{"id":231790,"date":"2026-04-06T06:07:00","date_gmt":"2026-04-06T10:07:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/06\/qilin-and-warlock-ransomware-use-vulnerable-drivers-to-disable-300-edr-tools\/"},"modified":"2026-04-06T12:15:12","modified_gmt":"2026-04-06T16:15:12","slug":"qilin-and-warlock-ransomware-use-vulnerable-drivers-to-disable-300-edr-tools","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/06\/qilin-and-warlock-ransomware-use-vulnerable-drivers-to-disable-300-edr-tools\/","title":{"rendered":"Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/qilin-and-warlock-ransomware-use.html\">Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/qilin-and-warlock-ransomware-use.html\">https:\/\/thehackernews.com\/2026\/04\/qilin-and-warlock-ransomware-use.html<\/a><\/p>\n<p>Publish Date: 2026-04-06 06:07:00<\/p>\n<p>Source Domain: thehackernews.com<\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Apr 06, 2026<\/span><\/span><span class=\"p-tags\">Ransomware \/ Endpoint Security<\/span><\/p>\n<p>Threat actors associated with the Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools on compromised hosts, according to findings from Cisco Talos and Trend Micro.<\/p>\n<p>Qilin attacks analyzed by Talos deploy a malicious DLL named &#8220;msimg32.dll,&#8221; which initiates a multi-stage infection chain to disable endpoint detection and response (EDR) solutions. The DLL, launched via DLL side-loading, is capable of terminating more than 300 EDR drivers from almost every security vendor on the market.<\/p>\n<p>&#8220;The first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component,&#8221; Talos researchers Takahiro Takeda and Holger Unterbrink said. &#8220;This secondary payload is embedded within the loader in an encrypted form.&#8221;<\/p>\n<p>The DLL loader implements an array of techniques to evade detection. It neutralizes user-mode hooks, suppresses Event Tracing for Windows (ETW) event logs, and takes steps to conceal control flow and API invocation patterns. As a result, the main EDR killer payload is decrypted, loaded, and executed entirely in memory without tripping the user-mode hooks or ETW telemetry that the EDR relies on.<\/p>\n<p>Once launched, the malware makes use of two drivers &#8211;<\/p>\n<ul>\n<li>rwdrv.sys, a renamed copy of &#8220;ThrottleStop.sys&#8221; that is used to gain access to the system&#8217;s physical memory and act as a kernel-mode hardware access layer.<\/li>\n<li>hlpdrv.sys, used to terminate the processes associated with over 300 different EDR drivers belonging to various security solutions.<\/li>\n<\/ul>\n<p>It is worth noting that both drivers have previously been used in BYOVD attacks carried out in conjunction with Akira and Makop ransomware intrusions.<\/p>\n<p>&#8220;Prior to loading the second driver, the EDR killer component unregisters monitoring callbacks established by the EDR, ensuring that process termination can proceed without&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/qilin-and-warlock-ransomware-use.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools https:\/\/thehackernews.com\/2026\/04\/qilin-and-warlock-ransomware-use.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":231791,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgtrUKOrJ2Y_pSYHNcKDjbrBsZa2igYlNorTwmH31JNSjdA7VP84kXj23nmkk7DTqlrCUsfCjNo6xt-niyZeKeCR7VtBzMWW9eNUKzU0WGnpmw2yYjHBdboP2uF2UA8CCsdclyeDlRJcU7DEOD8OrFthlhQX-OkgePmyT__ZDQA4IXgRYbnNtp21MoleCTU\/s16000\/lock-ransomware.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32],"class_list":["post-231790","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231790"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=231790"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231790\/revisions"}],"predecessor-version":[{"id":231792,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231790\/revisions\/231792"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/231791"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=231790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=231790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=231790"}],"curies":[{"name":"wp","href":"https:\/\/ap
i.w.org\/{rel}","templated":true}]}}
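A hunting script for the BYOVD chain reported in the post above, added here as an example; it is not code from the post, from Cisco Talos or from Trend Micro. It parses a constructed, embedded sample of Sysmon-style events (Event ID 6 DriverLoad and Event ID 5 ProcessTerminate, one JSON object per line; the field names follow Sysmon's schema, while the paths, signer strings and security-product process names are illustrative assumptions), flags driver loads whose file name matches the ones named in the report (rwdrv.sys, hlpdrv.sys, ThrottleStop.sys) or that come from outside System32\drivers, and raises the severity when a burst of security-tool process terminations follows the load within a minute, which is the observable the report describes.

```python
"""Hunt for the BYOVD EDR-killer pattern in Sysmon-style driver-load and
process-terminate events.  Added example; not code from the report."""
import json
from datetime import datetime, timedelta

# Driver file names named in the report (rwdrv.sys is ThrottleStop.sys renamed).
WATCHLIST_DRIVERS = {"rwdrv.sys", "hlpdrv.sys", "throttlestop.sys"}

# On a managed host, legitimate drivers are expected from the protected driver store.
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Illustrative security-tool process names (assumption: replace with your EDR's).
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "cylancesvc.exe"}

TERMINATION_WINDOW = timedelta(seconds=60)   # how soon the kills must follow the load
MIN_TERMINATIONS = 3                         # kills needed to call it an EDR-killer run

# Constructed sample: one benign driver load, the two reported drivers loaded from
# ProgramData, three security processes terminated right after, one unrelated exit.
SAMPLE_EVENTS = r"""
{"EventID":6,"UtcTime":"2026-04-06 10:07:01.000","ImageLoaded":"C:\\Windows\\System32\\drivers\\mouclass.sys","Signed":"true","Signature":"Microsoft Windows"}
{"EventID":6,"UtcTime":"2026-04-06 10:07:05.000","ImageLoaded":"C:\\ProgramData\\upd\\rwdrv.sys","Signed":"true","Signature":"constructed vendor signer"}
{"EventID":6,"UtcTime":"2026-04-06 10:07:06.000","ImageLoaded":"C:\\ProgramData\\upd\\hlpdrv.sys","Signed":"true","Signature":"constructed vendor signer"}
{"EventID":5,"UtcTime":"2026-04-06 10:07:08.000","Image":"C:\\Program Files\\Windows Defender\\MsMpEng.exe"}
{"EventID":5,"UtcTime":"2026-04-06 10:07:09.000","Image":"C:\\Program Files\\CrowdStrike\\CSFalconService.exe"}
{"EventID":5,"UtcTime":"2026-04-06 10:07:09.500","Image":"C:\\Program Files\\Cylance\\CylanceSvc.exe"}
{"EventID":5,"UtcTime":"2026-04-06 10:09:30.000","Image":"C:\\Windows\\System32\\notepad.exe"}
"""


def parse_events(text):
    """Parse JSON-lines events and attach a datetime for window arithmetic."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def driver_indicators(ev):
    """Return the reasons a DriverLoad event looks like BYOVD staging (empty if none)."""
    path = ev["ImageLoaded"].lower()
    reasons = []
    if basename(path) in WATCHLIST_DRIVERS:
        reasons.append(f"watchlisted driver name {basename(path)}")
    if not path.startswith(EXPECTED_DRIVER_DIR):
        reasons.append("driver loaded from outside System32\\drivers")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return reasons


def hunt(events):
    """Correlate suspicious driver loads with a burst of security-process kills."""
    drivers = [e for e in events if e["EventID"] == 6]
    kills = [e for e in events
             if e["EventID"] == 5 and basename(e["Image"]) in SECURITY_PROCESSES]
    alerts = []
    for d in drivers:
        reasons = driver_indicators(d)
        if not reasons:
            continue
        start, end = d["_time"], d["_time"] + TERMINATION_WINDOW
        followed = [k["Image"] for k in kills if start <= k["_time"] <= end]
        alerts.append({
            "driver": d["ImageLoaded"],
            "reasons": reasons,
            "security_processes_terminated": followed,
            "severity": "high" if len(followed) >= MIN_TERMINATIONS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in hunt(parse_events(SAMPLE_EVENTS)):
        print(a["severity"].upper(), a["driver"], "|", "; ".join(a["reasons"]),
              "|", len(a["security_processes_terminated"]), "security processes terminated")
```

To use it on real data, export Sysmon events as JSON lines and pass them to `parse_events` in place of the constructed sample. Two caveats follow from the report itself: the killer unregisters the EDR's own monitoring callbacks before it terminates processes, so the driver-load and process-terminate telemetry must come from a channel the killer does not target (for example Sysmon forwarded off-host), and an abrupt loss of EDR heartbeat from a host is a companion signal worth correlating. Blocking the driver loads up front, with the platform's vulnerable-driver blocklist or an allow-list policy, is preferable to detecting them after the EDR is already gone.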