{"id":503,"date":"2026-04-06T10:45:14","date_gmt":"2026-04-06T10:45:14","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=503"},"modified":"2026-04-06T10:45:14","modified_gmt":"2026-04-06T10:45:14","slug":"qilin-and-warlock-ransomware-use-vulnerable-drivers-to-disable-300-edr-tools","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=503","title":{"rendered":"Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 06, 2026<\/span><\/span><span class=\"p-tags\">Ransomware \/ Endpoint Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgtrUKOrJ2Y_pSYHNcKDjbrBsZa2igYlNorTwmH31JNSjdA7VP84kXj23nmkk7DTqlrCUsfCjNo6xt-niyZeKeCR7VtBzMWW9eNUKzU0WGnpmw2yYjHBdboP2uF2UA8CCsdclyeDlRJcU7DEOD8OrFthlhQX-OkgePmyT__ZDQA4IXgRYbnNtp21MoleCTU\/s1700-e365\/lock-ransomware.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>Threat actors associated\u00a0with Qilin\u00a0and Warlock ransomware operations\u00a0have been\u00a0observed using the bring your own vulnerable driver\u00a0(BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend\u00a0Micro.<\/p>\n<p>Qilin attacks analyzed by Talos\u00a0have been\u00a0found to deploy a malicious DLL named \u00abmsimg32.dll,\u00bb which initiates a multi-stage infection chain to disable endpoint detection and response (EDR) solutions. The\u00a0DLL, launched via DLL side-loading, is capable of terminating more than 300 EDR drivers from almost every security vendor in the\u00a0market.<\/p>\n<p>\u00abThe first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component,\u00bb Talos researchers Takahiro Takeda and Holger Unterbrink <a href=\"https:\/\/blog.talosintelligence.com\/qilin-edr-killer\/\">said<\/a>. \u00abThis secondary payload is embedded within the loader in an encrypted\u00a0form.\u00bb<\/p>\n<p>The DLL\u00a0loader implements an\u00a0array of techniques to evade detection. It\u00a0neutralizes user-mode hooks, suppresses Event Tracing for Windows (ETW) event logs, and takes steps to conceal control flow and API invocation\u00a0patterns. As a result,\u00a0it allows the main EDR killer payload\u00a0to be\u00a0decrypted, loaded, and executed entirely in\u00a0memory while entirely flying under the\u00a0radar.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/vpn-risk-report-inside-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgWajeG0cdaapf1GKTZRUZUB7BzuYGegyw5k0eAorJXlmkFdYCCeLXXhXYJuXU9lWD33rV6rRnIyly3czoNfYifpxk1eGA5slItPmim3HkubXoQMgC4J7hdQPywxGbWq7Eqeff_o6s2Fq-WmSFd5guwdLn7IqpveMqULqtVnd-ndnljWYGj45EkMFB7m0qm\/s728-e100\/z-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Once launched, the malware makes use of two drivers\u00a0&#8211;<\/p>\n<ul>\n<li>rwdrv.sys, a renamed version of \u00abThrottleStop.sys\u00bb that&#8217;s used to gain access to the system&#8217;s physical memory and act as a kernel-mode hardware access layer.<\/li>\n<li>hlpdrv.sys, to terminate processes associated with over 300 different EDR drivers belonging to various security solutions.<\/li>\n<\/ul>\n<p>It&#8217;s worth noting that both drivers have been used as part of BYOVD attacks carried out in conjunction\u00a0with Akira\u00a0and Makop ransomware intrusions.<\/p>\n<p><a name=\"more\"\/><\/p>\n<p>\u00abPrior\u00a0to loading the second driver, the EDR killer component unregisters monitoring callbacks established by the EDR, ensuring that process termination can proceed without interference,\u00bb Talos said. \u00abIt demonstrates the sophisticated tricks the malware is employing to circumvent or completely disable modern EDR protection features on compromised\u00a0systems.\u00bb<\/p>\n<p>According to statistics compiled\u00a0by <a href=\"https:\/\/www.cyfirma.com\/research\/tracking-ransomware-jan-2026\/\">CYFIRMA<\/a>\u00a0and <a href=\"https:\/\/www.cynet.com\/blog\/qilin-green-blood-0apt-ransomware-groups-to-watch-march-2026\/\">Cynet<\/a>, Qilin\u00a0has <a href=\"https:\/\/blog.talosintelligence.com\/ransomware-in-2025-blending-in-is-the-strategy\/\">emerged<\/a> as the most active ransomware group in recent months, claiming hundreds of victims. The\u00a0group\u00a0has been\u00a0linked to 22 out of 134 ransomware incidents that were reported in Japan in 2025, representing 16.4% of all\u00a0attacks.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj-G9T7oKmDVk_OCp7UjRDNUMcVCIIE-5hhpBsbE6ExXVl5WQNNT2c_TLAKaAK5cif1q8w58uBc-VuYmexWWYrcLnlM__0P5u8Wsopcg1tnIgfVOY7oOMzwUr8ttFXPArBUYxX22ugl5qAiOKsNzTqwPbVLkindO-2j-UP57d3ylUVh5MQO27NkXKCyAuHN\/s1700-e365\/talos.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj-G9T7oKmDVk_OCp7UjRDNUMcVCIIE-5hhpBsbE6ExXVl5WQNNT2c_TLAKaAK5cif1q8w58uBc-VuYmexWWYrcLnlM__0P5u8Wsopcg1tnIgfVOY7oOMzwUr8ttFXPArBUYxX22ugl5qAiOKsNzTqwPbVLkindO-2j-UP57d3ylUVh5MQO27NkXKCyAuHN\/s1700-e365\/talos.jpg\" alt=\"\" border=\"0\" data-original-height=\"590\" data-original-width=\"1000\"\/><\/a><\/div>\n<p>\u00abQilin primarily relies on stolen credentials to gain initial access,\u00bb\u00a0Talos <a href=\"https:\/\/blog.talosintelligence.com\/an-overview-of-ransomware-threats-in-japan-in-2025-and-early-detection-insights-from-qilin-cases\/\">said<\/a>. \u00abAfter successfully breaching a target environment, the group places considerable emphasis on post-compromise activities, allowing\u00a0it to methodically expand its control and maximize\u00a0impact.\u00bb<\/p>\n<p>The\u00a0cybersecurity vendor also noted that ransomware execution occurred on average roughly six days after the initial compromise, highlighting the need for organizations to detect malicious activity at the earliest possible stage and to prevent the deployment of ransomware.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiCYR3RFB_n5fGH99dW-begvmy-YET_Kxz3EdTkFIpO3ORgOxMi6g_7C2LKHwolltluGw7jZpmO6HPQ8VuD9U5z8-MITHHk_8G8v_uGakfjKPmuYN_B6tJqdmSp_bmYpaCpMt_WuXmQH6uMxnoUClPwykfoJDpiMNBdA2CewDoXvmlMQnF_qRxEwmSDcIrq\/s1700-e365\/ransomware.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiCYR3RFB_n5fGH99dW-begvmy-YET_Kxz3EdTkFIpO3ORgOxMi6g_7C2LKHwolltluGw7jZpmO6HPQ8VuD9U5z8-MITHHk_8G8v_uGakfjKPmuYN_B6tJqdmSp_bmYpaCpMt_WuXmQH6uMxnoUClPwykfoJDpiMNBdA2CewDoXvmlMQnF_qRxEwmSDcIrq\/s1700-e365\/ransomware.jpg\" alt=\"\" border=\"0\" data-original-height=\"897\" data-original-width=\"1000\"\/><\/a><\/div>\n<p>The\u00a0disclosure comes as the Warlock\u00a0(aka\u00a0Water Manaul) ransomware group continues to exploit unpatched Microsoft SharePoint servers, while updating its toolset for enhanced persistence, lateral movement, and defense\u00a0evasion.This\u00a0includes the use\u00a0of TightVNC for persistent control and a legitimate-but-vulnerable <a href=\"https:\/\/github.com\/BlackSnufkin\/BYOVD\">NSec\u00a0driver<\/a> (\u00abNSecKrnl.sys\u00bb) in a BYOVD attack to terminate security products at the kernel level, replacing the \u00abgoogleApiUtil64.sys\u00bb driver used in prior campaigns.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Also\u00a0observed during the course of the Warlock attack in January 2026 were the following tools\u00a0&#8211;<\/p>\n<ul>\n<li><a href=\"https:\/\/www.silverfort.com\/glossary\/psexec\/\">PsExec<\/a>, for lateral movement.<\/li>\n<li>RDP Patcher, for facilitating concurrent RDP sessions.<\/li>\n<li>Velociraptor, for command-and-control (C2).<\/li>\n<li>Visual Studio Code and Cloudflare Tunnel, for tunneling C2 communications.<\/li>\n<li><a href=\"https:\/\/github.com\/P001water\/yuze\">Yuze<\/a>, for intranet penetration and establishing a reverse proxy connection to the attacker&#8217;s C2 server across HTTP (port 80), HTTPS (port 443), and DNS (port 53).<\/li>\n<li>Rclone, for data exfiltration.<\/li>\n<\/ul>\n<p>To\u00a0counter BYOVD\u00a0threats, it&#8217;s recommendedto only allow signed drivers from explicitly trusted publishers, monitor driver installation events, and maintain a rigorous patch management schedule for updating security software, specifically those with driver-based components\u00a0that could be\u00a0exploited.\u00a0<\/p>\n<p>\u00abWarlock&#8217;s reliance on vulnerable drivers to disable security controls requires a multilayered defense focused on kernel integrity,\u00bb Trend\u00a0Micro <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/dissecting-a-warlock-attack.html\">said<\/a>. \u00abThus, organizations must upgrade from basic endpoint protection to enforcing strict driver governance and real-time monitoring of kernel-level activities.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 06, 2026Ransomware \/ Endpoint Security Threat actors associated\u00a0with Qilin\u00a0and Warlock ransomware operations\u00a0have been\u00a0observed using the bring your own vulnerable driver\u00a0(BYOVD) technique to silence security tools running on compromised&hellip;<\/p>\n","protected":false},"author":1,"featured_media":504,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[772,771,632,1085,93,261,770,1086],"class_list":["post-503","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-disable","tag-drivers","tag-edr","tag-qilin","tag-ransomware","tag-tools","tag-vulnerable","tag-warlock"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=503"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/503\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/504"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}