Protect.Computer

Qilin and Warlock ransomware now kill 300+ EDR tools using vulnerable signed drivers

· 3 min read · Ransomware Defense evasion

What happened

Cisco Talos and Trend Micro have published detailed analyses of how the Qilin and Warlock ransomware groups are systematically dismantling endpoint security before deploying ransomware, using the Bring Your Own Vulnerable Driver (BYOVD) technique to disable more than 300 EDR products from nearly every major security vendor.

Qilin’s multi-stage EDR killer

Qilin’s attack begins with DLL side-loading: a legitimate Windows application loads a malicious msimg32.dll that triggers a sophisticated multi-stage infection chain.

The loader:

  • Suppresses Event Tracing for Windows (ETW) to cut off security telemetry
  • Uses SEH/VEH-based control flow obfuscation to hide execution patterns
  • Employs Halo’s Gate syscall bypass to invoke system calls without triggering EDR hooks
  • Performs geo-fencing to exclude post-Soviet locales (consistent with Russian-affiliated operations)

The final payload loads two kernel-level drivers:

  • rwdrv.sys (renamed ThrottleStop.sys, legitimately signed by TechPowerUp) — provides direct physical memory read/write
  • hlpdrv.sys — terminates protected EDR processes, bypassing Windows process protection

The malware iterates through a hardcoded list of 300+ EDR driver names, unregistering their monitoring callbacks for process creation, thread creation, and image loading. It even temporarily disables Windows Code Integrity enforcement to freely modify kernel structures, then restores it afterward to reduce forensic traces.

Warlock’s parallel approach

The Warlock group exploits unpatched Microsoft SharePoint servers for initial access and deploys a vulnerable NSec driver (NSecKrnl.sys) for similar kernel-level EDR termination. Their updated toolset includes TightVNC, PsExec, Visual Studio Code tunneling, Cloudflare Tunnel, and Rclone for data exfiltration.

Why this matters

This represents a strategic evolution in ransomware operations: rather than trying to evade detection, attackers are now dismantling the detection layer itself before deploying payloads. If your EDR is your primary defense and it gets killed at the kernel level, you’re blind while ransomware executes.

Qilin was linked to 22% of ransomware incidents in Japan in 2025, and this technique makes the group significantly more dangerous.

How to check if you’re affected

Affected products and versions

  • Any Windows endpoint running EDR software from any major vendor (300+ products targeted including CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Sophos, Trend Micro, Symantec, ESET, Kaspersky, and others)
  • Organizations using Windows 10/11 or Windows Server 2016–2025 without kernel driver integrity enforcement (WDAC/HVCI)
  • Microsoft SharePoint Server 2019 and SharePoint Server Subscription Edition with unpatched vulnerabilities (Warlock’s entry point)
  • Systems where driver signature enforcement can be bypassed via legitimately-signed vulnerable drivers (rwdrv.sys from TechPowerUp ThrottleStop, NSecKrnl.sys from NSec)

Concrete verification steps (20-minute triage)

  1. Check for suspicious driver installations

    • Search for rwdrv.sys, hlpdrv.sys, or NSecKrnl.sys across your endpoint fleet.
    • Review Windows Event Logs (System log, Event ID 7045) for recent driver installations from unexpected paths.
    • Query your EDR/SIEM for sc.exe or service creation events involving unknown .sys files.
  2. Verify EDR health and callback integrity

    • Confirm your EDR agents are actively reporting and their kernel callbacks are intact.
    • Look for gaps in telemetry — sudden silence from endpoints that were previously reporting is a strong indicator.
  3. Audit DLL side-loading risk

    • Check for msimg32.dll in unexpected locations (anywhere outside C:\Windows\System32).
    • Review application directories for unsigned or recently-modified DLLs alongside legitimate executables.
  4. Verify driver governance policies

    • Check whether your organization enforces driver allowlisting (WDAC, AppLocker driver rules, or equivalent).
    • Confirm that only explicitly trusted publisher certificates are permitted for kernel drivers.
  5. Patch SharePoint (for Warlock vector)

    • Verify all SharePoint servers are current on security updates.
    • Review SharePoint access logs for anomalous authentication patterns.

Immediate defensive actions

  • Enforce strict driver governance: use Windows Defender Application Control (WDAC) or equivalent to allowlist only trusted driver publishers.
  • Monitor driver installation events in real-time via SIEM.
  • Don’t rely on a single EDR product — layer defenses so kernel-level EDR termination doesn’t leave you completely blind.
  • Block known BYOVD drivers: add rwdrv.sys, hlpdrv.sys, and NSecKrnl.sys hashes to your blocklist.
  • Patch SharePoint and restrict external access.
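The following PowerShell script is an added example that walks through triage steps 1 to 4 above and produces the SHA-256 hashes that the blocklist action needs; it is not code from the article or from the Talos or Trend Micro reports. The driver and DLL names are the ones the article gives. Everything else is an assumption: the drop directories searched, the 30-day look-back, the property order used for Event ID 7045, the signer match on the TechPowerUp subject name, and the choice to treat SysWOW64 and WinSxS as legitimate homes for msimg32.dll in addition to System32. It reads state and writes nothing, so it is safe to run on a live endpoint.

```powershell
# Added triage script, not from the article or the vendor reports.
# Run as Administrator on one endpoint; feed the output into your fleet tooling.
#Requires -RunAsAdministrator

$driverNames = @('rwdrv.sys', 'hlpdrv.sys', 'NSecKrnl.sys', 'ThrottleStop.sys')  # ThrottleStop.sys = original name of rwdrv.sys
$lookback    = (Get-Date).AddDays(-30)   # assumption: 30-day window for install events
$findings    = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# Step 1a: named driver files on disk. Assumed drop locations, not a full-disk scan.
$roots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", $env:ProgramData, $env:TEMP, "$env:SystemDrive\Users")
foreach ($f in Get-ChildItem -Path $roots -Recurse -Include $driverNames -File -ErrorAction SilentlyContinue) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash   # value to add to the blocklist
    Add-Finding 'driver-file' "$($f.FullName) sha256=$hash"
}

# Step 1b: loaded kernel drivers. rwdrv.sys is a renamed, TechPowerUp-signed ThrottleStop.sys,
# so a name match alone is not enough; also flag any running driver whose signer is TechPowerUp.
foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
    if (-not $d.PathName) { continue }
    $path = ($d.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path $path)) { continue }
    $leaf   = Split-Path $path -Leaf
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($driverNames -contains $leaf -or $signer -match 'TechPowerUp') {
        Add-Finding 'loaded-driver' "$($d.Name) path=$path signer=$signer"
    }
}

# Step 1c: recent driver installations (System log, Event ID 7045).
# Assumed EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $lookback } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Properties.Count -lt 3) { continue }
    $svcName = $e.Properties[0].Value; $image = $e.Properties[1].Value; $type = $e.Properties[2].Value
    if ($type -notmatch 'kernel') { continue }                       # only kernel-mode driver services
    $expectedPath = $image -match '(?i)\\Windows\\System32\\drivers\\'
    $knownName    = @($driverNames | Where-Object { $image -match [regex]::Escape($_) }).Count -gt 0
    if (-not $expectedPath -or $knownName) {
        Add-Finding 'driver-install-event' "$($e.TimeCreated) service=$svcName image=$image"
    }
}

# Step 2: local EDR health check, shown for Microsoft Defender because its cmdlets are built in.
# Telemetry-gap detection (endpoints that go silent) belongs in the SIEM, not on the host.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    if (-not $mp.AMServiceEnabled -or -not $mp.RealTimeProtectionEnabled) {
        Add-Finding 'edr-health' "Defender AMService=$($mp.AMServiceEnabled) RealTime=$($mp.RealTimeProtectionEnabled)"
    }
}

# Step 3: msimg32.dll outside its legitimate homes. Whole-drive walk; slow but thorough.
$legitimate = '(?i)\\Windows\\(System32|SysWOW64|WinSxS)\\'
foreach ($f in Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Filter 'msimg32.dll' -File -ErrorAction SilentlyContinue) {
    if ($f.FullName -notmatch $legitimate) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        Add-Finding 'dll-sideload' "$($f.FullName) signature=$($sig.Status) modified=$($f.LastWriteTime)"
    }
}

# Step 4: driver governance. SecurityServicesRunning contains 2 when HVCI is on;
# CodeIntegrityPolicyEnforcementStatus is 0 off, 1 audit, 2 enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    if ($dg.SecurityServicesRunning -notcontains 2) { Add-Finding 'governance' 'HVCI is not running' }
    if ($dg.CodeIntegrityPolicyEnforcementStatus -ne 2) {
        Add-Finding 'governance' "WDAC kernel policy not enforced (status=$($dg.CodeIntegrityPolicyEnforcementStatus))"
    }
} else {
    Add-Finding 'governance' 'Win32_DeviceGuard unavailable; cannot confirm WDAC/HVCI state'
}

if ($findings.Count -eq 0) { Write-Host 'No indicators found by this triage script.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Two points on design: the name list is deliberately the weakest check, because the article itself notes that rwdrv.sys is a renamed copy of a legitimately signed driver, so the signer and the hash of anything found are the durable indicators to carry into your blocklist and SIEM; and the Event ID 7045 check flags any kernel driver installed from outside System32\drivers, which is the broad version of the "unexpected paths" review in step 1 and will surface a renamed file that the name list misses.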

Bottom line

If your security strategy is “we have EDR, we’re covered” — this is a wake-up call. Qilin and Warlock have industrialized the process of killing your security tools before you even know you’ve been breached. Layer your defenses, enforce driver governance, and monitor for telemetry gaps. The attackers are specifically targeting the tools you trust most.