\aa.exe\r\nLateral Movement\r\nMultiple PuTTY SSH clients were systematically deployed on compromised systems to facilitate lateral\r\nmovement to Linux systems within the environment. The attackers staged these tools with different filenames but\r\nidentical functionality:\r\nC:\\Users\\\u003cREDACTED\u003e\\Desktop\\test.exe\r\nC:\\Users\\\u003cREDACTED\u003e\\Desktop\\1.exe\r\nC:\\Users\\\u003cREDACTED\u003e\\Desktop\\2.exe\r\nC:\\Users\\\u003cREDACTED\u003e\\Desktop\\3.exe\r\nThese renamed PuTTY executables enabled the attackers to establish SSH connections to Linux infrastructure,\r\nexpanding their reach beyond Windows systems and demonstrating the cross-platform nature of the attack.\r\nFigure 7. PuTTY SSH client interface, deployed under various filenames (e.g., test.exe, 1.exe,\r\n2.exe, 3.exe) on compromised systems\r\nCommand and Control\r\nThe threat actors established a C\u0026C infrastructure through the deployment of multiple SOCKS proxy instances,\r\nidentified as COROXY backdoor. These proxies were systematically placed across various system directories to\r\ncreate a distributed network of communication channels that obfuscated malicious traffic patterns and evaded\r\nnetwork monitoring solutions.\r\nThe attackers positioned these SOCKS proxies in directories associated with legitimate enterprise software,\r\nincluding Veeam backup solutions, VMware virtualization infrastructure, and Adobe applications. 
This placement\r\nstrategy served a dual purpose: blending malicious C\u0026C traffic with normal application communications while\r\nexploiting the trust typically afforded to these well-known software vendors in enterprise environments.\r\nC:\\ProgramData\\Veeam\\socks64.dll\r\nC:\\ProgramData\\USOShared\\socks64.dll\r\nC:\\ProgramData\\VMware\\logs\\socks64.dll\r\nC:\\ProgramData\\Adobe\\socks64.dll\r\nC:\\ProgramData\\Veeam\\Backup\\OracleLogBackup\\socks64.dll\r\nThe distributed nature of this SOCKS proxy deployment provided the attackers with redundant communication\r\nchannels, ensuring persistent C\u0026C capabilities even if individual proxies were discovered and removed. Each\r\nproxy instance functioned as an independent tunnel for encrypted communications, allowing the threat actors to\r\nmaintain remote access, exfiltrate data, and orchestrate subsequent attack stages while remaining concealed within\r\nlegitimate network traffic flows.\r\nImpact\r\nThe final ransomware deployment showcased cross-platform execution. 
WinSCP was utilized for secure file\r\ntransfer of the Linux ransomware binary to the Windows system:\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Programs\\WinSCP\\WinSCP.exe\r\n└── C:\\Users\\\u003cREDACTED\u003e\\Desktop\\mmh_linux_x86-64.filepart\r\n└── C:\\Users\\\u003cREDACTED\u003e\\Desktop\\mmh_linux_x86-64\r\nUnique to the technique was the use of Splashtop Remote’s management service (SRManager.exe) to execute the\r\nLinux ransomware binary directly on Windows systems:\r\nC:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRManager.exe\r\n└── C:\\Users\\\u003cREDACTED\u003e\\Desktop\\mmh_linux_x86-64\r\nTo execute the Linux binary on Windows systems, the attackers likely enabled Windows Subsystem for Linux\r\n(WSL), which allows native Linux executables to run directly on Windows without requiring a full virtual\r\nmachine. They may have enabled WSL through automated scripts or manually installed it via PowerShell or\r\ncommand line, ensuring the environment was ready for running Linux-based malware. Through the remote access\r\nprovided by Splashtop, they could then deploy and execute the Linux ransomware binary within the WSL\r\nenvironment.\r\nThis unconventional approach appears to combine legitimate remote management tools with WSL to deploy\r\ncross-platform malware, potentially evading traditional Windows-focused security controls. The execution method\r\nis significant, as most endpoint detection systems might not be configured to monitor Linux binaries being\r\nexecuted through WSL, especially when initiated via legitimate remote management tools. 
The Linux ransomware\r\nbinary possibly provided cross-platform capability, allowing the attackers to impact both Windows and Linux\r\nsystems within the environment using a single payload.\r\nLinux variant ransomware analysis\r\nAnalysis of the Linux ransomware binary revealed an advanced cross-platform payload with extensive\r\nconfiguration capabilities and platform-specific targeting.\r\nFigure 8. Ransom note extracted from the binary\r\nThe ransomware deployed a standard Agenda ransom note threatening data publication and providing victim-specific credentials for negotiation. The note included the file extension and the domain/login/password fields for\r\naccessing the threat actors’ communication portal.\r\nFigure 9. Command-line parameters\r\nThe binary implemented comprehensive command-line options including debug mode (-d), logging levels (-l),\r\npath specifications (-p), whitelist configurations, and encryption control parameters. Notable features included\r\ntimer delays (-t) for delayed execution and a “yes” mode (-y) for automated operation without user prompts,\r\nindicating operational maturity.\r\nFigure 10. Screenshot showing how the application outputs its configuration to the console upon\r\nlaunch; a password must also be provided\r\nExecution required password authentication and displayed verbose configuration output including whitelisted\r\nprocesses, file extension blacklists, and path exclusions. 
The configuration showed extensive targeting of VMware\r\nESXi paths (/vmfs/, /dev/, /lib64/) while excluding critical system directories, demonstrating hypervisor-focused\r\ndeployment strategies.\r\nFigure 11. OS detection from previous variants\r\nEarlier variants implemented OS detection for FreeBSD, VMkernel (ESXi), and standard Linux distributions,\r\nenabling platform-specific encryption behavior, as shown in Figure 13.\r\nFigure 12. Recent sample with added OS checking for Nutanix\r\nUpdated samples incorporated Nutanix AHV detection, expanding targeting to include hyperconverged\r\ninfrastructure platforms. This demonstrated the threat actors’ adaptation to modern enterprise virtualization\r\nenvironments beyond traditional VMware deployments.\r\nFigure 13. Old sample with its logging routine\r\nFigure 14. New sample with minor modification in its logging routine\r\nComparison of logging routines revealed incremental improvements in error handling, with newer variants\r\nimplementing enhanced file operation logging and fallback mechanisms for failed log file creation. The\r\nmodifications included additional error messages and improved diagnostic output for troubleshooting deployment\r\nissues. 
The Linux variant’s advanced capability, combined with cross-platform deployment via Splashtop Remote,\r\nrepresented significant tactical evolution targeting hybrid infrastructure environments.\r\nSecurity best practices\r\nThis Agenda attack shows how ransomware operators are further weaponizing legitimate IT tools and hybrid\r\nenvironments to quietly bypass conventional security. Defenses must address operational blind spots and\r\nstrengthen visibility and control over critical assets. Here are some best practices:\r\nSecure remote access and RMM tools. Limit RMM platforms to authorized management hosts and\r\nenforce MFA. Monitor for abnormal activity, such as logins outside business hours or lateral movement\r\nbetween unexpected endpoints. Consider restricting what applications or scripts are allowed to run on\r\nspecific systems to reduce the risk of abusing legitimate binaries for malicious activity.\r\nHarden the backup infrastructure. The attackers targeted backup systems to steal credentials and disable recovery.\r\nSegment backup networks, enforce the principle of least privilege, rotate admin credentials as needed, and\r\nmonitor for the suspicious use of administrative tools such as PowerShell or SQL queries interacting with\r\nbackup credentials. Consider token or account revocation mechanisms to contain compromise if credentials\r\nare exposed.\r\nAccount for detecting BYOVD and cross-platform threats. BYOVD attacks involve threat actors\r\ninstalling legitimate but vulnerable drivers to escalate privileges, disable security controls, or hide activity.\r\nThese are risky because they exploit trusted components, often bypassing traditional AV/EDR. Monitor for\r\nunsigned or unexpected driver loads, DLL sideloading, and Linux binary execution on Windows through\r\nremote tools. 
Expand detection rules to cover payloads not native to the system.\r\nExtend visibility across hybrid environments. Ensure that the organization’s EDR and SOC playbooks\r\ninclude both Windows and Linux telemetry and actively monitor internal lateral movement to detect early\r\nstages of hybrid ransomware attacks.\r\nProtect credentials and access tokens. Apply phishing-resistant MFA, strengthen conditional access\r\npolicies, and monitor for abnormal use of privileged accounts or tokens.\r\nProactive Security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk\r\nexposure management and security operations, delivering robust layered protection across on-premises, hybrid,\r\nand multi-cloud environments.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which\r\nprovides the latest insights from Trend™ Research on emerging threats and threat actors.\r\nTrend Vision One Threat Insights\r\nThreat Actors: Water Galura\r\nEmerging Threats: Agenda Ransomware Deploys Linux Variant on Windows Systems through Remote\r\nManagement Tools and BYOVD Techniques\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nAgenda Ransomware Deploys Linux Variant on Windows Systems through Remote Management Tools and\r\nBYOVD Techniques\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.
\r\nOutbound Connection to Suspicious Remote Host on Port 4396 - Agenda Ransomware\r\neventSubId: 204 AND dst: 146.70.104.163 AND dpt: 4396 AND LogType: detection\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.\r\nIndicators of Compromise\r\nIndicators of compromise can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html"
	],
	"report_names": [
		"agenda-ransomware-deploys-linux-variant-on-windows-systems.html"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-29T06:58:56.786897Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-29T06:58:57.756962Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "466e2ca5-1e92-49a6-8b6e-4a0ef8ede5de",
			"created_at": "2025-10-29T02:00:52.027586Z",
			"updated_at": "2026-04-29T06:58:57.878304Z",
			"deleted_at": null,
			"main_name": "Water Galura",
			"aliases": [
				"Water Galura",
				"GOLD FEATHER"
			],
			"source_name": "MITRE:Water Galura",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "016f38de-9fb8-4e7a-9422-bee62c008839",
			"created_at": "2024-06-19T02:03:08.04408Z",
			"updated_at": "2026-04-29T06:58:57.619513Z",
			"deleted_at": null,
			"main_name": "GOLD FEATHER",
			"aliases": [
				"Water Galura "
			],
			"source_name": "Secureworks:GOLD FEATHER",
			"tools": [
				"Qilin"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777429237,
	"ts_updated_at": 1777450940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2255ca9c734d2bc4a7ae000766936a05e538d27e.pdf",
		"text": "https://archive.orkl.eu/2255ca9c734d2bc4a7ae000766936a05e538d27e.txt",
		"img": "https://archive.orkl.eu/2255ca9c734d2bc4a7ae000766936a05e538d27e.jpg"
	}
}