Qilin ransomware abuses WSL to run Linux encryptors in Windows

Picus Blue Report 2025

The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools.

The ransomware first launched as “Agenda” in August 2022, rebranding to Qilin by September and continuing to operate under that name to this day.

Qilin has become one of the most active ransomware operations, with newresearch from Trend Micro and Cisco Talos stating that the cybercrime gang has attacked more than 700 victims across 62 countries this year.

Both firms say the group has become one of the most active ransomware threats worldwide, publishing over 40 new victims per month in the second half of 2025.

Both cybersecurity firms report that Qilin affiliates use a mix of legitimate programs and remote management tools to breach networks and steal credentials, including applications such as AnyDesk, ScreenConnect, and Splashtop for remote access, and Cyberduck and WinRAR for data theft.

The threat actors also usecommon built-in Windows utilities, such as Microsoft Paint (mspaint.exe) and Notepad (notepad.exe), to inspect documents for sensitive data before stealing them.

Using vulnerable drivers to disable security tools

Both Trend Micro and Talos also observed Qilin affiliates performing Bring Your Own Vulnerable Driver (BYOVD)attacks to disable security software before launching encryptors.

The attackers deployed signed but vulnerable drivers, such as eskle.sys, to terminate antivirus and EDR processes, and used DLL sideloading to drop additional kernel drivers (rwdrv.sys and hlpdrv.sys) that granted further kernel-level privileges.

Talos observed the attackers using tools such as “dark-kill” and “HRSword” to turn off security software and remove traces of malicious activity.

“Talos observed traces of attempts to disable EDR using multiple methods,” explained Cisco Talos.

“Broadly speaking, we have frequently observed commands that directly execute the EDR’s ‘uninstall.exe’ or attempt to stop services using the sc command. At the same time, attackers have also been observed running open-source tools such asdark-kill and HRSword.”

Linux encryptor launched via WSL

In December 2023, BleepingComputer reported on a new Qilin Linux encryptor with a strong focus on encrypting VMware ESXi virtual machines and servers.

The encryptor’s command-line arguments include options to enable debug mode, perform a dry run without encrypting any files, or customize how virtual machines and their snapshots are encrypted.

Qilin Linux encryptorVirusTotal], meaning they cannot run natively on Windows and require a runtime environment such as the Windows Subsystem for Linux (WSL) to execute.

Further questions to Trend Micro revealed that the threat actors are indeed utilizing the WSL to execute the encryptor.

WSL is a Windows feature that allows you to install and run Linux distributions directly within Windows. Once installed, you can either open a shell for the default, installed distro or use the wsl.exe -e command to run Linux programs within a Windows command prompt.

Trend Micro told BleepingComputer that when threat actors gain access to a device, they enable or install the Windows Subsystem for Linux and then use it to execute the encryptor, thereby evading traditional Windows security software.

“In this case, the threat actors were able to run the Linux encryptor on Windows systems by taking advantage of the Windows Subsystem for Linux (WSL), a built-in feature that allows Linux binaries to execute natively on Windows without requiring a virtual machine,” Trend Micro told BleepingComputer.

“After gaining access, the attackers enabled or installed WSL using scripts or command-line tools, then deployed the Linux ransomware payload within that environment. This gave them the ability to execute a Linux-based encryptor directly on a Windows host while avoiding many defenses that are focused on detecting traditional Windows malware.”

As many Windows EDR products focus on Windows PE behavior, they miss malicious behavior occurring within WSL, allowing malware to bypass detection.

Trend Micro says the technique shows how ransomware operators are adapting to hybrid Windows and Linux environments to maximize reach and evade traditional defenses.


Picus Blue Report 2025

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.