[{"data":1,"prerenderedAt":198},["ShallowReactive",2],{"article-slug-qilin-ransomware-deploys-advanced-edr-killer-to-blind-defenses":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":29,"sources":30,"events":41,"mitre_techniques":42,"mitre_mitigations":62,"d3fend_countermeasures":137,"iocs":146,"cyber_observables":157,"tags":179,"extract_datetime":186,"article_type":187,"impact_scope":188,"pub_date":196,"reading_time_minutes":197,"createdAt":186,"updatedAt":186},"657a66c5-cf9d-4b34-9b18-2856eb0faf0d","qilin-ransomware-deploys-advanced-edr-killer-to-blind-defenses","Qilin Ransomware Blinds Defenses with Advanced EDR Killer, Abusing Vulnerable Drivers","Qilin Ransomware Uses Sophisticated EDR Killer to Disable Over 300 Security Products","The Qilin ransomware group is using a sophisticated, multi-stage attack to neutralize endpoint security solutions before encrypting systems. According to analysis by Cisco Talos, the attack uses DLL side-loading and a \"bring your own vulnerable driver\" (BYOVD) technique to gain kernel-level access. By abusing a legitimately signed driver (`rwdrv.sys`), the malware manipulates kernel memory to unregister the monitoring callbacks of over 300 different EDR products, effectively blinding them. This advanced defense evasion highlights a significant escalation in ransomware tactics.","## Executive Summary\n\nThe **[Qilin](https://malpedia.caad.fkie.fraunhofer.de/actor/qilin)** ransomware-as-a-service (RaaS) operation is deploying a highly advanced, multi-stage infection chain specifically designed to disable Endpoint Detection and Response (EDR) solutions. 
Research from **[Cisco Talos](https://www.talosintelligence.com/)** details how the attackers use a combination of DLL side-loading, in-memory execution, and the \"bring your own vulnerable driver\" (BYOVD) technique to systematically dismantle security defenses at the kernel level. The malware abuses a legitimately signed but vulnerable driver (`rwdrv.sys`) to gain read/write access to kernel memory, which it then uses to find and unregister the callbacks for over 300 different EDR drivers. This effectively renders the security tools blind and powerless, allowing the ransomware to execute unimpeded. This tactic represents a significant evolution in ransomware tradecraft, focusing on the complete neutralization of the security stack as a standard operational step.\n\n---\n\n## Threat Overview\n\nThe attack demonstrates a deep understanding of Windows internals and EDR product architecture. The primary goal is defense evasion to ensure the successful execution of the final ransomware payload. The operation is notable for its stealth and sophistication, executing almost entirely in memory to avoid detection by traditional file-based antivirus.\n\nThe group, also known as Agenda, Gold Feather, or Water Galura, has a high operational tempo, claiming over 40 victims per month.\n\n## Technical Analysis\n\nThe attack chain is a masterclass in defense evasion.\n\n**Infection Chain:**\n1.  **DLL Side-Loading:** The attack begins when a legitimate, signed application (e.g., `FoxitPDFReader.exe`) is executed from a directory containing a malicious DLL named `msimg32.dll`. The legitimate application loads the malicious DLL instead of the real one from the system directory.\n2.  **In-Memory Execution:** The malicious `msimg32.dll` acts as a loader. It forwards legitimate function calls to the real system DLL to maintain normal application behavior while initiating a four-stage, in-memory loading process for its final payload. This avoids writing malicious files to disk.\n3.  
**Evasion Techniques:** The loader employs advanced evasion techniques, including suppressing Event Tracing for Windows (ETW) to blind logging and using Structured Exception Handling (SEH) to obfuscate its own execution flow.\n4.  **Bring Your Own Vulnerable Driver (BYOVD):** The final payload is the EDR killer. It drops and loads a legitimately signed but vulnerable driver, `rwdrv.sys` (a renamed version of `ThrottleStop.sys`). A flaw in this driver lets user-mode applications gain arbitrary read/write access to kernel memory.\n5.  **Kernel-Level Manipulation:** Using the access granted by `rwdrv.sys`, the malware scans kernel memory to locate the callback routines registered by EDR drivers. These callbacks are what allow EDR products to monitor events like process creation, thread creation, and image loading.\n6.  **Disabling EDR:** The malware systematically unregisters or overwrites the pointers for these callbacks, effectively detaching the EDR product from the kernel. With its eyes and ears gone, the EDR is rendered useless.\n7.  
**Ransomware Execution:** With defenses disabled, the malware loads a second driver, `hlpdrv.sys`, to terminate the now-unprotected EDR processes and then proceeds to deploy the Qilin ransomware payload to encrypt the system.\n\n**MITRE ATT&CK TTPs:**\n- [`T1562.001 - Disable or Modify Tools`](https://attack.mitre.org/techniques/T1562/001/): The primary goal of the EDR killer payload.\n- [`T1574.002 - DLL Side-Loading`](https://attack.mitre.org/techniques/T1574/002/): The initial execution vector.\n- [`T1055.001 - Dynamic-link Library Injection`](https://attack.mitre.org/techniques/T1055/001/): The malware uses a multi-stage loader process in memory.\n- [`T1068 - Exploitation for Privilege Escalation`](https://attack.mitre.org/techniques/T1068/): The BYOVD technique is used to escalate privileges from user-mode to kernel-mode.\n- [`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/): The final objective of the Qilin ransomware.\n\n## Impact Assessment\n\nThe use of such a sophisticated EDR killer significantly increases the probability of a successful ransomware attack. Organizations that rely solely on their EDR solution for protection are left completely vulnerable. A successful Qilin attack leads to widespread data encryption, operational downtime, and financial losses from recovery efforts and potential ransom payments. The technical sophistication required to reverse-engineer and defeat this attack means that recovery can be complex and costly. 
This tactic effectively resets the balance of power between attackers and defenders, forcing security vendors to develop new methods of tamper protection for their kernel-level components.\n\n## IOCs — Directly from Articles\n\n| Type | Value | Description |\n| :--- | :--- | :--- |\n| File Name | `msimg32.dll` | Malicious loader DLL used in side-loading attack |\n| File Name | `rwdrv.sys` | Renamed, vulnerable, signed driver (ThrottleStop.sys) used for kernel access |\n| File Name | `hlpdrv.sys` | Second driver used to terminate EDR processes |\n\n## Cyber Observables — Hunting Hints\n\nSecurity teams should hunt for the following indicators of a Qilin attack:\n\n| Type | Value | Description | Context |\n| :--- | :--- | :--- | :--- |\n| File Name | `rwdrv.sys` or `ThrottleStop.sys` | The presence of this driver, especially if recently created or loaded by an unusual process, is highly suspicious. | EDR, Sysmon Event ID 6 (Driver Loaded). |\n| Process Name | `FoxitPDFReader.exe` (or other legitimate apps) | Look for legitimate applications spawning unusual child processes or making suspicious network connections. | EDR process tree analysis. |\n| Registry Key | `HKLM\\SYSTEM\\CurrentControlSet\\Services\\rwdrv` | Creation of a new service to load the vulnerable driver. | Registry monitoring, Sysmon Event ID 12/13. |\n| Log Source | EDR/AV Logs | Alerts indicating that the EDR/AV service has stopped unexpectedly or that tamper protection has been triggered. | Security tool health monitoring. |\n\n## Detection & Response\n\n**Detection:**\n1.  **Driver Monitoring:** Monitor for the loading of any new or non-standard drivers. Use a driver blocklist to prevent known vulnerable drivers like `rwdrv.sys` from being loaded.\n2.  **Tamper Protection:** Ensure that the tamper protection features of your EDR solution are enabled and configured to the highest level.\n3.  
**Behavioral Detections:** While the EDR may be blinded, other security tools (network, identity) may still detect downstream activity. Treat a sudden loss of telemetry from an endpoint as a key indicator of compromise.\n\n**Response:**\n1.  **Isolate:** If an endpoint suddenly stops reporting to the EDR console, immediately isolate it from the network as a precaution.\n2.  **Preserve and Analyze:** Do not simply re-image the machine. Preserve a forensic image to analyze how the EDR was bypassed. This is critical intelligence for improving defenses.\n\n## Mitigation\n\n1.  **Driver Blocklisting:** Use technologies like Windows Defender Application Control (WDAC) to create policies that block known vulnerable drivers from being loaded into the kernel.\n2.  **Attack Surface Reduction (ASR):** Implement ASR rules to block legitimate applications from being abused in DLL side-loading attacks.\n3.  **Kernel-Level Security:** Enable virtualization-based security features like Hypervisor-Protected Code Integrity (HVCI), which can make it more difficult for attackers to load malicious drivers or modify kernel memory.","🔥 Qilin ransomware deploys a sophisticated EDR killer, using a vulnerable signed driver (BYOVD) to disable over 300 security products at the kernel level. A major escalation in defense evasion tactics. 
#Ransomware #Qilin #EDR #CyberSecurity #BYOVD","The Qilin ransomware group is using a sophisticated, multi-stage attack with a \"bring your own vulnerable driver\" (BYOVD) technique to disable hundreds of EDR solutions before encryption.",[13,14,15],"Ransomware","Malware","Cyberattack","critical",[18,22,26],{"name":19,"type":20,"url":21},"Qilin","threat_actor","https://malpedia.caad.fkie.fraunhofer.de/actor/qilin",{"name":23,"type":24,"url":25},"Cisco Talos","security_organization","https://www.talosintelligence.com/",{"name":27,"type":28},"Qilin Ransomware","malware",[],[31,36],{"url":32,"title":33,"date":34,"friendly_name":23,"website":35},"https://blog.talosintelligence.com/qilin-edr-killer-infection-chain/","Qilin EDR killer infection chain","2026-04-02","talosintelligence.com",{"url":37,"title":38,"date":34,"friendly_name":39,"website":40},"https://cybersecuritynews.co.uk/qilin-ransomware-uses-malicious-dll-to-kill-almost-every-vendors-edr-solutions/","Qilin Ransomware Uses Malicious DLL to Kill Almost Every Vendor’s EDR Solutions","Cybersecurity News","cybersecuritynews.co.uk",[],[43,47,51,54,58],{"id":44,"name":45,"tactic":46},"T1562.001","Disable or Modify Tools","Defense Evasion",{"id":48,"name":49,"tactic":50},"T1574.002","DLL Side-Loading","Persistence",{"id":52,"name":53,"tactic":46},"T1055.001","Dynamic-link Library Injection",{"id":55,"name":56,"tactic":57},"T1548.002","Bypass User Account Control","Privilege Escalation",{"id":59,"name":60,"tactic":61},"T1486","Data Encrypted for Impact","Impact",[63,85,100],{"id":64,"name":65,"d3fend_techniques":66,"description":83,"domain":84},"M1038","Execution Prevention",[67,71,75,79],{"id":68,"name":69,"url":70},"D3-DLIC","Driver Load Integrity Checking","https://d3fend.mitre.org/technique/d3f:DriverLoadIntegrityChecking",{"id":72,"name":73,"url":74},"D3-EAL","Executable Allowlisting","https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting",{"id":76,"name":77,"url":78},"D3-EDL","Executable 
Denylisting","https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting",{"id":80,"name":81,"url":82},"D3-PSEP","Process Segment Execution Prevention","https://d3fend.mitre.org/technique/d3f:ProcessSegmentExecutionPrevention","Use application control solutions like WDAC to block known vulnerable drivers from being loaded.","enterprise",{"id":86,"name":87,"d3fend_techniques":88,"description":99,"domain":84},"M1025","Privileged Process Integrity",[89,93,94,95],{"id":90,"name":91,"url":92},"D3-BA","Bootloader Authentication","https://d3fend.mitre.org/technique/d3f:BootloaderAuthentication",{"id":68,"name":69,"url":70},{"id":80,"name":81,"url":82},{"id":96,"name":97,"url":98},"D3-SCF","System Call Filtering","https://d3fend.mitre.org/technique/d3f:SystemCallFiltering","Enable virtualization-based security (VBS) and Hypervisor-Protected Code Integrity (HVCI) to protect the kernel from manipulation.",{"id":101,"name":102,"d3fend_techniques":103,"description":136,"domain":84},"M1040","Behavior Prevention on Endpoint",[104,108,112,116,120,124,128,132],{"id":105,"name":106,"url":107},"D3-ANET","Authentication Event Thresholding","https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding",{"id":109,"name":110,"url":111},"D3-AZET","Authorization Event Thresholding","https://d3fend.mitre.org/technique/d3f:AuthorizationEventThresholding",{"id":113,"name":114,"url":115},"D3-JFAPA","Job Function Access Pattern Analysis","https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis",{"id":117,"name":118,"url":119},"D3-RAPA","Resource Access Pattern Analysis","https://d3fend.mitre.org/technique/d3f:ResourceAccessPatternAnalysis",{"id":121,"name":122,"url":123},"D3-SDA","Session Duration Analysis","https://d3fend.mitre.org/technique/d3f:SessionDurationAnalysis",{"id":125,"name":126,"url":127},"D3-UDTA","User Data Transfer Analysis","https://d3fend.mitre.org/technique/d3f:UserDataTransferAnalysis",{"id":129,"name":130,"url":131},"D3-UGLPA","User Geolocation 
Logon Pattern Analysis","https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis",{"id":133,"name":134,"url":135},"D3-WSAA","Web Session Activity Analysis","https://d3fend.mitre.org/technique/d3f:WebSessionActivityAnalysis","Ensure EDR tamper protection is enabled and monitor for alerts indicating the security service has been stopped or modified.",[138,140],{"technique_id":68,"technique_name":69,"url":70,"recommendation":139,"mitre_mitigation_id":86},"To directly counter the Qilin ransomware's BYOVD technique, organizations must implement robust driver load integrity checking. The most effective way to do this on Windows systems is through Windows Defender Application Control (WDAC) and Hypervisor-Protected Code Integrity (HVCI). A WDAC policy can be created to explicitly block known vulnerable drivers like `rwdrv.sys` (and its original `ThrottleStop.sys`) by hash or signing certificate. This prevents the driver from ever being loaded into the kernel, stopping the attack chain before it can gain kernel memory access. For a more advanced posture, HVCI uses virtualization-based security (VBS) to protect the kernel from modification, making it significantly harder for even a malicious driver to manipulate kernel structures like EDR callbacks. Implementing a strict WDAC policy that only allows known, good drivers to load is the ultimate defense against this entire class of attack.",{"technique_id":141,"technique_name":142,"url":143,"recommendation":144,"mitre_mitigation_id":145},"D3-PA","Process Analysis","https://d3fend.mitre.org/technique/d3f:ProcessAnalysis","For detecting the initial stages of the Qilin attack, detailed process analysis is key. Security teams should configure EDR and SIEM solutions to monitor for the specific behaviors of the DLL side-loading technique. 
Create detection rules that look for a legitimate, signed executable (like `FoxitPDFReader.exe`) loading a DLL (like `msimg32.dll`) from a non-standard path (e.g., the same directory as the executable, instead of `System32`). Further, analyze the process tree: is this legitimate application suddenly creating a new service, writing a `.sys` file to disk, or attempting to load a driver? This chain of events is highly anomalous and a strong indicator of compromise. Even if the EDR is later blinded, detecting this initial activity provides a crucial window for incident responders to isolate the host and prevent the final ransomware payload from executing.","M1049",[147,151,154],{"type":148,"value":149,"description":150},"file_name","msimg32.dll","Malicious loader DLL used in side-loading attack",{"type":148,"value":152,"description":153},"rwdrv.sys","Renamed, vulnerable, signed driver (ThrottleStop.sys) used for kernel access",{"type":148,"value":155,"description":156},"hlpdrv.sys","Second driver used to terminate EDR processes",[158,164,170,175],{"type":159,"value":160,"description":161,"context":162,"confidence":163},"log_source","Sysmon Event ID 6","Monitor for driver loading events, specifically for `rwdrv.sys` or `ThrottleStop.sys`. 
The hash and signature can be used for verification.","Windows Event Logs, SIEM.","high",{"type":165,"value":166,"description":167,"context":168,"confidence":169},"process_name","FoxitPDFReader.exe","Look for legitimate applications like Foxit Reader loading `msimg32.dll` from a non-system directory or spawning unusual child processes.","EDR process tree analysis.","medium",{"type":171,"value":172,"description":173,"context":174,"confidence":163},"registry_key","HKLM\\SYSTEM\\CurrentControlSet\\Services\\rwdrv","Creation of a new service to load the vulnerable `rwdrv.sys` driver is a strong indicator of compromise.","Registry monitoring, Sysmon Event ID 12/13.",{"type":159,"value":176,"description":177,"context":178,"confidence":163},"EDR/AV Logs","An alert indicating that the EDR/AV service has stopped unexpectedly or that tamper protection has been triggered should be treated as a critical incident.","Security tool health monitoring dashboard, SIEM.",[19,180,181,182,183,184,23,185],"ransomware","EDR","BYOVD","kernel","defense evasion","DLL side-loading","2026-04-21T15:00:00.000Z","Analysis",{"geographic_scope":189,"industries_affected":190,"other_affected":194},"global",[191,192,193],"Technology","Healthcare","Manufacturing",[195],"Users of over 300 different EDR products","2026-04-21",6,1776792986458]