THREAT ACTOR WATCH | RANSOMWARE INTELLIGENCE
Active Threat | April 8, 2026 | 12 min read

Qilin Found a Way to Blind Your EDR Before You Know They're Inside

The most active ransomware group on the planet is now deploying a signed Windows driver to kill your entire security stack from the kernel level.

Sources: Cisco Talos | Trend Micro | CYFIRMA | Cynet | UltraViolet Cyber

Key figures:
- 300+ EDR drivers silenced
- #1 most active ransomware group globally
- 16.4% of Japan's 2025 attacks attributed to Qilin
- 40+ victims claimed per month

Cisco Talos and Trend Micro have published coordinated intelligence confirming that threat actors behind both the Qilin and Warlock ransomware operations are actively deploying a technique called Bring Your Own Vulnerable Driver (BYOVD) to systematically disable endpoint security tooling before their ransomware payload ever runs.

This is not a proof-of-concept. It is in-production tradecraft, observed across live intrusions. The objective is simple and devastating: arrive in your environment via stolen credentials, load a legitimate signed Windows driver, use that driver's kernel-level trust to kill every security process watching your endpoints, then detonate ransomware into a blind environment with no telemetry, no alerts, and no automated response capability.

For defenders who have staked their ransomware resilience on EDR, this is the threat that turns that bet against you.

The attack chain, step by step

Talos researchers Takahiro Takeda and Holger Unterbrink published a detailed technical teardown of the infection chain. Here is what the kill sequence actually looks like inside your environment:

1. Initial Access

Stolen credentials. No zero-day required. A single compromised account is the entire entry vector. Qilin prioritizes credential theft and reuse across enterprise environments before any other activity.

2. DLL Side-Loading

A malicious msimg32.dll is placed alongside a legitimate app such as FoxitPDFReader.exe. Because the loader searches the application's own directory before System32 for a DLL that is not on the KnownDLLs list, the trusted app picks up the malicious copy. Execution begins inside DllMain at load time, before the host application's own code runs.

3. Stage 1: PE Loader

The DLL contains an encrypted embedded PE loader. It allocates a heap buffer, neutralizes the user-mode hooks that EDR products rely on for telemetry, and suppresses execution visibility through exception-handler abuse.

4. Stage 2: Vulnerable Driver Load

Two vulnerable drivers drop and load: rwdrv.sys (derived from the ThrottleStop.sys utility driver) grants direct physical memory access; hlpdrv.sys handles process termination. Both carry valid signatures, so Driver Signature Enforcement loads them without complaint.

5. Stage 3: EDR Callback Unregistration

Before any process is terminated, the EDR killer unregisters the monitoring callbacks that EDR products have registered with the Windows kernel. This eliminates the telemetry pipeline itself, not just the processes.

6. Stage 4: Mass EDR Termination

With callbacks unregistered and kernel privileges established, the component terminates drivers and processes from over 300 security products spanning virtually every major vendor on the market. The environment is security-dark.

7. Stage 5: Ransomware Deployment

With the defensive layer eliminated and telemetry suppressed, ransomware deploys into an environment with no detection, no automated response, and no meaningful response window remaining.

Why BYOVD is so hard to stop

The core problem is architectural. Windows enforces a protection boundary between user mode (Ring 3) and kernel mode (Ring 0). An EDR agent straddles that boundary: the user-mode service does the analysis and reporting, but its visibility comes from a kernel-mode driver that registers callbacks with the OS through APIs such as PsSetCreateProcessNotifyRoutineEx (process creation), PsSetLoadImageNotifyRoutine (image and driver loads), ObRegisterCallbacks (handle operations on processes and threads) and CmRegisterCallbackEx (registry operations), plus a file-system minifilter. Those registrations are what turn kernel events into telemetry.

BYOVD attacks this model at its foundation. Driver Signature Enforcement checks who signed a driver, not whether the driver is safe. By loading a legitimate, digitally signed driver that happens to expose an arbitrary physical-memory read/write or process-termination primitive, the attacker obtains Ring 0 access through a channel Windows explicitly trusts. From that position they can walk the kernel's callback arrays and remove or overwrite the entries the EDR depends on, and terminate protected processes that no user-mode code, however privileged, is allowed to touch. By the time the security tool would normally generate an alert, its entire notification infrastructure has been surgically removed.

What makes the Qilin implementation particularly concerning is the depth of the evasion layering. The loader neutralizes user-mode hooks before the driver is even introduced, suppresses telemetry through exception-handler manipulation, and keeps the most sensitive payload components encrypted in memory until the moment of execution.

The EDR killer unregisters monitoring callbacks before loading the second driver, ensuring that process termination proceeds without interference.

Talos Researchers — Direct Finding

This is now standard ransomware tradecraft

BYOVD has been a known technique for years. What has changed is its operational status. It is no longer a niche capability reserved for nation-state actors or red teams. The same vulnerable drivers abused in the Qilin chain — rwdrv.sys and hlpdrv.sys — have also appeared in Akira and Makop ransomware intrusions.

Warlock has its own BYOVD implementation documented by Trend Micro. In December 2025, Cisco Talos documented a DeadLock ransomware campaign using a BYOVD loader against a vulnerable Baidu Antivirus driver to terminate EDR processes and disable Windows Defender entirely.

The pattern is unmistakable: the criminal ransomware ecosystem has converged on EDR elimination as a standardized pre-encryption phase. These are not boutique capabilities. They are operationalized, reusable components being applied at scale across the entire ransomware-as-a-service economy.

Qilin, also tracked as Agenda, Gold Feather, and Water Galura, operates as a ransomware-as-a-service platform. That means BYOVD capability is now available to any affiliate who rents access — no specialized kernel engineering required.

The strategic consequence: compressed response windows

In a normal Qilin intrusion, attackers rely on stolen credentials for initial access and often delay ransomware deployment by days. Under standard circumstances, that dwell time is an opportunity — a window during which a properly staffed security team might detect post-compromise activity and contain the intrusion before encryption begins.

BYOVD directly destroys that opportunity. By targeting the EDR tooling and kernel callbacks a SOC team depends on for visibility, attackers can extend their operational window while simultaneously eliminating the defender's ability to capitalize on it. When encryption finally starts, the security stack has already been dark for some time.

For CISOs and security architects, the implication is direct: EDR is no longer sufficient as a primary ransomware defense layer. Any architecture that relies on EDR as the last line of defense has a gap that Qilin already knows about and is actively exploiting.

IOCs: hunt for these now

The following indicators have been confirmed by Cisco Talos across observed Qilin intrusions. A genuine msimg32.dll ships with Windows under C:\Windows\System32, C:\Windows\SysWOW64 and the WinSxS servicing store; a copy anywhere else, typically next to a side-loadable application, warrants immediate host isolation. Because a file name is a weak indicator on its own, compare the hash and Authenticode signer of any hit against the full-length hashes published by Talos before closing it as benign.

Artifact       | Type                                | SHA-256 (truncated)
msimg32.dll    | Malicious DLL (stage 1 loader)      | 7787da25451f5538...b888497
rwdrv.sys      | Vulnerable driver (memory access)   | 16f83f056177c4ec...fa99c97f0
hlpdrv.sys     | Vulnerable driver (process kill)    | bd1f381e5a3db22e...56
EDRKiller.exe  | EDR termination component           | 12fcde06ddadf1b4...83f0a4a0

Any instance of msimg32.dll found outside C:\Windows\System32, C:\Windows\SysWOW64 or C:\Windows\WinSxS is an active IOC. Isolate the host immediately. rwdrv.sys, hlpdrv.sys and EDRKiller.exe have no legitimate reason to exist on an enterprise endpoint, so any hit on those names is an IOC regardless of location. Full hashes and IOC lists are available via the Cisco Talos GitHub repository.
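The hunt described above, and the "Hunt for msimg32.dll now" step in the remediation list, as an added PowerShell example. This is not code from Talos or from the article; it assumes a default Windows directory layout, must run elevated, and deliberately hard-codes no hashes because the page only shows truncated ones: it reports SHA-256 and signer for each hit so the values can be compared against the full-length IOC list.

```powershell
# Added example (not from the article or Cisco Talos). Hunts one host for the Qilin BYOVD
# file-name IOCs and reports hash and signer for comparison against the full Talos IOC list.
# Run elevated; push fleet-wide through your EDR's script runner, Intune or a scheduled task.

# Assumption: default Windows layout. A genuine Microsoft-signed msimg32.dll lives in these
# three roots; a copy anywhere else, or a non-Microsoft copy here, is suspect.
$LegitDllRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

# File names from the IOC table. The three non-DLL names have no legitimate use on an endpoint.
$Targets = @('msimg32.dll', 'rwdrv.sys', 'hlpdrv.sys', 'EDRKiller.exe')

# Fixed local drives only (DriveType 3); network shares are out of scope for a host hunt.
$Roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { "$($_.DeviceID)\" }

function Test-UnderRoot([string]$Path, [string[]]$RootList) {
    foreach ($r in $RootList) {
        if ($Path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$Findings = foreach ($f in Get-ChildItem -Path $Roots -Recurse -Force -File -Include $Targets -ErrorAction SilentlyContinue) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $reason = $null

    if ($f.Name -ieq 'msimg32.dll') {
        if (-not (Test-UnderRoot $f.FullName $LegitDllRoots)) {
            $reason = 'msimg32.dll outside the Windows image: possible side-load payload'
        } elseif ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            $reason = 'msimg32.dll in a system path but not validly Microsoft-signed: review'
        }
    } else {
        $reason = "IOC file name present: $($f.Name)"
    }

    if ($reason) {
        [pscustomobject]@{
            Path      = $f.FullName
            SHA256    = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
            SigStatus = $sig.Status
            Signer    = $signer
            Reason    = $reason
        }
    }
}

# A file on disk is one thing; a kernel service pointing at it is worse. Check the SCM view.
$LoadedDrivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'rwdrv\.sys|hlpdrv\.sys' } |
    Select-Object Name, State, StartMode, PathName

$Findings      | Format-Table -AutoSize
$LoadedDrivers | Format-Table -AutoSize

if ($Findings -or $LoadedDrivers) {
    Write-Warning "$env:COMPUTERNAME: Qilin BYOVD indicators present. Isolate the host and collect triage before remediation."
    exit 2   # non-zero exit for fleet tooling that keys on return codes
}
```

Get-AuthenticodeSignature validates catalog-signed OS files as well as embedded signatures, so a pristine System32 copy should report Valid with a Microsoft signer; the script still only flags, never deletes, because the isolation decision and the triage collection belong to a human.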

What to do right now

Immediate remediation steps for your security team:

Enable HVCI immediately

Hypervisor-Protected Code Integrity (shown as Memory Integrity in the UI) runs kernel code-integrity checks inside a VBS-isolated environment, prevents kernel code pages from being made writable, and automatically applies Microsoft's vulnerable driver blocklist. It is the most effective broadly available control against BYOVD. Enable it fleet-wide through Intune or Group Policy rather than per machine through Windows Security > Device Security > Core isolation, and treat the rollout as a driver-compatibility project: hosts carrying HVCI-incompatible drivers will refuse to turn it on. Two caveats. HVCI keeps listed drivers off the box, but a signed driver that is not yet on the blocklist still loads. And HVCI protects kernel code, not kernel data, so a driver that does load can still overwrite callback arrays and other data structures. Its value here is preventing the known-bad drivers from loading in the first place.

Hunt for msimg32.dll now

Legitimate copies live under C:\Windows\System32, C:\Windows\SysWOW64 and the WinSxS servicing store. A copy anywhere else, typically next to a PDF reader or another side-loadable application, is an active IOC. Run a hunt across your fleet immediately using your EDR's custom query or PowerShell, compare hits against the full-length hashes published by Talos, and isolate confirmed hosts without hesitation.

Enforce the Vulnerable Driver Blocklist

Microsoft's recommended driver block rules cover the drivers abused in the Qilin chain. Enforce the list via Intune or Group Policy. Hosts running HVCI apply it automatically, and Windows 11 22H2 and later apply it by default, but verify enforcement across the full fleet rather than inferring it from policy assignment.

Harden credential hygiene

Qilin's entire initial access model depends on stolen credentials. Enforce MFA across all remote access surfaces, rotate any credentials exposed in prior incidents, and audit privileged account usage for anomalous lateral movement.

Monitor driver installation events

Alert on driver installation and load events in your SIEM: Windows System log event 7045 (a service was installed, with service type "kernel mode driver"), Security event 4697 where that audit category is enabled, and Sysmon event 6 (DriverLoad), which carries the image hash and signer. Match on the file names rwdrv.sys and hlpdrv.sys and on the published hashes, but also on any kernel driver whose signer is not on your approved list, because attackers rename drivers freely. Unusual driver loads outside sanctioned change windows should trigger immediate investigation.

Rethink your EDR dependency

Add network-level detection, deception technologies, and identity-based controls that operate independently of endpoint agents. Qilin is specifically engineered to make endpoint-centric security stacks fail.
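The HVCI, blocklist and driver-event checks from the list above, combined into one added PowerShell posture script. It is not from the article or its sources. It assumes a Windows 10 or 11 host, relies only on the documented Win32_DeviceGuard WMI class and the documented registry switches, skips the Sysmon query silently when Sysmon is absent, and must run elevated; the 30-day window and the ThrottleStop.sys name in the watch pattern are choices made for this example.

```powershell
# Added example (not from the article, Talos or Microsoft). Reports whether HVCI and the
# vulnerable driver blocklist are actually enforced on this host, then pulls recent driver
# installation and load events that name the abused drivers. Run elevated.

# 1. HVCI (Memory Integrity) and VBS state from the Device Guard WMI class.
#    SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)

# 2. Vulnerable driver blocklist. HVCI applies it automatically; this documented registry
#    value forces it on regardless of HVCI (reboot required). Absent value = OS default.
$ciCfg = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklistValue  = (Get-ItemProperty -Path $ciCfg -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$blocklistForced = ($blocklistValue -eq 1)

# To turn HVCI on without the Settings UI (documented policy key; reboot required):
#   $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
#   New-Item -Path $hvciKey -Force | Out-Null
#   Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
# To force the blocklist on hosts that cannot run HVCI:
#   Set-ItemProperty -Path $ciCfg -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord

# 3. Driver installation and load events for the abused file names (example window: 30 days).
#    System 7045: a service, kernel drivers included, was installed.
#    Sysmon 6: a driver image was loaded; the message includes hash and signature fields.
#    ThrottleStop.sys is included because rwdrv.sys is derived from it; a legitimate
#    ThrottleStop install on a laptop will also match and needs a human look.
$watch = 'rwdrv\.sys|hlpdrv\.sys|ThrottleStop\.sys'
$since = (Get-Date).AddDays(-30)

$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $watch } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { (($_.Message -split "`n")[0..3]) -join ' ' } }

$loads = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $watch } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message } }

# Summary object: feed it to your inventory or CSV export for the fleet-wide view.
[pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    VbsRunning             = $vbsRunning
    HvciRunning            = $hvciRunning
    BlocklistForcedByReg   = $blocklistForced
    BlocklistEffective     = ($hvciRunning -or $blocklistForced)   # conservative; Win11 22H2+ also defaults it on
    DriverInstallEvents    = @($installs).Count
    SysmonDriverLoadEvents = @($loads).Count
} | Format-List

$installs | Format-Table -AutoSize
$loads    | Format-Table -Wrap
```

BlocklistEffective is deliberately conservative: it reports true only when the script can prove enforcement from HVCI state or the registry switch, so a Windows 11 22H2 host relying on the OS default shows false and prompts a closer look rather than a false sense of coverage.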

The bottom line

Qilin is not doing anything fundamentally new. BYOVD has existed for years. What Qilin has done is operationalize it into a polished, multi-stage attack chain that is actively deployed against enterprise targets at scale, through a RaaS platform available to affiliates without kernel engineering expertise.

The security industry spent years building EDR into the cornerstone of enterprise endpoint defense. Ransomware groups spent years finding the seam where that cornerstone can be pulled. That seam is the kernel trust boundary — and it is now being exploited in production attacks by the most active ransomware group on the planet.

The correct response is not to abandon EDR. It is to stop treating EDR as a complete solution and to build architectures that assume it can be blinded. That means HVCI enforcement, driver governance, identity hardening, and network-level controls that operate independently of endpoint agents.

The question for every security team this week is not whether Qilin's technique works. Talos has confirmed that it does. The question is whether HVCI is enabled across your fleet right now — and if not, what your plan is to get there before Qilin gets there first.

Tags: ransomware | BYOVD | Qilin | EDR | threat-intelligence