VERY IMPORTANT

Agenda ransomware group, also known as Qilin, has been deploying a Linux-based ransomware binary on Windows hosts using legitimate remote management and file transfer tools. This cross-platform execution technique bypasses Windows-centric detections and security solutions. The attack chain includes the use of BYOVD for defense evasion, deployment of multiple SOCKS proxy instances for C&C traffic obfuscation, and targeted theft of backup credentials. Agenda has affected 591 victims across 58 countries since January 2025, primarily targeting organizations in developed markets and high-value industries. The group's sophisticated approach combines legitimate tools, cross-platform execution, and strategic targeting of backup infrastructure, making detection significantly more challenging for organizations.