Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools
https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html
Publish Date: 2026-04-06 06:07:00
Source Domain: thehackernews.com
Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend Micro.
Qilin attacks analyzed by Talos have been found to deploy a malicious DLL named “msimg32.dll,” which initiates a multi-stage infection chain to disable endpoint detection and response (EDR) solutions. The DLL, launched via DLL side-loading, is capable of terminating more than 300 EDR drivers from almost every security vendor in the market.
“The first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component,” Talos researchers Takahiro Takeda and Holger Unterbrink said. “This secondary payload is embedded within the loader in an encrypted form.”
The DLL loader implements an array of techniques to evade detection: it neutralizes user-mode hooks, suppresses Event Tracing for Windows (ETW) event logs, and conceals its control flow and API invocation patterns. This allows the main EDR killer payload to be decrypted, loaded, and executed entirely in memory without being observed.
Once launched, the malware makes use of two drivers:
- rwdrv.sys, a renamed version of “ThrottleStop.sys” that’s used to gain access to the system’s physical memory and act as a kernel-mode hardware access layer.
- hlpdrv.sys, to terminate processes associated with over 300 different EDR drivers belonging to various security solutions.
It’s worth noting that both drivers have been used as part of BYOVD attacks carried out in conjunction with Akira and Makop ransomware intrusions.
“Prior to loading the second driver, the EDR killer component unregisters monitoring callbacks established by the EDR, ensuring that process termination can proceed without…