Qilin Ransomware Abuses WSL to Run Linux Encryptors in Windows
An Anonymous Coward writes:
Qilin ransomware abuses WSL to run Linux encryptors in Windows
https://archive.ph/lhpiX
The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools.
The ransomware first launched as "Agenda" in August 2022, rebranding to Qilin by September and continuing to operate under that name to this day.
Qilin has become one of the most active ransomware operations, with new research from Trend Micro and Cisco Talos stating that the cybercrime gang has attacked more than 700 victims across 62 countries this year.
Both firms say the group has become one of the most active ransomware threats worldwide, publishing over 40 new victims per month in the second half of 2025.
Both cybersecurity firms report that Qilin affiliates use a mix of legitimate programs and remote management tools to breach networks and steal credentials, including applications such as AnyDesk, ScreenConnect, and Splashtop for remote access, and Cyberduck and WinRAR for data theft.
The threat actors also use common built-in Windows utilities, such as Microsoft Paint (mspaint.exe) and Notepad (notepad.exe), to inspect documents for sensitive data before stealing them.
[...] "After gaining access, the attackers enabled or installed WSL using scripts or command-line tools, then deployed the Linux ransomware payload within that environment. This gave them the ability to execute a Linux-based encryptor directly on a Windows host while avoiding many defenses that are focused on detecting traditional Windows malware."
Read more of this story at SoylentNews.