Overview
- Trend Micro reports that affiliates transferred a Linux ransomware binary to Windows hosts with WinSCP and then executed it through Splashtop's SRManager component.
- The attackers loaded eskle.sys, a signed but vulnerable driver, to disable security tools (a bring-your-own-vulnerable-driver technique), alongside sideloaded components and additional kernel drivers.
- Remote-access tools installed through Atera (AnyDesk and ScreenConnect) were abused for persistence and command execution, and COROXY SOCKS proxies were used to mask command-and-control traffic.
- Investigators say the actors extracted Veeam credentials from backup databases to compromise disaster recovery before encryption, and that the ransomware gained detection of Nutanix AHV environments, widening the hypervisors it targets.
- Cisco Talos tracks sustained activity in 2025 with dozens of victims per month across multiple sectors and countries; initial access comes through leaked credentials or Cloudflare-hosted phishing lures.
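Two of the behaviours above are cheap to hunt for in endpoint telemetry: a file with an ELF header launched on a Windows host by a remote-management tool, and a load of the named vulnerable driver. The script below is an added example written for this page, not tooling from Trend Micro, Cisco Talos or the vendors mentioned. The process image names in RMM_PARENTS, the Splashtop install path in the sample, and the idea that the sensor records the first bytes of a launched file are assumptions; the sample events are constructed, not real logs.

```python
"""Hunt constructed endpoint telemetry for two behaviours from the report:
an ELF binary launched under a remote-management parent on Windows, and a
load of the signed-but-vulnerable eskle.sys driver."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

ELF_MAGIC = b"\x7fELF"

# Assumed image names for the RMM tools the report names (Splashtop
# SRManager, AnyDesk, ScreenConnect). Verify against your own telemetry;
# they are not taken from the report.
RMM_PARENTS = {"srmanager.exe", "anydesk.exe", "screenconnect.clientservice.exe"}

# Driver the report names as signed but vulnerable.
VULN_DRIVERS = {"eskle.sys"}


@dataclass(frozen=True)
class Event:
    kind: str               # "process" or "driver"
    host: str
    image: str              # full path of the launched image or loaded driver
    parent: str = ""        # parent image path (process events only)
    file_head: bytes = b""  # first bytes of the launched file (assumed collected by the sensor)


def basename(path: str) -> str:
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_elf(head: bytes) -> bool:
    """True when the file starts with the ELF magic, which no Windows loader runs natively."""
    return head.startswith(ELF_MAGIC)


def hunt(events: Iterable[Event]) -> list[dict]:
    """Return one finding per event that matches either rule, in input order."""
    findings: list[dict] = []
    for ev in events:
        if ev.kind == "process" and is_elf(ev.file_head) and basename(ev.parent) in RMM_PARENTS:
            findings.append({"rule": "elf_launched_via_rmm", "host": ev.host,
                             "image": ev.image, "parent": ev.parent})
        elif ev.kind == "driver" and basename(ev.image) in VULN_DRIVERS:
            findings.append({"rule": "vulnerable_driver_load", "host": ev.host, "image": ev.image})
    return findings


# Constructed sample telemetry, not real logs. Paths are illustrative assumptions.
SAMPLE_EVENTS = [
    Event("process", "ws01", r"C:\Users\Public\enc",
          parent=r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe",
          file_head=b"\x7fELF\x02\x01\x01"),
    Event("process", "ws01", r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe", file_head=b"MZ\x90\x00"),
    Event("driver", "ws02", r"C:\Windows\Temp\eskle.sys"),
    Event("driver", "ws02", r"C:\Windows\System32\drivers\tcpip.sys"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The ELF rule keys on file content rather than extension because the staged payload need not carry one; the driver rule keys on the file name only, so pair it with a hash or signer check in production to catch a renamed copy.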