Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools

Ravie Lakshmanan, 06 April 2026. Ransomware / Endpoint Security

Threat actors associated with the Qilin and Warlock ransomware operations have been observed using the bring-your-own-vulnerable-driver (BYOVD) technique to disable security tools on compromised hosts, according to research from Cisco Talos and Trend Micro.

The Qilin attacks analyzed by Talos were found to use a malicious DLL named “msimg32.dll” that kicks off a multi-stage infection chain designed to disable endpoint detection and response (EDR) solutions. The DLL, which is loaded via DLL side-loading, is capable of terminating more than 300 EDR drivers from security vendors across the market.

“The first step consists of a PE loader that is responsible for preparing the execution environment for the EDR killer component,” Talos researchers Takahiro Takeda and Holger Unterbrink said. “This second-stage payload is embedded in the loader in a hidden manner.”

The DLL loader employs several techniques to evade detection: it removes user-mode hooks, suppresses Event Tracing for Windows (ETW), and obfuscates both its control flow and the way it resolves and calls APIs. This allows the EDR killer’s main payload to be decrypted, loaded, and executed in memory while flying under the radar.


Once launched, the malware uses two drivers –

  • rwdrv.sys, a renamed version of “ThrottleStop.sys,” which is used to access the system’s physical memory and serves as a gateway to kernel resources.
  • hlpdrv.sys, which is used to terminate processes associated with the EDR drivers of more than 300 different security solutions.

It is worth noting that both drivers have previously been used in BYOVD attacks associated with the Akira and Makop ransomware operations.

“Before loading the second driver, the EDR killer component removes the callbacks registered by the EDR, ensuring that the termination process can proceed without interruption,” Talos said. “This shows the sophisticated tactics the malware uses to evade or completely disable modern EDR security features on compromised systems.”

According to statistics compiled by CYFIRMA and Cynet, Qilin has emerged as the most active ransomware group in recent months, claiming hundreds of victims. The group has been linked to 22 of the 134 incidents reported in Japan in 2025, or 16.4% of all attacks.

“Qilin relies heavily on stolen credentials to gain initial access,” Talos said. “After successfully breaching the target environment, the group places greater emphasis on post-compromise activity, allowing it to expand its control and increase its impact.”

The cybersecurity vendor also noted that ransomware execution occurred, on average, six days after initial compromise, underscoring the need for organizations to detect malicious activity as early as possible and prevent ransomware deployment.

The disclosure comes as the Warlock (a.k.a. Water Manaul) crew continues to exploit unpatched Microsoft SharePoint servers, while refining its toolkit for improved persistence, lateral movement, and defense evasion. This includes the use of TightVNC for persistent control and a legitimate-but-vulnerable NSec (BsysVK) driver to attack security products at the kernel level, replacing the “googleApiUtil64.sys” driver used in previous campaigns.


Also observed in the Warlock attacks in January 2026 were the following tools –

  • PsExec, for lateral movement.
  • RDP Patcher, for enabling concurrent RDP sessions.
  • Velociraptor, for command-and-control (C2).
  • Visual Studio Code and Cloudflare Tunnel, for tunneling C2 communications.
  • Yuze, for intranet penetration and for establishing a reverse proxy connection to the attacker’s C2 server over HTTP (port 80), HTTPS (port 443), and DNS (port 53).
  • Rclone, for data transfer.

To counter BYOVD threats, organizations are advised to allow only signed drivers from explicitly trusted publishers, monitor driver installation events, and maintain a robust patch management program for security software, especially products that ship exploitable driver components.
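As an added example, not code from Talos, Trend Micro, or the article, the following PowerShell script turns those three recommendations into a triage check on a Windows host: it reads the state of Microsoft’s vulnerable driver blocklist and hypervisor-protected code integrity (HVCI), enumerates installed kernel drivers and flags unsigned binaries or file names matching the drivers named in this article, and lists recent kernel-driver service installations from System event ID 7045. The driver-name list is an assumption drawn from this article; attackers rename drivers (rwdrv.sys is itself a renamed ThrottleStop.sys), so treat the name match as a starting point and rely on the signature and installation-event checks as the primary signal. Run it in an elevated PowerShell session.

```powershell
# Added BYOVD triage example; not the researchers' tooling.
# Driver names taken from this article (assumption: an attacker reuses them unrenamed).
$SuspectDriverNames = @('rwdrv.sys', 'hlpdrv.sys', 'ThrottleStop.sys', 'googleApiUtil64.sys')

function Get-DriverProtectionState {
    # Microsoft's vulnerable driver blocklist flag (Windows 11 22H2 and later) and HVCI status.
    $ciConfig = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklistEnabled = [bool]($ciConfig -and $ciConfig.VulnerableDriverBlocklistEnable -eq 1)

    $deviceGuard = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning contains 2 when hypervisor-enforced code integrity is active.
    $hvciRunning = [bool]($deviceGuard -and ($deviceGuard.SecurityServicesRunning -contains 2))

    [PSCustomObject]@{
        VulnerableDriverBlocklist = $blocklistEnabled
        HVCIRunning               = $hvciRunning
    }
}

function Get-SuspiciousDrivers {
    # Walk every installed kernel driver service and report unsigned files or name matches.
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = $d.PathName
        if (-not $path) { continue }
        # Normalise NT-style paths (\??\C:\... and \SystemRoot\...) to Win32 paths.
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $leaf     = Split-Path -Leaf $path
        $sig      = Get-AuthenticodeSignature -FilePath $path
        $nameHit  = $SuspectDriverNames -contains $leaf   # -contains is case-insensitive
        $unsigned = $sig.Status -ne 'Valid'
        if (-not ($nameHit -or $unsigned)) { continue }

        $reason = if ($nameHit) { 'name matches driver from this article' } else { 'signature not valid' }
        [PSCustomObject]@{
            Service   = $d.Name
            Path      = $path
            State     = $d.State
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            Reason    = $reason
        }
    }
}

function Get-RecentDriverInstalls {
    param([int]$Days = 7)
    # Service Control Manager writes event 7045 when a service is created; BYOVD loaders
    # register the dropped .sys as a kernel-mode driver service, so filter on ServiceType.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data['ServiceType'] -match 'kernel mode driver') {
                [PSCustomObject]@{
                    Time        = $_.TimeCreated
                    ServiceName = $data['ServiceName']
                    ImagePath   = $data['ImagePath']
                    StartType   = $data['StartType']
                    Installer   = $data['AccountName']
                }
            }
        }
}

Write-Host '== Platform driver protections =='
Get-DriverProtectionState | Format-List
Write-Host '== Unsigned or article-listed kernel drivers =='
Get-SuspiciousDrivers | Format-Table -AutoSize
Write-Host '== Kernel-driver service installs, last 7 days (event 7045) =='
Get-RecentDriverInstalls | Format-Table -AutoSize
```

A driver that is validly signed can still be the vulnerable one the attacker brought along, which is why the first check matters: with the blocklist and HVCI enforced, the signed-but-exploitable driver is refused at load time rather than merely logged. The 7045 output is the one to wire into an alert, since a fresh kernel-mode service pointing at a file outside the normal driver store, installed by an interactive account, is the BYOVD pattern the article describes.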

“Warlock’s reliance on vulnerable drivers to disable security controls requires a multi-layered security approach that focuses on kernel integrity,” Trend Micro said. “Organizations must therefore upgrade from basic endpoint security to enforcing strict driver governance and real-time monitoring of kernel-level operations.”
