Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script

This blog entry discusses the Agenda ransomware group’s use of its latest Rust variant to propagate to VMWare vCenter and ESXi servers.


Since its discovery in 2022, the Agenda Ransomware group  (also known as Qilin) has been active and in development. Agenda, which Trend Micro tracks as Water Galura, continues infecting victims globally with the US, Argentina, and Australia, and Thailand being among its top targets (based on the threat actor’s leak site data). Meanwhile the Agenda ransomware was used to target several industries, such as finance and law.

The distribution by country of Agenda’s victims (March 2024)

Figure 1. The distribution by country of Agenda’s victims (March 2024)
The distribution by industry of Agenda’s victim organizations (March 2024)

Figure 2. The distribution by industry of Agenda’s victim organizations (March 2024)

Furthermore, based on Trend threat intelligence data, Agenda ransomware detections increased beginning December 2023, in contrast to the number of detections in November, which shows that its operators are either becoming more active, or are reaching a greater number of targets.

We recently encountered updated versions of the ransomware, specifically for its Rust variant. Based on what we’ve observed, Agenda ransomware group uses Remote Monitoring and Management (RMM) tools, as well as Cobalt Strike for deployment of the ransomware binary. As for the Agenda ransomware executable, it can also propagate via PsExec and SecureShell, while also making use of different vulnerable SYS drivers for defense evasion.   

Agenda ransomware infection chain based on recent observations

Figure 3. Agenda ransomware infection chain based on recent observations


T1059.003 Command and Scripting Interpreter
The most recent version of the Agenda ransomware contains multiple command-line arguments. The table below shows a comparison of the arguments we encountered last July 2023 compared to the version we found in February 2024. Commands in bold text are changes from previous versions.

Agenda Rust 2023

Agenda Rust February 2024




Allows for providing IP addresses



Password to proceed to the landing page



Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned



Propagate to remote machines via PsExec



Restart in safe mode



Debug mode



Time delay before execution



Exclude specified directory for encryption



no process termination



no service termination



no domain encryption



no network encryption



disable sandbox detection



no escalating privileges



Impersonate tokens



no local encryption



no extension filter 



no file filter 



no directory filter 



no terminating VM machines



disables VM clusters



no extension appended



no wallpaper modification



no ransom note dropping



don’t delete directories



no deleting itself





print ransom note



delay printing for n seconds





propagate in vCenter and ESXi





escalated privileges



specify SID



Executed to spread and execute the sample

Table 1. Agenda Rust command-line Arguments

Lateral Movement

T1021.004 Remote Services – SSH

When executed with the command-line –spread-vcenter, Agenda will use a custom PowerShell script embedded in the binary to propagate across VMWare vCenter and ESXi servers. This can potentially impact the virtual machines and even the whole virtual infrastructure, leading to data and financial loss, as well as the disruption of services running on virtual environments.

PowerShell Script used for propagation

Figure 4. PowerShell Script used for propagation

To execute, Agenda requires users to input their credentials in the target vCenter or ESXi host, and specify the path of the ESXi binary to propagate. Since this is executed in an interactive shell, this may indicate that the threat actors are the ones who will input these credentials into the machine upon deployment.

Console for inputting vCenter or ESXi credentials

Figure 5. Console for inputting vCenter or ESXi credentials

The PowerShell script is executed in-memory as a memory stream on a running PowerShell process, making its execution fileless (since the script will not be present in the machine).

Writing the PowerShell script in memory

Figure 6. Writing the PowerShell script in memory

Once loaded, the script first checks if its dependencies are installed:

Commands for checking required modules

Figure 7. Commands for checking required modules

Afterwards, it connects to the host names specified by the attacker and changes the root password for all ESXi hosts. The new password will be the one required by Agenda for execution. This effectively prevents victims from accessing the compromised host even after encryption is done.

Changing ESXi host passwords

Figure 8. Changing ESXi host passwords

SSH would then be enabled for file transfer.

Enabling SSH in ESXi

Figure 9. Enabling SSH in ESXi

Once SSH is enabled, it would proceed with creating an SSH session that will be used to upload the ESXi binary:

Creating an SSH session.

Figure 10. Creating an SSH session.

After a successful upload, the payload will be executed on the target host, effectively compromising the system.

Uploading and executing the ESXi binary

Figure 11. Uploading and executing the ESXi binary

T1570 Lateral Tool Transfer

Agenda has also changed its propagation command-line to –spread, making it more evident. To do this, PsExec is dropped in the following path:

%User Temp%{random}.exe

Next, it will execute the PsExec file using the following command:

“cmd” /C %User Temp%{random}.exe -accepteula -c -f -h -d “{Malware File Path}” –password {Password required}–spread {host name} –spread-process


T1486 Data Encrypted for Impact

Agenda also added a feature to print ransom notes on connected printers. It copies the ransom note inl %User Temp%{Generated file name}, and executes the following commands:

 “powershell” -Command “Get-Printer | Format-List Name,DriverName – used to get printer drivers.

“powershell” -Command ” Timeout /T ‘0’ ; Get-Content -Path ‘%User Temp%{Generated file name}’ | Out-Printer -Name ‘{Printer Name}’ “

The latter command is used to print the ransom note on a specified printer.

Printing the Ransom Note

Printing the Ransom Note

Figure 12. Printing the Ransom Note

Defense Evasion

T1480 Execution Guardrails

The latest version of Agenda can now terminate VMclusters (a group of Virtual Machines/ESXi hosts configured to share resources). It does so by executing the following commands:

·       PowerShell -Command “Stop-Cluster -Force”

T1211 Exploitation for Defense Evasion

From our recent encounters with Agenda, we observed malicious actors employing the Bring Your Own Vulnerable Driver (BYOVD) technique to evade detection by security systems. BYOVD is not new and has been abused by multiple threat groups such as the Kasseika ransomware (using a signed Martini.sys driver), the Akira ransomware group, and the AvosLocker ransomware group.

In the Agenda ransomware’s case, we saw that for each infection chain, it appears to be leveraging different vulnerable drivers to disable different security tools.

A SYS driver used by the Agenda ransomware

Figure 13. A SYS driver used by the Agenda ransomware

Some drivers we have observed being leveraged by the Agenda ransomware is YDark, a publicly available tool designed for kernel manipulation, as well as Spyboy’s Terminator tool used to bypass AVs and EDRs (Endpoint Detection and Response). Using different vulnerable drivers for defense evasion highlights how ransomware can adapt, presenting a significant challenge for cybersecurity defenses trying to stop it.              

Conclusion and recommendations

The Agenda ransomware’s ability to spread to virtual machine infrastructure shows that its operators are also expanding to new targets and systems, therefore organizations should be aware of the group’s activities and implement security measures to protect themselves from these kinds of ransomware, such as:

  • Only granting employees administrative rights and access when necessary. 
  • Performing period scans and ensure that security products are updated regularly.  
  • Regularly backing up data to ensure as a failsafe measure for data loss. 
  • Exercising good email and website safety practices; avoid downloading attachments, clicking on URLs, and downloading applications unless certain of the source’s legitimacy.
  • Conducting regular user education on the dangers of social engineering. 

A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.   

Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.  

Trend Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.   

Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.   

Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

With additional analysis from Nathaniel Morales, Maristel Policarpio, CJ Arsley Mateo, Don Ladores

Vision One hunting query

The following query lists potentially useful queries for threat hunting within Vision One:

(fullPath:(“C:UsersPublicenc.exe” OR “C:UsersPublicpwndll.dll”) OR malName:*agenda*) OR (objectFilePath: (“C:UsersPublicenc.exe” OR “C:UsersPublicpwndll.dll”))

Indicators of Compromise

The indicators of compromise for this entry can be found here.


  1. Initial Access:
    • Phishing: Spearphishing Attachment (T1566.001): The threat actors use phishing emails with malicious attachments to gain initial access to the target system.
  2. Execution:
    • Command and Scripting Interpreter: PowerShell (T1059.001): The ransomware uses PowerShell scripts for execution and propagation.
    • Native API (T1106): The malware uses native system APIs for various malicious activities.
  3. Persistence:
    • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): The ransomware modifies registry keys for persistence.
  4. Privilege Escalation:
    • Exploitation for Privilege Escalation (T1068): The ransomware may exploit vulnerabilities to escalate privileges.
  5. Defense Evasion:
    • Obfuscated Files or Information (T1027): The ransomware obfuscates its code to evade detection.
    • Process Injection (T1055): The ransomware uses process injection techniques for evasion.
    • Rootkit (T1014): The use of SYS drivers for defense evasion indicates rootkit-like behavior.
  6. Credential Access:
    • Credentials from Password Stores (T1555): The ransomware may attempt to access credentials stored on the system.
  7. Discovery:
    • System Information Discovery (T1082): The ransomware gathers system information for targeting and propagation.
  8. Lateral Movement:
    • Remote Services: SSH (T1021.004): The ransomware uses SSH for lateral movement to VMWare vCenter and ESXi servers.
  9. Collection:
    • Data from Local System (T1005): The ransomware may collect data from the infected system.
  10. Command and Control:
    • Application Layer Protocol (T1071): The ransomware communicates with its command and control servers using application layer protocols.
  11. Impact:
    • Data Encrypted for Impact (T1486): The primary goal of the ransomware is to encrypt data for financial gain.