Intel Name: Agenda ransomware deploys Linux variant on Windows systems through remote management tools and BYOVD techniques
Date of Scan: November 13, 2025
Impact: High
Summary: The Agenda ransomware group (Qilin) has been observed deploying Linux-based binaries on Windows hosts using legitimate remote management and file transfer tools. This cross-platform technique evades traditional Windows-focused detections, including many EDR solutions. It enables stealthy operations in which recovery is disabled using stolen backup credentials and defenses are evaded through BYOVD (bring your own vulnerable driver) techniques. Since January 2025, Agenda has impacted over 700 victims across 62 countries, mainly in high-value sectors. The U.S., France, Canada, and the U.K. have seen the most incidents, affecting manufacturing, technology, finance, and healthcare. Organizations using remote access or hybrid Windows/Linux setups are urged to restrict access and monitor for anomalies.