Qilin Ransomware Uses DLL Sideloading to Disable 300+ EDR Drivers
Cisco Talos reported that the Qilin ransomware operation is using a multi-stage infection chain built around a malicious side-loaded msimg32.dll to blind defenses before later-stage payloads run. The attack can begin when a legitimate application such as FoxitPDFReader.exe loads the rogue DLL, which forwards expected API calls to the real Windows library to avoid suspicion while decrypting and executing additional payloads entirely in memory. Researchers said the loader employs layered evasion, including SEH/VEH-based control-flow obfuscation, indirect syscall recovery similar to Halo’s Gate, ETW suppression, anti-debugging checks, and geofencing that avoids systems configured for post-Soviet locales.
In the final stage, the malware deploys an EDR killer that can disable more than 300 endpoint security drivers by abusing two helper drivers, rwdrv.sys and hlpdrv.sys. Talos said the tooling uses physical memory access, kernel object manipulation, termination of protected EDR processes, and removal of kernel callbacks used for monitoring; it also temporarily interferes with Code Integrity checks before restoring the CiValidateImageHeader callback. The campaign shows Qilin—also tracked as Agenda, Gold Feather, and Water Galura—continuing to target the defense stack itself early in execution, giving ransomware operators a better chance of deploying encryption and follow-on payloads without detection.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Derp publishes reverse-engineering teardown of Qilin Windows encryptor
Derp analyzed a recovered Rust-based Qilin ransomware binary and disclosed details of its operation, including intermittent encryption using AES-256-CTR or ChaCha20, a 550-byte footer with an RSA-OAEP-wrapped key, embedded spreader and PsExec tooling, and per-build RSA-4096 public keys. The teardown also found the sample's password check was effectively bypassed by an unconditional jump, meaning any non-empty password would be accepted at runtime.
Trend Micro links Warlock BYOVD attacks to SharePoint intrusions
Trend Micro reported that the Warlock ransomware group, also known as Water Manaul, exploited unpatched Microsoft SharePoint servers and used a vulnerable NSec driver in BYOVD attacks to terminate security products at the kernel level. The campaigns also employed tools including TightVNC, PsExec, RDP Patcher, Velociraptor, Visual Studio Code, Cloudflare Tunnel, Yuze, and Rclone for persistence, lateral movement, tunneling, and data exfiltration.
Talos documents Qilin's multi-stage EDR-killer infection chain
Cisco Talos reported that Qilin ransomware attacks used a malicious side-loaded msimg32.dll as the first stage of a multi-stage infection chain. The chain used anti-analysis and evasion techniques and culminated in an EDR-killer payload that could disable more than 300 EDR drivers using the helper drivers rwdrv.sys and hlpdrv.sys.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Qilin: reverse-engineering the Windows build behind 1,000+ victims | Derp
derp.ca
Open sourceQilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools
thehackernews.com
Open sourceQilin Ransomware Uses Malicious DLL to Kill Almost Every Vendor's EDR Solutions - Cyber Security News
cybersecuritynews.com
Open sourceQilin EDR killer infection chain
blog.talosintelligence.com
Open sourceQilin EDR killer infection chain - Infosec.Pub
infosec.pub
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Qilin (Agenda) Ransomware Deploys Linux Binaries on Windows via Remote Management Tools
The Qilin ransomware group, also known as Agenda, has adopted a sophisticated cross-platform attack strategy by deploying Linux-based ransomware binaries on Windows systems. This technique leverages legitimate remote management and file transfer tools such as Splashtop, WinSCP, AnyDesk, ATERA RMM, ScreenConnect, and MeshCentral to bypass traditional Windows-centric endpoint detection and response (EDR) solutions. Attackers gain initial access through social engineering, including fake CAPTCHA pages, and use credential theft to facilitate lateral movement and privilege escalation. The group also employs Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security defenses and steals backup credentials, particularly from Veeam, to prevent recovery and maximize extortion leverage. Qilin's operations have impacted over 700 victims globally since January 2025, with a focus on sectors such as manufacturing, professional and scientific services, and wholesale trade. The group uses a double-extortion model, exfiltrating sensitive data with tools like Cyberduck before encrypting files and threatening public disclosure. Qilin's affiliates have been observed using a variety of post-exploitation tools, including Mimikatz and custom scripts, to harvest credentials and exfiltrate data. The group's rapid evolution and ability to evade detection highlight the growing sophistication of ransomware-as-a-service (RaaS) operations targeting organizations worldwide.
Mar 21, 2026
Interlock Ransomware Uses BYOVD Anti-Cheat Driver Flaw to Disable EDR
Fortinet/FortiGuard Labs reported that the **Interlock** ransomware group—described as a smaller, non-**RaaS** operation—ran a months-long intrusion campaign primarily targeting the **education sector** in the US and UK. Initial access was observed via **MintLoader**, including “ClickFix” social-engineering lures, followed by post-compromise activity using a JavaScript implant referred to as **NodeSnakeRAT**, lateral movement with valid accounts and living-off-the-land techniques, and broad discovery prior to impact. The operation follows a **double-extortion** pattern, with data exfiltration (including use of `AZcopy`) preceding ransomware deployment, and has been observed impacting both Windows endpoints and **Nutanix** hypervisor environments. A key technical finding is Interlock’s use of a **Bring Your Own Vulnerable Driver (BYOVD)** technique to neutralize endpoint defenses. Researchers identified a custom tool dubbed **“Hotta Killer”** (associated with `polers.dll`) that drops a kernel driver `UpdateCheckerX64.sys`, described as a renamed vulnerable anti-cheat driver (`GameDriverx64.sys`, **CVE-2025-61155**). Because the driver is legitimate and digitally signed, it can pass initial trust checks; once loaded, it is abused for kernel-level process termination to **kill EDR/AV processes**, with reporting noting targeting of **Fortinet** security tooling specifically, enabling subsequent ransomware execution with reduced detection and response capability.
Mar 21, 2026
Qilin Ransomware's Surge and High-Profile Attacks on Global Organizations
The Qilin ransomware group has emerged as one of the most prolific ransomware operations, claiming responsibility for over 500 attacks in the past six months and targeting major organizations worldwide. Notably, Qilin has allegedly stolen 10 GB of data from International Game Technology (IGT), a multinational provider in the gaming and fintech sectors, with over 21,000 files reportedly exfiltrated. The group has also targeted other high-profile victims, including Cornerstone Staffing Solutions, Spark Power, and Habib Bank AG Zurich, and is known to collaborate with other ransomware operations such as DragonForce and LockBit. Qilin, along with Akira and INC, accounted for 65% of ransomware attacks in Q3 2025, with a significant portion of these incidents facilitated by compromised VPN credentials. Ransomware activity has seen a marked increase globally, with leak posts rising by 11% over the previous quarter and a surge in attacks reported in October. Attackers are increasingly exploiting vulnerabilities in VPNs and external services, and the prevalence of zero-day vulnerabilities has also grown, with notable bugs affecting Citrix NetScaler, CrushFTP, and Microsoft SharePoint. Security experts recommend organizations implement multi-factor authentication and strengthen vulnerability management practices to mitigate the escalating ransomware threat landscape.
Mar 21, 2026