# Full Report
Agenda's initial activity in July 2022 deployed Go-based ransomware that offered affiliates customizable builds for encryption behavior, file targeting, and ransom note personalization. Later that year, it introduced Rust-based variants to improve performance and cross-platform support covering Windows, Linux, and ESXi environments. Its recent campaigns have leveraged PowerShell-based tooling for lateral movement and deployment in VMware vCenter and ESXi environments. In 2024 and 2025, the Agenda ransomware saw a significant operational expansion: affiliates were observed using additional malware loaders such as SmokeLoader and NETXLOADER, along with defense-evasion techniques including “Bring Your Own Vulnerable Driver” (BYOVD). In some incidents, the group deployed Linux ransomware payloads via legitimate remote management tools, underscoring the group's flexibility and effectiveness as an industry-agnostic extortion operation.
# Analysis Summary
# Tool/Technique: Agenda (aka Qilin)
## Overview
Agenda is a sophisticated Ransomware-as-a-Service (RaaS) operation that emerged in July 2022. It employs a double-extortion model, stealing sensitive data before encrypting files to increase leverage over victims. The group is noted for its high degree of technical flexibility, evolving from Go-based payloads to Rust-based variants to target Windows, Linux, and VMware ESXi environments effectively.
## Technical Details
- **Type:** Malware Family (Ransomware-as-a-Service)
- **Platform:** Windows, Linux, VMware ESXi, and vCenter
- **Capabilities:** File encryption, data exfiltration, lateral movement, defense evasion (BYOVD), and cross-platform compatibility.
- **First Seen:** July 2022
## MITRE ATT&CK Mapping
- **[TA0008 - Lateral Movement]**
  - [T1059.001 - PowerShell]
- **[TA0005 - Defense Evasion]**
  - [T1068 - Exploitation for Privilege Escalation (BYOVD)]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
- **[TA0040 - Impact]**
  - [T1486 - Data Encrypted for Impact]
  - [T1490 - Inhibit System Recovery]
- **[TA0002 - Execution]**
  - [T1106 - Native API]
  - [T1059.001 - PowerShell]
## Functionality
### Core Capabilities
- **Cross-Platform Encryption:** Utilizes Rust-based variants for high-performance encryption across Windows and Linux-based servers (specifically ESXi).
- **Customizable Builds:** Offers affiliates the ability to customize encryption behavior, file extension targeting, and ransom note content.
- **Data Exfiltration:** Employs a dedicated Tor-based leak site to publish stolen data as part of double-extortion tactics.
- **Automated Propagation:** Recent versions use custom PowerShell scripts to spread laterally through VMware vCenter and ESXi environments.
### Advanced Features
- **Bring Your Own Vulnerable Driver (BYOVD):** Leverages legitimate but vulnerable drivers to terminate security processes and bypass EDR/AV solutions.
- **Virtualization Targeting:** Specifically designed modules to shut down Virtual Machines (VMs) on ESXi hosts before encryption to ensure file locks are released.
- **Multi-Loader Integration:** Affiliates use secondary loaders like SmokeLoader and NETXLOADER for initial delivery and persistence.
## Indicators of Compromise
- **File Hashes:** *(Note: Specific hashes not provided in the source text; typically involve Go and Rust compiled binaries)*
- **File Names:** Ransom notes often follow naming conventions defined in the custom affiliate build.
- **Network Indicators:**
  - hxxps://qilin[.]re (general domain reference, defanged)
  - Tor-based leak sites (specific .onion addresses fluctuate)
- **Behavioral Indicators:**
  - Unauthorized use of PowerShell to access vCenter APIs.
  - Deployment of vulnerable third-party drivers (e.g., RTCore64.sys or similar) to disable security tools.
  - Mass stopping of VM services on ESXi hosts via CLI.
## Associated Threat Actors
- **Water Galura:** The primary operator/developer of Agenda/Qilin.
- **Moonstone Sleet:** North Korean state-sponsored actor observed deploying Agenda in 2025.
- **DragonForce & LockBit:** Members of a strategic alliance/cartel formed in late 2025.
- **Former RansomHub Affiliates:** Migrated to Agenda infrastructure after RansomHub disruption.
## Detection Methods
- **Behavioral Detection:** Monitor for "vpxuser" or administrative logins to ESXi via SSH followed by rapid file renaming/encryption commands.
- **System Monitoring:** Watch for the loading of unsigned or known vulnerable drivers (BYOVD) followed immediately by the termination of security service processes.
- **Network Monitoring:** Detection of data staging and large-scale outbound transfers to unrecognized cloud storage or Tor exit nodes.
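The two behavioral detections above (a privileged ESXi SSH login followed by a burst of rename/encryption or VM power-off activity, and a vulnerable or unsigned driver load followed by termination of a security process) are both sequence correlations. The following Python is an added example written for this page, not code from the report or from any vendor: it implements one generic time-window correlation rule and instantiates it twice. The event schema, the watchlists (the hypothetical `edr_agent.exe`, the `backupsvc` account), and the sample telemetry are all constructed for illustration; only RTCore64.sys is named in the report itself.

```python
"""Sequence-correlation detections for two Agenda/Qilin behaviours.

Rule 1 (ESXi): SSH login by "vpxuser" or root, followed within a short window
by a burst of file renames or VM power-off commands.
Rule 2 (Windows): load of an unsigned or known-vulnerable driver, followed within
a short window by termination of a security service process.

The event dict shape below is a constructed, simplified telemetry format
(assumption for this example), not any vendor's real log schema.
"""
from datetime import datetime, timedelta

# Constructed watchlists (assumptions): extend from your own driver blocklist
# and the image names of the security products actually deployed.
VULNERABLE_DRIVERS = {"rtcore64.sys"}                   # RTCore64.sys is named in the report
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe"}   # edr_agent.exe is hypothetical
ESXI_PRIV_USERS = {"vpxuser", "root"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, is_trigger, is_followup, window_seconds, min_followups):
    """Generic rule: for every trigger event, count follow-up events on the same
    host within `window_seconds`; emit an alert when the count reaches
    `min_followups`. Returns a list of alert dicts (empty when nothing fires)."""
    alerts = []
    events = sorted(events, key=_ts)
    for i, trig in enumerate(events):
        if not is_trigger(trig):
            continue
        deadline = _ts(trig) + timedelta(seconds=window_seconds)
        followups = [
            e for e in events[i + 1:]
            if e["host"] == trig["host"] and _ts(e) <= deadline and is_followup(e)
        ]
        if len(followups) >= min_followups:
            alerts.append({"host": trig["host"], "trigger": trig, "count": len(followups)})
    return alerts


def esxi_login_then_rename(events, window_seconds=120, min_followups=5):
    """Rule 1: privileged SSH login followed by a burst of renames / VM power-offs."""
    return correlate(
        events,
        is_trigger=lambda e: e["event"] == "ssh_login"
        and e.get("user", "").lower() in ESXI_PRIV_USERS,
        is_followup=lambda e: e["event"] in ("file_rename", "vm_poweroff"),
        window_seconds=window_seconds,
        min_followups=min_followups,
    )


def driver_load_then_kill(events, window_seconds=30):
    """Rule 2: unsigned or known-vulnerable driver load, then a security process dies."""
    def bad_driver(e):
        return e["event"] == "driver_load" and (
            not e.get("signed", False) or e.get("image", "").lower() in VULNERABLE_DRIVERS
        )

    def security_kill(e):
        return e["event"] == "process_terminate" and e.get("image", "").lower() in SECURITY_PROCESSES

    # A single kill right after the driver load is already worth an alert.
    return correlate(events, bad_driver, security_kill, window_seconds, min_followups=1)


# Constructed sample telemetry: esxi01 and win01 show the malicious sequences,
# esxi02 and win02 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T10:00:00", "host": "esxi01", "event": "ssh_login", "user": "vpxuser"},
    {"ts": "2025-01-15T10:00:03", "host": "esxi01", "event": "vm_poweroff", "vm": "fileserver01"},
    {"ts": "2025-01-15T10:00:05", "host": "esxi01", "event": "file_rename", "path": "/vmfs/volumes/ds1/a.vmdk"},
    {"ts": "2025-01-15T10:00:08", "host": "esxi01", "event": "file_rename", "path": "/vmfs/volumes/ds1/b.vmdk"},
    {"ts": "2025-01-15T10:00:11", "host": "esxi01", "event": "file_rename", "path": "/vmfs/volumes/ds1/c.vmdk"},
    {"ts": "2025-01-15T10:00:14", "host": "esxi01", "event": "file_rename", "path": "/vmfs/volumes/ds1/d.vmdk"},
    {"ts": "2025-01-15T10:00:17", "host": "esxi01", "event": "file_rename", "path": "/vmfs/volumes/ds1/e.vmdk"},
    {"ts": "2025-01-15T11:00:00", "host": "esxi02", "event": "ssh_login", "user": "root"},
    {"ts": "2025-01-15T11:30:00", "host": "esxi02", "event": "file_rename", "path": "/tmp/log.old"},
    {"ts": "2025-01-15T10:05:00", "host": "win01", "event": "driver_load", "image": "RTCore64.sys", "signed": True},
    {"ts": "2025-01-15T10:05:10", "host": "win01", "event": "process_terminate", "image": "MsMpEng.exe"},
    {"ts": "2025-01-15T10:06:00", "host": "win02", "event": "driver_load", "image": "nvlddmkm.sys", "signed": True},
]


def run_all(events=SAMPLE_EVENTS):
    """Run both rules and return their alerts keyed by rule name."""
    return {
        "esxi_login_then_rename": esxi_login_then_rename(events),
        "driver_load_then_kill": driver_load_then_kill(events),
    }


if __name__ == "__main__":
    for rule, alerts in run_all().items():
        for a in alerts:
            print(f"[{rule}] host={a['host']} trigger={a['trigger']['event']} followups={a['count']}")
```

The esxi02 login does not fire because its single rename falls outside the 120-second window, and win02 does not fire because its driver is signed and not on the blocklist. Note that Rule 2 treats a signed driver as suspicious when it is on the vulnerable-driver list, which is the BYOVD case: the driver's signature is valid, so signature checks alone do not catch it. Tune the windows and thresholds against your own baseline of legitimate vCenter maintenance activity before deploying.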
## Mitigation Strategies
- **Virtualization Hardening:** Restrict SSH access to ESXi hosts and use dedicated, isolated management networks for vCenter.
- **Privilege Management:** Implement the Principle of Least Privilege (PoLP); minimize the use of domain admin accounts for routine maintenance.
- **Driver Signature Enforcement:** Enable Windows Driver Signature Enforcement and utilize EDR policies to block known vulnerable drivers.
- **Immutable Backups:** Maintain offline or immutable backups to ensure recovery without paying the ransom.
## Related Tools/Techniques
- **SmokeLoader / NETXLOADER:** Used as initial entry/delivery vehicles.
- **RansomHub:** Tactical overlap and affiliate migration.
- **Remote Management Tools:** Use of legitimate tools for payload deployment.