Qilin and Warlock ransomware uses vulnerable drivers to disable over 300 EDR tools

Ravi Lakshmanan | April 6, 2026 | Ransomware / Endpoint Security

According to Cisco Talos and Trend Micro research, threat actors associated with Qilin and Warlock ransomware operations have been observed using Bring Your Own Vulnerability Driver (BYOVD) techniques to silence security tools running on compromised hosts.

The Qilin attack analyzed by Talos deployed a malicious DLL named ‘msimg32.dll’ that started a multi-step infection chain and disabled endpoint detection and response (EDR) solutions. This DLL, launched via DLL sideloading, can terminate over 300 EDR drivers from almost every security vendor on the market.

“The first stage consists of the PE loader, which is responsible for preparing the execution environment for the EDR killer component,” said Talos researchers Takahiro Takeda and Holger Unterbrink. “This secondary payload is embedded within the loader in encrypted form.”

The DLL loader implements a series of detection-evasion techniques: it disables user-mode hooks, suppresses Event Tracing for Windows (ETW) event logging, and takes steps to obscure its control flow and API call patterns. As a result, the main EDR killer payload can be decrypted, loaded, and executed entirely in memory while flying completely under the radar.

Once launched, the malware utilizes two drivers:

  • rwdrv.sys, a renamed copy of “ThrottleStop.sys”, is used to access the system’s physical memory and acts as a kernel-mode hardware access layer.
  • hlpdrv.sys terminates processes belonging to over 300 different EDR drivers from various security solutions.

It is worth noting that both drivers have previously been used in BYOVD attacks carried out as part of Akira and Makop ransomware intrusions.

“Before loading the second driver, the EDR killer component unregisters the monitoring callbacks established by EDR, allowing process termination to proceed without interference,” Talos said. “This demonstrates the sophisticated tricks the malware is using to circumvent or completely disable modern EDR protections on compromised systems.”

Qilin has emerged as the most active ransomware group in recent months, claiming hundreds of victims, according to statistics compiled by CYFIRMA and Cynet. The group was linked to 22 of the 134 ransomware incidents reported in Japan in 2025, representing 16.4% of all attacks.

“Qilin primarily relies on stolen credentials to gain initial access,” Talos said. “After successfully infiltrating a target environment, the group focuses on post-compromise activities to systematically expand control and maximize impact.”

The cybersecurity vendor also noted that ransomware execution occurred on average about six days after the initial breach, highlighting the need for organizations to detect malicious activity as early as possible and prevent ransomware deployment.

This disclosure comes as the Warlock (also known as Water Manaul) ransomware group continues to exploit unpatched Microsoft SharePoint servers while updating its toolset to improve persistence, lateral movement, and defense evasion. This includes the use of TightVNC for persistent control and the use of a legitimate but vulnerable NSec driver (‘NSecKrnl.sys’) in BYOVD attacks to terminate and replace security products at the kernel level. This driver takes the place of the ‘googleApiUtil64.sys’ driver used in a previous campaign.

The following tools were also observed during the January 2026 Warlock attack:

  • PsExec, for lateral movement.
  • RDP Patcher, which facilitates concurrent RDP sessions.
  • Velociraptor, for command and control (C2).
  • Visual Studio Code and Cloudflare tunnels, for tunneling C2 communications.
  • Yuze, to compromise the intranet and establish reverse proxy connections to the attacker’s C2 server via HTTP (port 80), HTTPS (port 443), and DNS (port 53).
  • Rclone, for data exfiltration.

To counter BYOVD threats, the recommendation is to allow only drivers signed by explicitly trusted publishers, monitor driver installation events, and maintain a strict patch management schedule for security software, especially products that ship driver-based components that could themselves be exploited.
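The two controls above, an explicit signer allow-list and monitoring of driver installation events, can be checked from an administrative PowerShell session. The script below is an added example written for this article; it is not code from the article, Talos, or Trend Micro. It inventories loaded kernel drivers, evaluates each one's Authenticode signer against an assumed allow-list, flags the driver file names cited in the report (rwdrv.sys, hlpdrv.sys, ThrottleStop.sys, NSecKrnl.sys, googleApiUtil64.sys), and lists recent kernel-driver installs from System log event 7045. The trusted-signer patterns and the seven-day look-back window are assumptions to adapt to your own environment.

```powershell
# Added example, not from the article or the vendors it cites. Run as Administrator.
# Assumptions: the signer allow-list and the look-back window below are placeholders.

# Driver file names cited in the Talos / Trend Micro reporting.
$ReportedDriverNames = @(
    'rwdrv.sys', 'hlpdrv.sys', 'ThrottleStop.sys',
    'NSecKrnl.sys', 'googleApiUtil64.sys'
)

# Assumed allow-list of signer subjects; replace with publishers you explicitly trust.
$TrustedSignerPatterns = @(
    'CN=Microsoft Windows*',
    'CN=Microsoft Windows Hardware Compatibility Publisher*'
)

function Get-LoadedKernelDriverAudit {
    # Inventory every kernel driver known to the service control manager,
    # resolve its on-disk path, and evaluate its Authenticode signature.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    foreach ($d in $drivers) {
        # PathName may be "C:\Windows\system32\drivers\foo.sys", "\??\C:\..." or
        # "\SystemRoot\..."; normalise the last two forms so Test-Path works.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $trusted = $false
        foreach ($pat in $TrustedSignerPatterns) {
            if ($subject -like $pat) { $trusted = $true; break }
        }
        $fileName = [System.IO.Path]::GetFileName($path)

        [PSCustomObject]@{
            Service        = $d.Name
            Path           = $path
            State          = $d.State
            SignatureState = $sig.Status
            Signer         = $subject
            TrustedSigner  = $trusted
            # A name match is a lead, not proof: rwdrv.sys is a renamed
            # ThrottleStop.sys, so the hash and signer are what to pivot on.
            ReportedName   = ($ReportedDriverNames -contains $fileName)
            SHA256         = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

function Get-RecentDriverInstallEvents {
    param([int]$DaysBack = 7)   # assumed look-back window
    # System log event 7045 records a newly installed service, including
    # kernel-mode drivers; a fresh driver from an unexpected path is the
    # installation event the article says to monitor for.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$DaysBack) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        # Property order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
        if ($p[2].Value -like '*kernel*') {
            [PSCustomObject]@{
                Time      = $_.TimeCreated
                Service   = $p[0].Value
                ImagePath = $p[1].Value
                StartType = $p[3].Value
                Account   = $p[4].Value
            }
        }
    }
}

# Usage: show drivers that are either named in the report or signed outside
# the allow-list, then list kernel-driver installs from the last week.
$audit = Get-LoadedKernelDriverAudit
$audit | Where-Object { $_.ReportedName -or -not $_.TrustedSigner } |
    Sort-Object ReportedName -Descending |
    Format-Table Service, SignatureState, Signer, ReportedName, Path -AutoSize

Get-RecentDriverInstallEvents -DaysBack 7 | Format-Table -AutoSize
```

Expect the unfiltered audit to list many legitimately signed third-party drivers (GPU, storage, virtualization), which is exactly why the allow-list must be built from your own baseline rather than copied. Where Sysmon is deployed, its DriverLoad event (ID 6) records the signer and hash at load time and is a better feed for continuous monitoring than the one-off inventory here; the SHA256 values this script emits can be compared against Microsoft's published vulnerable driver blocklist, which HVCI and WDAC policies can enforce.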

“Warlock relies on vulnerable drivers to override security controls, requiring layered defenses focused on kernel integrity,” Trend Micro said. “Therefore, organizations must upgrade from basic endpoint protection to enhanced driver governance and real-time monitoring of kernel-level activity.”

