Cybersecurity researchers have uncovered a sophisticated ransomware campaign where Agenda group threat actors are deploying Linux-based ransomware binaries directly on Windows systems, targeting VMware virtualization infrastructure and backup environments.
This cross-platform execution technique challenges traditional security assumptions and demonstrates how ransomware operators are adapting to bypass endpoint detection systems that primarily focus on Windows-native threats.
The attack campaign leverages a novel deployment method combining legitimate remote management tools with advanced defense evasion tactics.
Attackers utilize WinSCP for secure file transfer and Splashtop Remote for executing Linux ransomware payloads on Windows machines, creating an unconventional attack vector that sidesteps conventional security controls.
The deployment of Linux binaries through remote management channels creates detection challenges for security solutions not configured to monitor cross-platform execution.
Initial access was established through sophisticated social engineering schemes involving fake CAPTCHA pages hosted on Cloudflare R2 infrastructure.
These convincing replicas of Google CAPTCHA verification prompts delivered information stealers to compromised endpoints, systematically harvesting authentication tokens, browser cookies, and stored credentials.
The stolen credentials provided threat actors with valid accounts necessary for initial environment access, enabling them to bypass multifactor authentication and move laterally using legitimate user sessions.
Trend Micro researchers identified that the attack chain demonstrated advanced techniques including Bring Your Own Vulnerable Driver (BYOVD) for defense evasion and deployment of multiple SOCKS proxy instances across various system directories to obfuscate command-and-control traffic.
The attackers abused legitimate tools, specifically installing AnyDesk through ATERA Networks’ remote monitoring and management platform and ScreenConnect for command execution, while utilizing Splashtop for final ransomware execution.
They specifically targeted Veeam backup infrastructure using specialized credential extraction tools, systematically harvesting credentials from multiple backup databases to compromise disaster recovery capabilities before deploying the ransomware payload.
Since January 2025, Agenda has affected more than 700 victims across 62 countries, primarily targeting organizations in developed markets including the United States, France, Canada, and the United Kingdom.
The ransomware-as-a-service operation systematically targeted high-value sectors, particularly manufacturing, technology, financial services, and healthcare industries characterized by operational sensitivity, data criticality, and higher likelihood of ransom payment.
Cross-Platform Ransomware Execution Mechanism
The final ransomware deployment showcased unprecedented cross-platform execution capabilities.
The threat actors utilized WinSCP to securely transfer the Linux ransomware binary to Windows systems, placing the payload on the desktop with a .filepart extension before finalizing the transfer.
The execution method employed Splashtop Remote's management service (SRManager.exe) as the parent process that directly launched the Linux ransomware binary on the Windows host, as the following process tree shows:
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
└── C:\Users\<user>\Desktop\mmh_linux_x86-64
Analysis of the Linux ransomware binary revealed extensive configuration capabilities and platform-specific targeting.
The payload implemented comprehensive command-line parameters including debug mode, logging levels, path specifications, whitelist configurations, and encryption control parameters.
Execution required password authentication and displayed verbose configuration output including whitelisted processes, file extension blacklists, and path exclusions.
The configuration demonstrated extensive targeting of VMware ESXi paths such as /vmfs/, /dev/, and /lib64/ while excluding critical system directories, showcasing hypervisor-focused deployment strategies.
Earlier variants implemented operating system detection for FreeBSD, VMkernel (ESXi), and standard Linux distributions, enabling platform-specific encryption behavior.
Updated samples incorporated Nutanix AHV detection, expanding targeting to include hyperconverged infrastructure platforms and demonstrating the threat actors’ adaptation to modern enterprise virtualization environments beyond traditional VMware deployments.
This unconventional execution approach bypassed traditional Windows-focused security controls, as most endpoint detection systems are not configured to monitor or prevent Linux binaries being executed through legitimate remote management tools on Windows platforms.
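The process tree above and the detection gap just described suggest a simple hunt: on a Windows endpoint, a remote-management service should never be the parent of an ELF executable, and WinSCP staging a payload leaves a `.filepart` file behind. The following Python is an added example written for this article, not code from the article or from Trend Micro. It runs over a few constructed, Sysmon-style records; the record fields, the `alice` user name and the ScreenConnect and AnyDesk executable names in `RMM_PARENTS` are assumptions, while `SRManager.exe`, the Desktop path and the `.filepart` suffix come from the article.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Magic bytes that identify the executable format of the child image.
ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"

# Remote-management service processes used as execution parents. SRManager.exe
# is the one the article names; the other two are assumed client executable
# names for ScreenConnect and AnyDesk. Extend to match your environment.
RMM_PARENTS = {"srmanager.exe", "screenconnect.clientservice.exe", "anydesk.exe"}


@dataclass
class ProcessEvent:
    """Simplified process-creation record (assumed fields, not a real schema)."""
    parent_image: str
    image: str
    header: bytes  # first bytes of the child image as read from disk


@dataclass
class FileEvent:
    """Simplified file-creation record (assumed fields)."""
    image: str   # process that created the file
    target: str  # path of the created file


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def file_format(header: bytes) -> str:
    """Classify an executable by its magic bytes."""
    if header.startswith(ELF_MAGIC):
        return "elf"
    if header.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a severity for the event, or None when it is not interesting.

    high:   an RMM service launched an ELF binary (the pattern in the article)
    medium: an ELF binary ran on Windows under some other parent
    low:    an RMM service launched a non-PE image from a user profile
    """
    fmt = file_format(ev.header)
    rmm_parent = basename(ev.parent_image) in RMM_PARENTS
    in_profile = ev.image.lower().startswith("c:\\users\\")
    if fmt == "elf" and rmm_parent:
        return "high"
    if fmt == "elf":
        return "medium"
    if rmm_parent and fmt != "pe" and in_profile:
        return "low"
    return None


def hunt(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Run classify() over a batch and keep only the flagged events."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev is not None:
            hits.append((sev, ev))
    return hits


def winscp_staging(events: List[FileEvent]) -> List[str]:
    """Files WinSCP wrote with the .filepart suffix it uses mid-transfer."""
    return [ev.target for ev in events
            if basename(ev.image) == "winscp.exe"
            and ev.target.lower().endswith(".filepart")]


# Constructed sample telemetry (not real data); the Desktop path mirrors the
# process tree quoted in the article, with an invented user name.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe",
                 r"C:\Users\alice\Desktop\mmh_linux_x86-64",
                 ELF_MAGIC + b"\x02\x01\x01"),  # 64-bit little-endian ELF header
    ProcessEvent(r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe",
                 r"C:\Windows\System32\cmd.exe",
                 PE_MAGIC + b"\x90\x00"),        # ordinary PE child: not flagged
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\alice\Downloads\tool",
                 ELF_MAGIC + b"\x02\x01\x01"),  # ELF under a non-RMM parent
]

SAMPLE_FILE_EVENTS = [
    FileEvent(r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
              r"C:\Users\alice\Desktop\mmh_linux_x86-64.filepart"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\alice\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for severity, ev in hunt(SAMPLE_PROCESS_EVENTS):
        print(f"[{severity}] {basename(ev.parent_image)} -> {ev.image}")
    for path in winscp_staging(SAMPLE_FILE_EVENTS):
        print(f"[staging] {path}")
```

The header check is what makes the rule robust: the dropped binary has no file extension, so matching on `.exe` would miss it, while the four ELF magic bytes are present regardless of the file name. In production the `header` field would come from the EDR's file-read or hash-lookup capability rather than being carried in the event.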
