msimg32.dll hits the endpoint. Boom — EDRs start dropping, one by one, over 300 of them from every big-name vendor you can think of. Cisco Talos catches Qilin mid-kill, and it’s not pretty.
This isn’t some script-kiddie hack. It’s a meticulously crafted chain, starting with DLL side-loading that most scanners still miss. Talos researchers peel it back: the loader preps the battlefield, nukes user-mode hooks, mutes ETW logs, hides its tracks. Then the real payload decrypts in memory, invisible.
Two drivers seal the deal. rwdrv.sys — that’s ThrottleStop.sys in disguise — dives into physical memory. hlpdrv.sys hunts processes tied to those EDR drivers. Gone in seconds.
“The first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component,” Talos researchers Takahiro Takeda and Holger Unterbrink said. “This secondary payload is embedded within the loader in an encrypted form.”
And here’s the kicker — these same drivers popped up with Akira and Makop ransomware. Reuse at scale. Qilin’s on a tear too: CYFIRMA pegs them as Japan’s top ransomware scourge in 2025, 16.4% of incidents.
How Does Qilin’s Loader Stay Stealthy?
Look, evasion’s old hat, but this? Surgical. It unregisters EDR callbacks before loading the second driver — no alerts, no interference. Talos calls it sophisticated circumvention of modern EDR tricks (yeah, the irony).
Qilin doesn’t rush. They steal creds for entry, then linger — average six days to ransomware drop. That’s time to burrow deep, expand laterally. Post-compromise obsession, they call it. Smart? Terrifying.
Shift to Warlock. Aka Water Manaul. They’re exploiting unpatched SharePoint holes, swapping drivers like outfits. Ditched googleApiUtil64.sys for NSecKrnl.sys — another vuln gem — to torch security at kernel level.
PsExec for hopping boxes. RDP Patcher for multi-sessions. TightVNC for backdoors. Velociraptor as C2. Even Visual Studio Code tunneling via Cloudflare, Rclone stealing data, Yuze piercing intranets over HTTP/443/DNS. January 2026, they flexed all this.
Why Is Warlock’s Toolbelt So Damn Versatile?
Warlock mixes legit tools with malice — that’s the genius. Dev tools like VS Code? Who blocks that? Cloudflare Tunnel? Enterprise staple. It’s living-off-the-land on steroids, persistence baked in.
But back to BYOVD. Bring Your Own Vulnerable Driver. Attackers grab signed-but-broken drivers (often from legit software), load ‘em kernel-side, and own ring 0. EDRs? Useless against kernel peers.
This echoes the Sony BMG rootkit fiasco from 2005 — remember? They hid DRM with a faulty driver, crippled machines, sparked outrage. Flip it: now crooks abuse similar flaws for extortion. My take? BYOVD’s the new rootkit era, but democratized. No nation-state polish needed.
Qilin’s DLL array alone — neutralizing hooks, ETW suppression, control-flow obfuscation — screams evolution. They’re not just disabling; they’re rewriting the kernel conversation.
Trend Micro chimes in on Warlock: kernel integrity’s the fix. But most orgs? Still on basic AV. Driver governance? Rare.
Is BYOVD the End of Traditional EDR?
Short answer: getting there. With 300+ vendors hit, it’s not vendor-specific. It’s architectural. EDRs hook userland and kernel, but BYOVD slips under. Prediction: we’ll see EDRs flee to hardware enclaves — think Intel SGX or ARM TrustZone — where drivers can’t touch. Software-only defenses? Doomed.
Organizations scramble now. Talos pushes early detection. But six-day dwell? That’s a red flag parade ignored.
Counterplay exists. Whitelist signed drivers from trusted publishers only. Watch driver loads like hawks. Patch relentlessly — especially driver components. Multilayer: kernel monitoring, behavioral baselines.
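One way to put that advice into practice, as an added example (not the article's, Talos's or any vendor's code): a small Python triage of Sysmon DriverLoad (Event ID 6) records that flags the driver names this article cites, then applies a publisher allowlist and a load-path check. The allowlist, the sample events and the publisher strings are assumptions constructed for illustration.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records against a driver allowlist (constructed example)."""

# Driver file names the article ties to BYOVD-based EDR killing.
KNOWN_ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys", "nseckrnl.sys", "googleapiutil64.sys"}
# Hypothetical publisher allowlist (assumption: build yours from a real driver inventory).
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
# Kernel drivers normally live here; a load from elsewhere deserves a second look.
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def classify_driver_load(event: dict) -> tuple[str, str]:
    """Return (verdict, reason) for one DriverLoad record: 'alert', 'review' or 'allow'."""
    path = event.get("ImageLoaded", "").lower()
    name = path.rsplit("\\", 1)[-1]
    signed = str(event.get("Signed", "")).lower() == "true"
    publisher = event.get("Signature", "")
    status = event.get("SignatureStatus", "")
    # A valid signature proves nothing by itself: BYOVD drivers are validly signed by design,
    # so the known-abused list is checked before any signature logic.
    if name in KNOWN_ABUSED_DRIVERS:
        return "alert", f"known abused driver {name} (signed={signed}, publisher={publisher!r})"
    if not signed or status != "Valid":
        return "alert", f"unsigned or invalid signature: {name}"
    if publisher not in TRUSTED_PUBLISHERS:
        return "review", f"{name} signed by non-allowlisted publisher {publisher!r}"
    if not path.startswith(EXPECTED_DRIVER_DIR):
        return "review", f"{name} loaded from unusual path {path}"
    return "allow", f"{name} signed by {publisher!r} from expected path"

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group reasons by verdict so an analyst sees alerts first."""
    out: dict[str, list[str]] = {"alert": [], "review": [], "allow": []}
    for ev in events:
        verdict, reason = classify_driver_load(ev)
        out[verdict].append(reason)
    return out

# Constructed sample records (not real telemetry); field names mirror Sysmon Event ID 6.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\volmgr.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\rwdrv.sys", "Signed": "true",
     "Signature": "Example Hardware Tools", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\hlpdrv.sys", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"ImageLoaded": "C:\\Windows\\Temp\\vendor.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]
```

Run `triage(SAMPLE_EVENTS)` to see the signed rwdrv.sys land in the alert bucket despite its valid signature, which is the whole point of keeping an abused-driver list next to the publisher allowlist.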
Yet Qilin’s rise — hundreds claimed — shows gaps persist. Japan alone, 22 hits. Global? Exponential.
Warlock’s persistence upgrades? They’re not stopping. SharePoint vulns linger because patching’s hard. Tool diversity means sigs fail.
The why here cuts deep. Ransomware’s not spray-and-pray anymore. It’s patient, kernel-savvy ops. Architectural shift: attackers live kernel-side longer, forcing defenders to match.
One punchy truth: if your EDR relies on drivers, it’s BYOVD bait. Time to rethink.
Frequently Asked Questions
What is BYOVD in ransomware?
BYOVD means attackers load their own vulnerable, signed drivers to gain kernel access and disable security tools like EDRs.
How do Qilin and Warlock disable over 300 EDRs?
They use loaders to evade detection, then drivers like rwdrv.sys and hlpdrv.sys to terminate EDR processes and callbacks at kernel level.
Can you block BYOVD attacks?
Yes — enforce driver whitelisting, monitor installs, patch drivers fast, and layer defenses beyond software EDR.