Qilin And Warlock Ransomware Exploit Vulnerable Drivers To Evade 300+ EDR Tools

Qilin and Warlock ransomware groups have been observed exploiting vulnerable drivers to disable security software on compromised systems, affecting hundreds of victims across multiple regions. According to research from Cisco Talos and Trend Micro, Qilin operations leverage the bring your own vulnerable driver technique, or BYOVD, to bypass endpoint detection and response solutions. In Qilin attacks analyzed by Talos, a malicious DLL named msimg32.dll initiates a multi-stage infection chain specifically designed to neutralize over 300 EDR drivers from a wide array of security vendors. This DLL, launched through DLL side-loading, allows the main EDR killer payload to execute entirely in memory while evading detection, highlighting the sophistication of these ransomware operations.

Talos researchers Takahiro Takeda and Holger Unterbrink explained that the first stage involves a PE loader that prepares the execution environment for the EDR killer component, with a secondary payload encrypted within the loader itself. This loader disables user-mode hooks, suppresses Event Tracing for Windows logs, and conceals API calls to maintain stealth while decrypting and executing the main payload. Once active, the malware employs two drivers to maximize its impact. The first, rwdrv.sys, a modified ThrottleStop.sys driver, provides direct access to system memory, while hlpdrv.sys is used to terminate processes associated with hundreds of EDR drivers. These methods mirror BYOVD techniques previously observed in Akira and Makop ransomware intrusions, demonstrating a growing trend in kernel-level exploitation.

Qilin ransomware has been notably active in Japan, accounting for 22 out of 134 reported incidents in 2025, representing roughly 16 percent of attacks. The group typically gains initial access through stolen credentials and spends several days establishing control over the target environment before executing ransomware, with average deployment occurring six days after initial compromise. Warlock, also known as Water Manual, has continued to exploit unpatched Microsoft SharePoint servers while refining its toolkit to enhance persistence, lateral movement, and defense evasion. Observed tools include TightVNC for remote access, NSecKrnl.sys driver for EDR termination, PsExec for lateral movement, RDP Patcher for concurrent remote sessions, Velociraptor for command and control, Visual Studio Code with Cloudflare Tunnel for C2 communications, Yuze for intranet penetration and reverse proxy setup, and Rclone for data exfiltration.

Cybersecurity experts stress that BYOVD attacks like these require organizations to implement strict driver governance and kernel-level monitoring. Only signed drivers from trusted publishers should be allowed, and all driver installations must be closely monitored. Maintaining a robust patch management schedule and upgrading endpoint protection to include real-time kernel activity monitoring are essential to mitigating these threats. Trend Micro highlighted that Warlock’s reliance on vulnerable drivers illustrates how attackers are increasingly targeting the core of system security, emphasizing the importance of multilayered defenses. This ongoing activity underscores the need for vigilance and proactive security measures to prevent ransomware groups from exploiting vulnerabilities in both software and hardware layers.
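One way to put the driver-governance advice above into practice, as an added example that is not code from the article, Talos or Trend Micro: triage Sysmon DriverLoad (Event ID 6) records, flagging the driver names the article associates with these intrusions, unsigned or invalidly signed drivers, and signers outside a trusted-publisher allowlist. The allowlist, signer names and sample records are constructed for illustration.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD indicators."""
from dataclasses import dataclass, field
from typing import List, Optional
import os

# Driver file names the article links to Qilin and Warlock BYOVD activity.
NAMED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys", "nseckrnl.sys", "throttlestop.sys"}

# Constructed allowlist of publishers permitted to load kernel drivers (assumption).
TRUSTED_SIGNERS = {"Microsoft Windows", "Contoso Security Ltd"}


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def triage(record: dict) -> Optional[Finding]:
    """Return a Finding when a driver-load record violates the policy, else None."""
    image = record.get("ImageLoaded", "")
    name = os.path.basename(image.replace("\\", "/")).lower()
    reasons = []
    if name in NAMED_DRIVERS:
        reasons.append(f"{name} matches a driver used for EDR termination")
    signed = record.get("Signed", "false").lower() == "true"
    if not signed or record.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature did not validate")
    elif record.get("Signature") not in TRUSTED_SIGNERS:
        reasons.append(f"signer {record.get('Signature')!r} is not an allowed publisher")
    return Finding(image, reasons) if reasons else None


def triage_all(records) -> List[Finding]:
    return [f for f in (triage(r) for r in records) if f]


# Constructed Sysmon Event ID 6 records (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\rwdrv.sys", "Signed": "true",
     "Signature": "Example Hardware Tools Inc", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\ProgramData\hlpdrv.sys", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding.image, "->", "; ".join(finding.reasons))
```

A validly signed driver from a known vendor can still be a vulnerable one, which is why the name match is kept as a separate reason rather than trusting the signature alone.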
