TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Trend Micro Research

Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques

Raymart Yambot · 2025-10-23

ATT&CK techniques detected

33 predictions
T1486 Data Encrypted for Impact · 99%
“Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques. Ransomware. Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques. Trend™ Research identified a sophisticated Ag…”
T1486 Data Encrypted for Impact · 98%
“configured to monitor Linux binaries being executed through WSL, especially when initiated via legitimate remote management tools. The Linux ransomware binary possibly provided cross-platform capability, allowing the attackers to impact both Windows and Linux systems within the…”
T1486 Data Encrypted for Impact · 95%
“Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques. Trend Vision One Intelligence Reports (IoC Sweeping). Hunting queries. Trend Vision One Search App. Trend Vision One customers can use the Search App to match or hunt the malic…”
T1486 Data Encrypted for Impact · 95%
“various system directories to obfuscate command-and-control (C&C) traffic. The attackers abused legitimate tools, specifically installing AnyDesk through Atera Networks’ remote monitoring and management (RMM) platform and ScreenConnect for command execution. It abuses…”
T1219 Remote Access Tools · 91%
“technology, financial services, and healthcare among the hardest hit. - Any environment that uses remote access platforms, centralized backup solutions, or hybrid Windows/Linux infrastructures could be at risk. Enterprises are encouraged to limit the use of remote access tools…”
T1219 Remote Access Tools · 89%
“various system directories to obfuscate command-and-control (C&C) traffic. The attackers abused legitimate tools, specifically installing AnyDesk through Atera Networks’ remote monitoring and management (RMM) platform and ScreenConnect for command execution. It abuses…”
T1486 Data Encrypted for Impact · 86%
“technology, financial services, and healthcare among the hardest hit. - Any environment that uses remote access platforms, centralized backup solutions, or hybrid Windows/Linux infrastructures could be at risk. Enterprises are encouraged to limit the use of remote access tools…”
T1068 Exploitation for Privilege Escalation · 86%
“Evasion. The attackers deployed sophisticated anti-analysis tools to evade security solutions. Further probe confirmed that both 2stx.exe and or2.exe utilize the eskle.sys driver for anti-AV capabilities through a BYOVD attack: - C:\Users\Administrator.<redacted>\…”
T1219 Remote Access Tools · 79%
“’s management service (srmanager.exe) to execute the Linux ransomware binary directly on Windows systems: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\srmanager.exe C:\Users\<redacted>\Desktop\mmh_linux_x86-64. To execute the Linux b…”
T1486 Data Encrypted for Impact · 79%
“…l - C:\ProgramData\Veeam\Backup\OracleLogBackup\socks64.dll. The distributed nature of this SOCKS proxy deployment provided the attackers with redundant communication channels, ensuring persistent C&C capabilities even if individual proxies were discovered and remo…”
T1486 Data Encrypted for Impact · 76%
“path exclusions. The configuration showed extensive targeting of VMware ESXi paths (/vmfs/, /dev/, /lib64/) while excluding critical system directories, demonstrating hypervisor-focused deployment strategies. Earlier variants implemented OS detection for FreeBSD, VMkern…”
T1090.001 Internal Proxy · 72%
“Linux infrastructure, expanding their reach beyond Windows systems and demonstrating the cross-platform nature of the attack. Command and control. The threat actors established a C&C infrastructure through the deployment of multiple SOCKS proxy instances, identified as Coroxy…”
T1090 Proxy · 69%
“Linux infrastructure, expanding their reach beyond Windows systems and demonstrating the cross-platform nature of the attack. Command and control. The threat actors established a C&C infrastructure through the deployment of multiple SOCKS proxy instances, identified as Coroxy…”
T1087.002 Domain Account · 66%
“exe socks64.dll, rundll C:\ProgramData\Veeam\socks64.dll. A backdoor administrative account named “supportt” was created to ensure persistent elevated access. This account name was likely chosen to blend in with legitimate support accounts commonly found in enterprise e…”
T1543.003 Windows Service · 64%
“The driver likely belongs to a game-related package and is commonly used by cheat developers to evade anti-cheat systems; however, it could also be repurposed by advanced persistent threat actors. The eskle.sys driver forcibly stops programs by creating a handle to the targ…”
T1486 Data Encrypted for Impact · 64%
“’s management service (srmanager.exe) to execute the Linux ransomware binary directly on Windows systems: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\srmanager.exe C:\Users\<redacted>\Desktop\mmh_linux_x86-64. To execute the Linux b…”
T1059.012 Hypervisor CLI · 61%
“path exclusions. The configuration showed extensive targeting of VMware ESXi paths (/vmfs/, /dev/, /lib64/) while excluding critical system directories, demonstrating hypervisor-focused deployment strategies. Earlier variants implemented OS detection for FreeBSD, VMkern…”
T1566.002 Spearphishing Link · 61%
“monitoring of remote management tools and backup system access. Impact and victimology. Agenda emerged as one of the top ransomware groups in 2025, demonstrating unprecedented operational tempo and global reach. Analysis of their data leak site since January reveals a ransomware-…”
T1219 Remote Access Tools · 60%
“…ration. - C:\Users\Administrator.<redacted>\Desktop\netscan.exe - C:\Users\Administrator.<redacted>\Documents\netscan.exe. Remote management tools were strategically installed through legitimate RMM platforms to blend with normal IT operations. Atera Ne…”
T1564.006 Run Virtual Instance · 55%
“path exclusions. The configuration showed extensive targeting of VMware ESXi paths (/vmfs/, /dev/, /lib64/) while excluding critical system directories, demonstrating hypervisor-focused deployment strategies. Earlier variants implemented OS detection for FreeBSD, VMkern…”
T1080 Taint Shared Content · 48%
“technology, financial services, and healthcare among the hardest hit. - Any environment that uses remote access platforms, centralized backup solutions, or hybrid Windows/Linux infrastructures could be at risk. Enterprises are encouraged to limit the use of remote access tools…”
T1204.004 Malicious Copy and Paste · 46%
“connected to malicious fake CAPTCHA pages hosted on Cloudflare R2 storage infrastructure. These pages presented convincing replicas of legitimate Google CAPTCHA verification prompts: - hxxps://pub-959ff112c2eb41ce8f7b24e38c9b4f94[.]r2[.]dev/google-captcha-conti…”
T1189 Drive-by Compromise · 45%
“connected to malicious fake CAPTCHA pages hosted on Cloudflare R2 storage infrastructure. These pages presented convincing replicas of legitimate Google CAPTCHA verification prompts: - hxxps://pub-959ff112c2eb41ce8f7b24e38c9b4f94[.]r2[.]dev/google-captcha-conti…”
T1087.001 Local Account · 45%
“exe socks64.dll, rundll C:\ProgramData\Veeam\socks64.dll. A backdoor administrative account named “supportt” was created to ensure persistent elevated access. This account name was likely chosen to blend in with legitimate support accounts commonly found in enterprise e…”
T1090.002 External Proxy · 45%
“Linux infrastructure, expanding their reach beyond Windows systems and demonstrating the cross-platform nature of the attack. Command and control. The threat actors established a C&C infrastructure through the deployment of multiple SOCKS proxy instances, identified as Coroxy…”
T1080 Taint Shared Content · 43%
“Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques. Trend Vision One Intelligence Reports (IoC Sweeping). Hunting queries. Trend Vision One Search App. Trend Vision One customers can use the Search App to match or hunt the malic…”
T1003 OS Credential Dumping · 39%
“…ration. - C:\Users\Administrator.<redacted>\Desktop\netscan.exe - C:\Users\Administrator.<redacted>\Documents\netscan.exe. Remote management tools were strategically installed through legitimate RMM platforms to blend with normal IT operations. Atera Ne…”
T1574.001 DLL · 37%
“hlpdrv.sys have been previously documented in Akira campaigns for gaining kernel-level access and potentially terminating traditional endpoint detection and response (EDR) solutions. Analysis revealed that msimg32.dll employs a DLL sideloading technique, requiring a legitim…”
T1564.006 Run Virtual Instance · 35%
“configured to monitor Linux binaries being executed through WSL, especially when initiated via legitimate remote management tools. The Linux ransomware binary possibly provided cross-platform capability, allowing the attackers to impact both Windows and Linux systems within the…”
T1210 Exploitation of Remote Services · 33%
“BYOVD techniques. These tools are suspected to utilize a different vulnerable driver (fnarw.sys), though definitive confirmation remains pending as the driver was unavailable for complete analysis: - C:\Users\<redacted>\Desktop\cg6.exe - C:\Users\<redacted>…”
T1080 Taint Shared Content · 31%
“Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques. Ransomware. Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques. Trend™ Research identified a sophisticated Ag…”
T1546.015 Component Object Model Hijacking · 31%
“hlpdrv.sys have been previously documented in Akira campaigns for gaining kernel-level access and potentially terminating traditional endpoint detection and response (EDR) solutions. Analysis revealed that msimg32.dll employs a DLL sideloading technique, requiring a legitim…”
T1204.004 Malicious Copy and Paste · 30%
“7/231/means.d We assess that the threat actors likely initiated their attack campaign through a sophisticated social engineering scheme involving these fake CAPTCHA pages. The pages appear to have delivered information stealers to the compromised endpoints, which subsequentl…”

Summary

Trend™ Research identified an Agenda ransomware intrusion in which the group's Linux ransomware variant was executed on Windows hosts through WSL, launched from legitimate remote management tooling (Splashtop's srmanager.exe, with AnyDesk and ScreenConnect installed via Atera's RMM platform). The excerpts also describe BYOVD drivers (eskle.sys for anti-AV process termination; hlpdrv.sys previously seen in Akira campaigns) and SOCKS proxy DLLs dropped under Veeam backup directories for C&C, plus a backdoor "supportt" administrator account. Running a Linux ELF on a Windows endpoint sidesteps detections tuned for Windows PE ransomware, which is why the report recommends monitoring Linux binaries executed through WSL, especially when initiated by remote management tools. Note that several of the lower-confidence tags above are not supported by the excerpt they cite (for example T1566.002 Spearphishing Link, T1080 Taint Shared Content and T1564.006 Run Virtual Instance); the initial access the excerpts actually describe is a fake CAPTCHA page delivering an information stealer, which the T1204.004 Malicious Copy and Paste tag fits better.
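The excerpts above describe four host-level behaviours that are cheap to hunt for: a remote-management service (Splashtop's srmanager.exe) handing a Linux binary to WSL, rundll32 loading socks64.dll from a Veeam directory under ProgramData, creation of a "supportt" backdoor account, and loading of the eskle.sys, hlpdrv.sys and fnarw.sys drivers tied to BYOVD. The Python below is an added example written for this page, not code from Trend Micro or from the TTPwire project: it runs those checks over a handful of constructed process-creation and driver-load records. The record schema, the list of RMM process names (only srmanager.exe is quoted on the page; the AnyDesk, ScreenConnect and Atera executable names are assumed), the support-lookalike pattern and the sample records are all assumptions.

```python
"""Hunting checks modelled on the behaviours quoted on this page (added example;
not the report's or the TTPwire project's code). Schema, RMM process names,
account-name pattern and sample records are assumptions."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Assumed executable names for the remote-management tools named in the report.
RMM_IMAGES = {"srmanager.exe", "anydesk.exe", "screenconnect.clientservice.exe", "ateraagent.exe"}
WSL_LAUNCHERS = {"wsl.exe", "wslhost.exe", "bash.exe"}
WINDOWS_EXT = re.compile(r"\.(exe|dll|bat|cmd|ps1|vbs|msi|com|scr)$", re.I)
USER_PROFILE = re.compile(r"^c:\\users\\", re.I)
VEEAM_DIR = re.compile(r"^c:\\programdata\\veeam\\", re.I)
NET_EXE = re.compile(r"^net1?(?:\.exe)?$", re.I)
# Matches "support", "supportt" and similar helpdesk-style names (assumed pattern).
SUPPORT_LOOKALIKE = re.compile(r"^(?:supp?ort+\w*|helpdesk\w*|it[-_]?support\w*)$", re.I)
BYOVD_DRIVERS = {"eskle.sys", "hlpdrv.sys", "fnarw.sys"}  # driver names quoted on this page


@dataclass
class Record:
    kind: str        # "process" (creation) or "driver_load"
    host: str
    image: str       # process image path, or driver path for driver_load
    parent: str = ""
    cmdline: str = ""


@dataclass
class Hit:
    host: str
    rule: str
    detail: str


def base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> list[str]:
    lex = shlex.shlex(cmdline, posix=False)   # non-POSIX keeps backslashes literal
    lex.whitespace_split, lex.commenters = True, ""
    return [a.strip('"') for a in lex]


def check_rmm_linux_exec(r: Record) -> Hit | None:
    """RMM service spawning WSL, or handed an extension-less binary from a user profile."""
    if r.kind != "process":
        return None
    child, parent = base(r.image), base(r.parent)
    if parent in RMM_IMAGES and child in WSL_LAUNCHERS:
        return Hit(r.host, "rmm_spawns_wsl", f"{parent} -> {child}")
    if child in RMM_IMAGES:
        for arg in split_cmdline(r.cmdline)[1:]:
            if USER_PROFILE.match(arg) and not WINDOWS_EXT.search(base(arg)):
                return Hit(r.host, "rmm_runs_extensionless_binary", f"{child} {arg}")
    return None


def check_rundll32_veeam(r: Record) -> Hit | None:
    """rundll32.exe invoked with a DLL located under C:\\ProgramData\\Veeam\\."""
    if r.kind == "process" and base(r.image) == "rundll32.exe":
        for arg in split_cmdline(r.cmdline)[1:]:
            if VEEAM_DIR.match(arg.split(",")[0]):   # "path.dll,Export" -> path.dll
                return Hit(r.host, "rundll32_loads_dll_from_veeam_dir", arg)
    return None


def check_support_account(r: Record) -> Hit | None:
    """'net user <name> ... /add' where <name> looks like a support account."""
    if r.kind != "process" or not NET_EXE.match(base(r.image)):
        return None
    args = [a.lower() for a in split_cmdline(r.cmdline)]
    if len(args) >= 3 and args[1] == "user" and "/add" in args and SUPPORT_LOOKALIKE.match(args[2]):
        return Hit(r.host, "support_lookalike_account_created", args[2])
    return None


def check_byovd_driver(r: Record) -> Hit | None:
    if r.kind == "driver_load" and base(r.image) in BYOVD_DRIVERS:
        return Hit(r.host, "known_abused_driver_loaded", r.image)
    return None


CHECKS = (check_rmm_linux_exec, check_rundll32_veeam, check_support_account, check_byovd_driver)


def hunt(records) -> list[Hit]:
    return [h for r in records for c in CHECKS if (h := c(r)) is not None]


# Constructed sample records; paths are modelled on the redacted ones quoted above.
SPLASHTOP = r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"
SAMPLE = [
    Record("process", "WS01", SPLASHTOP, parent=r"C:\Windows\System32\services.exe",
           cmdline=f'"{SPLASHTOP}" C:\\Users\\jdoe\\Desktop\\mmh_linux_x86-64'),
    Record("process", "WS01", r"C:\Windows\System32\wsl.exe", parent=SPLASHTOP,
           cmdline=r"wsl.exe /mnt/c/Users/jdoe/Desktop/mmh_linux_x86-64"),
    Record("process", "BK01", r"C:\Windows\System32\rundll32.exe", parent=r"C:\Windows\explorer.exe",
           cmdline=r"rundll32.exe C:\ProgramData\Veeam\Backup\OracleLogBackup\socks64.dll,Start"),
    Record("process", "DC01", r"C:\Windows\System32\net.exe", parent=r"C:\Windows\System32\cmd.exe",
           cmdline=r"net user supportt P@ssw0rd! /add"),
    Record("process", "DC01", r"C:\Windows\System32\net.exe", parent=r"C:\Windows\System32\cmd.exe",
           cmdline=r"net user svc_backup P@ssw0rd! /add"),          # ordinary name: not flagged
    Record("driver_load", "WS01", r"C:\Users\Administrator\Desktop\eskle.sys"),
    Record("process", "WS01", r"C:\Windows\System32\rundll32.exe", parent=r"C:\Windows\explorer.exe",
           cmdline=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),  # benign
]

if __name__ == "__main__":
    for h in hunt(SAMPLE):
        print(f"{h.host:5} {h.rule:36} {h.detail}")
```

Run directly, the script prints five hits and nothing for the two benign records. The extension-less-path heuristic is deliberately narrow (an argument under C:\Users\ with no Windows executable extension, as in the quoted srmanager.exe command line); in production you would correlate it with the WSL process-lineage check rather than alert on either alone, and you would source the RMM and driver name lists from your own inventory rather than from this page.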