Qilin Ransomware Group Deploys Linux Encryptors Through Windows WSL to Evade Detection
November 11, 2025
Researchers from Trend Micro and Cisco Talos have identified the Qilin ransomware group as the actor executing Linux encryptors within Windows environments through the Windows Subsystem for Linux (WSL).
This technique enables attackers to bypass many traditional Windows-based security tools, according to an article by Lawrence Abrams in BleepingComputer.
Qilin, which initially emerged as the “Agenda” ransomware in 2022, has evolved into one of the most active ransomware operations globally, targeting over 700 victims in 62 countries as of 2025.
The group’s operations expanded rapidly, leveraging both legitimate and malicious tools to breach networks, disable protections, and exfiltrate data. Affiliates frequently employ remote access software such as AnyDesk and Splashtop, alongside utilities like Cyberduck and WinRAR, to steal information.
To neutralize endpoint defenses, they employ Bring Your Own Vulnerable Driver tactics, deploying signed but insecure drivers, such as eskle.sys, to disable antivirus and endpoint detection tools.
Cisco Talos observed additional use of open-source programs, including “dark-kill” and “HRSword”, to terminate or uninstall security software.
Trend Micro reports that Qilin affiliates are transferring ELF-format Linux encryptors onto compromised Windows devices using WinSCP, then executing them via Splashtop within WSL. Because these encryptors require a Linux runtime, WSL provides an ideal environment for stealthy execution.
Once attackers gain administrative access, they can enable or install WSL and deploy the Linux ransomware payload within that subsystem, avoiding detection by Windows-focused endpoint defenses.
For lawyers advising clients on cybersecurity compliance, this development demonstrates a growing convergence of Windows and Linux threat vectors. Organizations should evaluate whether their incident response and endpoint monitoring protocols adequately cover hybrid environments. They should also ensure that WSL installations are restricted, logged, or disabled where unnecessary, to reduce exposure to similar cross-platform attacks.
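A host-level check of the mitigation above (restrict, log, or disable WSL), written here as an added example; it is not code from the article or from the Trend Micro or Cisco Talos reports. It assumes a Windows 10/11 host audited as administrator, and relies on the Security log's "Audit Process Creation" policy being enabled so that event 4688 records new processes.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the article): is WSL enabled on this host, which Linux
# distributions are registered, and has wsl.exe been launched recently? Assumes Windows 10/11.
function Get-WslExposure {
    param([int]$LookbackHours = 24)
    # (1) Optional feature state
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Windows-Subsystem-Linux'
    $featureEnabled = ($feature.State -eq 'Enabled')
    # (2) Registered distributions are stored per user under HKU\<SID>\...\Lxss,
    #     so walk every loaded user hive rather than only HKCU.
    $distros = @()
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        if ($hive.PSChildName -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
        $lxss = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Lxss"
        if (-not (Test-Path $lxss)) { continue }
        foreach ($key in Get-ChildItem $lxss) {
            $props = Get-ItemProperty $key.PSPath
            if ($props.DistributionName) {
                $distros += [pscustomobject]@{
                    UserSid  = $hive.PSChildName
                    Name     = $props.DistributionName
                    BasePath = $props.BasePath
                }
            }
        }
    }
    # (3) Recent wsl.exe / wslhost.exe launches recorded as Security event 4688
    #     (requires "Audit Process Creation" to be enabled; otherwise this list is empty)
    $since = (Get-Date).AddHours(-$LookbackHours)
    $launches = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\wsl(host)?\.exe' } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = ($data | Where-Object Name -eq 'NewProcessName').'#text'
                Parent  = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
            }
        }
    [pscustomobject]@{
        WslFeatureEnabled = $featureEnabled
        Distributions     = $distros
        RecentWslLaunches = $launches
    }
}

Get-WslExposure | Format-List
# Where WSL is not sanctioned on this host, remove the feature (uncomment to apply):
# Disable-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Windows-Subsystem-Linux' -NoRestart
```

A non-empty `RecentWslLaunches` list on a host where WSL is not an approved tool is the signal worth routing to incident response, since the Linux encryptor itself runs inside the subsystem and leaves little for Windows-only tooling to inspect.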