Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools

Summary

Threat actors associated with Qilin and Warlock ransomware have been observed deploying vulnerable drivers to disable over 300 EDR solutions on compromised hosts. Both groups use bring-your-own-vulnerable-driver (BYOVD) techniques with malicious DLLs and kernel-mode drivers to evade detection and terminate security processes. Qilin has emerged as the most active ransomware group in recent months, with attacks averaging six days between initial compromise and ransomware execution.

Full text

Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools Ravie LakshmananApr 06, 2026Ransomware / Endpoint Security Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend Micro. Qilin attacks analyzed by Talos have been found to deploy a malicious DLL named "msimg32.dll," which initiates a multi-stage infection chain to disable endpoint detection and response (EDR) solutions. The DLL, launched via DLL side-loading, is capable of terminating more than 300 EDR drivers from almost every security vendor in the market. "The first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component," Talos researchers Takahiro Takeda and Holger Unterbrink said. "This secondary payload is embedded within the loader in an encrypted form." The DLL loader implements an array of techniques to evade detection. It neutralizes user-mode hooks, suppresses Event Tracing for Windows (ETW) event logs, and takes steps to conceal control flow and API invocation patterns. As a result, it allows the main EDR killer payload to be decrypted, loaded, and executed entirely in memory while entirely flying under the radar. Once launched, the malware makes use of two drivers - rwdrv.sys, a renamed version of "ThrottleStop.sys" that's used to gain access to the system's physical memory and act as a kernel-mode hardware access layer. hlpdrv.sys, to terminate processes associated with over 300 different EDR drivers belonging to various security solutions. It's worth noting that both drivers have been used as part of BYOVD attacks carried out in conjunction with Akira and Makop ransomware intrusions. "Prior to loading the second driver, the EDR killer component unregisters monitoring callbacks established by the EDR, ensuring that process termination can proceed without interference," Talos said. "It demonstrates the sophisticated tricks the malware is employing to circumvent or completely disable modern EDR protection features on compromised systems." According to statistics compiled by CYFIRMA and Cynet, Qilin has emerged as the most active ransomware group in recent months, claiming hundreds of victims. The group has been linked to 22 out of 134 ransomware incidents that were reported in Japan in 2025, representing 16.4% of all attacks. "Qilin primarily relies on stolen credentials to gain initial access," Talos said. "After successfully breaching a target environment, the group places considerable emphasis on post-compromise activities, allowing it to methodically expand its control and maximize impact." The cybersecurity vendor also noted that ransomware execution occurred on average roughly six days after the initial compromise, highlighting the need for organizations to detect malicious activity at the earliest possible stage and to prevent the deployment of ransomware. The disclosure comes as the Warlock (aka Water Manaul) ransomware group continues to exploit unpatched Microsoft SharePoint servers, while updating its toolset for enhanced persistence, lateral movement, and defense evasion.This includes the use of TightVNC for persistent control and a legitimate-but-vulnerable NSec driver ("NSecKrnl.sys") in a BYOVD attack to terminate security products at the kernel level, replacing the "googleApiUtil64.sys" driver used in prior campaigns. Also observed during the course of the Warlock attack in January 2026 were the following tools - PsExec, for lateral movement. RDP Patcher, for facilitating concurrent RDP sessions. Velociraptor, for command-and-control (C2). Visual Studio Code and Cloudflare Tunnel, for tunneling C2 communications. Yuze, for intranet penetration and establishing a reverse proxy connection to the attacker's C2 server across HTTP (port 80), HTTPS (port 443), and DNS (port 53). Rclone, for data exfiltration. To counter BYOVD threats, it's recommendedto only allow signed drivers from explicitly trusted publishers, monitor driver installation events, and maintain a rigorous patch management schedule for updating security software, specifically those with driver-based components that could be exploited. "Warlock's reliance on vulnerable drivers to disable security controls requires a multilayered defense focused on kernel integrity," Trend Micro said. "Thus, organizations must upgrade from basic endpoint protection to enforcing strict driver governance and real-time monitoring of kernel-level activities." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, endpoint security, Incident response, Kernel Security, Microsoft SharePoint, network intrusion, ransomware, Threat Intelligence Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Indicators of Compromise

• malware — msimg32.dll
• malware — rwdrv.sys
• malware — hlpdrv.sys
• malware — NSecKrnl.sys
• malware — googleApiUtil64.sys

Entities