Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques

    Date: 11/13/2025

    Severity: Critical

    Summary

    The Agenda ransomware group (also tracked as Qilin) has been observed deploying Linux-based binaries on Windows hosts through legitimate remote management and file transfer tools. This cross-platform technique evades traditional Windows-focused detections, including many EDR solutions. It supports stealthy operation: recovery is disabled with stolen backup credentials, and defenses are evaded with a BYOVD (bring your own vulnerable driver) technique. Since January 2025, Agenda has impacted over 700 victims across 62 countries, mainly in high-value sectors. The U.S., France, Canada, and the U.K. have seen the most incidents, affecting manufacturing, tech, finance, and healthcare. Organizations using remote access tools or hybrid Windows/Linux environments are urged to restrict access and monitor for anomalies.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://185.141.216.127/tr.e

    https://pub-2149a070e76f4ccabd67228f754768dc.r2.dev/I-Google-Captcha-Continue-Latest-27-L-1.html 

    https://pub-959ff112c2eb41ce8f7b24e38c9b4f94.r2.dev/Google-Captcha-Continue-Latest-J-KL-3.html 

    https://chatgptitalia.net/ 

    45.221.64.245/mot/ 

    104.164.55.7/231/means.d

    Hash (SHA-256; the same thirteen values appear in Detection Query 2 below):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://chatgptitalia.net/" or url like "https://chatgptitalia.net/" or siteurl like "https://chatgptitalia.net/" or domainname like "https://pub-2149a070e76f4ccabd67228f754768dc.r2.dev/I-Google-Captcha-Continue-Latest-27-L-1.html" or url like "https://pub-2149a070e76f4ccabd67228f754768dc.r2.dev/I-Google-Captcha-Continue-Latest-27-L-1.html" or siteurl like "https://pub-2149a070e76f4ccabd67228f754768dc.r2.dev/I-Google-Captcha-Continue-Latest-27-L-1.html" or domainname like "https://pub-959ff112c2eb41ce8f7b24e38c9b4f94.r2.dev/Google-Captcha-Continue-Latest-J-KL-3.html" or url like "https://pub-959ff112c2eb41ce8f7b24e38c9b4f94.r2.dev/Google-Captcha-Continue-Latest-J-KL-3.html" or siteurl like "https://pub-959ff112c2eb41ce8f7b24e38c9b4f94.r2.dev/Google-Captcha-Continue-Latest-J-KL-3.html" or domainname like "http://185.141.216.127/tr.e" or url like "http://185.141.216.127/tr.e" or siteurl like "http://185.141.216.127/tr.e" or domainname like "104.164.55.7/231/means.d" or url like "104.164.55.7/231/means.d" or siteurl like "104.164.55.7/231/means.d" or domainname like "45.221.64.245/mot/" or url like "45.221.64.245/mot/" or siteurl like "45.221.64.245/mot/"

    Detection Query 2:

    sha256hash IN ("16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0","15e5bf0082fbb1036d39fc279293f0799f2ab5b2b0af47d9f3c3fdc4aa93de67","e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c","5f0253f959d65c45a11b7436301ee5a851266614f811c753231d684eb5083782","c0f7c2bb04aa09dae62f0e5feeb7c9c867685abc788ae6b0e6928ad7979dbcaf","e46bde83b8a3a7492fc79c22b337950fc49843a42020c41c615b24579c0c3251","f488861f8d3d013c3eef88983de8f5f37bb014ae13dc13007b26ebbd559e356e","3dba9ba8e265faefce024960b69c1f472ab7a898e7c224145740f1886d97119f","331d136101b286c2f7198fd41e5018fcadef720ca0e74b282c1a44310a792e7f","549a1ae688edfcb2e7a254ac3aded866b378b2e829f1bb8af42276b902f475e6","454e398869e189874c796133f68a837c9b7f2190b949a8222453884f84cf4a1b","e38d4140fce467bfd145a8f6299fc76b8851a62555b5c0f825b9a2200f85017c","5fff877789223fa9810a365dfdeafe982c92f346ecd20e003319c3067becd8ba")
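    As an added illustration (not part of the Gurucul advisory or its TDIR queries), the following Python matches the advisory's URL and hash indicators against constructed log events. It normalizes both indicator and observed URL to host plus path, so scheme-less indicators such as 45.221.64.245/mot/ and observed URLs carrying a port or query string still match; a literal comparison against the whole URL string, as in Detection Query 1, would miss those. The event dict layout and the sample events are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Indicators taken from the advisory above (URLs/IPs and two of the SHA-256 hashes).
IOC_URLS = [
    "http://185.141.216.127/tr.e",
    "https://pub-2149a070e76f4ccabd67228f754768dc.r2.dev/I-Google-Captcha-Continue-Latest-27-L-1.html",
    "https://chatgptitalia.net/",
    "45.221.64.245/mot/",
    "104.164.55.7/231/means.d",
]
IOC_SHA256 = {
    "c0f7c2bb04aa09dae62f0e5feeb7c9c867685abc788ae6b0e6928ad7979dbcaf",
    "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0",
}

def normalize(url):
    """Return (host, path), lower-cased host, ignoring scheme, port, query and fragment.
    Scheme-less indicators such as '45.221.64.245/mot/' get a scheme so urlsplit parses them."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")

IOC_HOSTPATHS = [normalize(u) for u in IOC_URLS]

def url_matches(observed):
    """Return the indicator hit by the observed URL, or None. A hit needs the same host and a
    path starting with the indicator's path, so a domain indicator ('/') covers the whole host."""
    host, path = normalize(observed)
    for ioc, (ihost, ipath) in zip(IOC_URLS, IOC_HOSTPATHS):
        if host == ihost and path.startswith(ipath):
            return ioc
    return None

def scan_events(events):
    """events: dicts with optional 'url' and 'sha256' keys (assumed, constructed log format).
    Returns a list of (event_index, matched_indicator)."""
    hits = []
    for i, ev in enumerate(events):
        digest = (ev.get("sha256") or "").lower()   # hashes are matched case-insensitively
        if digest in IOC_SHA256:
            hits.append((i, digest))
        match = url_matches(ev["url"]) if ev.get("url") else None
        if match:
            hits.append((i, match))
    return hits

# Constructed sample events for a stand-alone run.
SAMPLE_EVENTS = [
    {"url": "https://chatgptitalia.net/"},
    {"url": "HTTP://45.221.64.245:8080/mot/index.php?x=1"},       # port and query, still a hit
    {"url": "https://example.invalid/I-Google-Captcha-Continue-Latest-27-L-1.html"},  # wrong host
    {"sha256": "C0F7C2BB04AA09DAE62F0E5FEEB7C9C867685ABC788AE6B0E6928AD7979DBCAF"},
    {"sha256": "0" * 64, "url": "https://www.trendmicro.com/"},   # benign
]

if __name__ == "__main__":
    for idx, ioc in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: matched {ioc}")
```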

    Reference:

    https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html


    Tags

    BYOVD, Qilin, United States, France, Canada, United Kingdom, Healthcare and Public Health, Critical Manufacturing, Financial Services, Malware, Ransomware, Agenda
