BYOVD Ransomware Attacks Now Capable of Defeating Every Major EDR Product
| Group | Qilin (RaaS, cybercriminal); Warlock aka Water Manaul (cybercriminal) |
| Type | Ransomware with BYOVD EDR Killer |
| Malware | msimg32.dll (DLL sideload loader); rwdrv.sys (kernel memory driver); hlpdrv.sys (EDR killer driver); NSecKrnl.sys (Warlock BYOVD driver); Qilin ransomware; LockBit-derived Warlock payload (.x2anylock) |
| Score | 🔴 9.5 Critical. Two active RaaS groups have deployed kernel-level tooling capable of silencing virtually every EDR product on the market before detonating ransomware, with no patch available for the BYOVD attack surface. |
| Observed | 8 April 2026 |
Overview
Qilin and Warlock, two of the most active ransomware operations currently tracked, are independently deploying bring your own vulnerable driver (BYOVD) techniques to kill endpoint detection and response (EDR) software before detonating ransomware payloads. Research published this week by Cisco Talos and Trend Micro confirms that both groups now carry kernel-level tooling capable of terminating more than 300 EDR drivers, effectively covering every major security vendor's product line.
The Qilin campaign deploys a malicious DLL named msimg32.dll via DLL side-loading using the legitimate FoxitPDFReader.exe binary. This DLL functions as a four-stage loader that executes entirely in memory, ultimately installing two unsigned kernel drivers that strip EDR protections from the system before ransomware is released. The drivers, rwdrv.sys and hlpdrv.sys, were previously observed in Akira ransomware campaigns, suggesting shared tooling or a common developer across multiple RaaS affiliate pools.
Warlock, tracked by Trend Micro as Water Manaul, enters via unpatched Microsoft SharePoint servers and has updated its post-exploitation toolkit with a new BYOVD driver, NSecKrnl.sys, which replaces the googleApiUtil64.sys driver used in earlier campaigns. The group leverages Active Directory Group Policy (GPO) to distribute ransomware domain-wide, encrypting files with the .x2anylock extension. Warlock operators have been confirmed spending up to 15 days inside victim networks before executing ransomware, using that time to exfiltrate data and position for maximum impact.
The convergence on BYOVD across multiple unrelated ransomware groups signals a broader market shift. Tooling that was previously associated with nation-state actors is now a commodity available to financially motivated affiliates. Organisations relying on EDR as their primary detection and response control need to act on the mitigations in this advisory without delay.
Key Details
Delivery Method – Qilin: DLL side-loading via FoxitPDFReader.exe loading a malicious msimg32.dll; Warlock: exploitation of unpatched Microsoft SharePoint servers followed by web shell deployment
Target – Healthcare, education, finance, technology, manufacturing, and government sectors; primary geographic focus on the United States, Germany, and Russia; Australian and United Kingdom organisations confirmed among recent Qilin victims
Functions
- Terminates 300+ EDR drivers from virtually every security vendor via kernel-level manipulation
- Unregisters EDR monitoring callbacks before process termination to prevent alerts from firing
- Suppresses Event Tracing for Windows (ETW) to eliminate security telemetry
- Executes the EDR killer payload entirely in memory across four stages, with no new files written to disk during execution
- Deploys ransomware domain-wide via Active Directory GPO, staging payloads in SYSVOL and NETLOGON shares for execution at next boot (Warlock)
- Exfiltrates data prior to encryption using a renamed Rclone binary (Warlock)
- Maintains persistent GUI-based remote access via TightVNC deployed silently as a Windows service (Warlock)
- Encrypts files with .x2anylock extension derived from the LockBit codebase (Warlock)
Obfuscation – Qilin's loader implements SEH/VEH-based control flow obfuscation, Halo's Gate indirect syscall bypass, kernel object manipulation, and anti-debugging checks throughout the four-stage chain. Warlock disguises tools as legitimate security product names (TrendSecurity.exe, TrendFileSecurityCheck.exe) to blend with expected process activity during post-exploitation.
Attack Vectors
Stage 1 — Initial Access: Qilin affiliates gain a foothold via exploitation of internet-facing services, credential theft, or phishing. Once inside, the actor deploys FoxitPDFReader.exe alongside a malicious msimg32.dll placed in the same directory. When Foxit launches, Windows loads the rogue DLL via standard DLL search order hijacking. The DLL forwards all legitimate API calls to the genuine msimg32.dll in System32, preventing application crashes that would draw analyst attention.
Stage 2 — Multi-Stage In-Memory Loader: The malicious DLL contains an encrypted payload that decrypts across three progressive loader stages, each implementing stronger anti-analysis controls: ETW suppression prevents security tooling from recording events, Halo's Gate bypasses syscall hooks, SEH/VEH-based obfuscation hides execution flow, and kernel object manipulation disrupts debugging attempts. The final payload is decrypted and injected entirely in memory, producing no new artefacts on disk.
Stage 3 — BYOVD Driver Deployment: The in-memory payload drops two kernel drivers to the %TEMP% directory. The first, rwdrv.sys, is a renamed and legitimately signed copy of ThrottleStop.sys from TechPowerUp LLC; it provides direct read/write access to physical memory and kernel structures. The second, hlpdrv.sys, uses that access to terminate protected EDR processes. Before terminating anything, the malware unregisters EDR monitoring callbacks so the process kills complete without triggering any surviving alert pipeline.
Stage 4 — Ransomware Execution: With all EDR products blinded, Qilin ransomware executes, encrypting data and establishing double-extortion leverage.
For Warlock, the chain begins with exploitation of unpatched Microsoft SharePoint servers. Targeted HTTP POST requests upload web shells that provide reconnaissance and credential theft capability. The actor establishes redundant covert C2 channels using Yuze (a C-based SOCKS5 proxy over ports 80, 443, and 53), VS Code tunnels, Velociraptor, and Cloudflare Tunnel. TightVNC is installed as a persistent Windows service via PsExec. Data is exfiltrated via a renamed rclone.exe binary. Before deploying ransomware, NSecKrnl.sys is registered as a kernel service to terminate security products, then ransomware payloads are staged in SYSVOL and NETLOGON shares for GPO-driven mass encryption at next domain boot.
Known Indicators of Compromise
Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.
File Hashes — Qilin EDR Killer Components
| Indicator | Type | Associated Actor |
|---|---|---|
| 7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497 | SHA256 — msimg32.dll (DLL sideload loader) | Qilin |
| 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 | SHA256 — rwdrv.sys (kernel memory driver) | Qilin |
| bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56 | SHA256 — hlpdrv.sys (EDR killer driver) | Qilin |
| 89ee7235906f7d12737679860264feaf | MD5 — msimg32.dll | Qilin |
| 6bc8e3505d9f51368ddf323acb6abc49 | MD5 — rwdrv.sys | Qilin |
| cf7cad39407d8cd93135be42b6bd258f | MD5 — hlpdrv.sys | Qilin |
Suspicious File Paths and Artefacts
| Indicator | Type | Associated Actor |
|---|---|---|
| msimg32.dll present outside C:\Windows\System32\ | Anomalous DLL placement | Qilin |
| %TEMP%\rwdrv.sys | Dropped kernel memory driver | Qilin |
| %TEMP%\hlpdrv.sys | Dropped EDR killer driver | Qilin |
| NSecKrnl.sys loaded as kernel driver service via sc create | BYOVD driver | Warlock |
| TrendSecurity.exe | Masquerading loader binary | Warlock |
| TrendFileSecurityCheck.exe | Rclone disguised as security tool | Warlock |
| .x2anylock file extension on encrypted files | Ransomware artefact | Warlock |
C2 Infrastructure — Warlock
| Indicator | Type | Associated Actor |
|---|---|---|
| 198[.]13[.]158[.]193 | Primary C2 IP (VPS hosted via blnwx[.]com) — single source, verify before blocking | Warlock |
MITRE ATT&CK Techniques
| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | msimg32.dll loaded by FoxitPDFReader.exe to initiate the Qilin four-stage EDR killer chain |
| T1068 | Exploitation for Privilege Escalation | BYOVD using rwdrv.sys and NSecKrnl.sys to acquire kernel-mode privileges |
| T1562.001 | Impair Defences: Disable or Modify Tools | Kernel drivers terminate 300+ EDR processes and unregister monitoring callbacks before ransomware runs |
| T1484.001 | Domain Policy Modification: Group Policy Modification | Warlock stages ransomware in SYSVOL/NETLOGON and executes domain-wide via GPO at boot |
| T1048 | Exfiltration Over Alternative Protocol | Warlock uses renamed Rclone (TrendFileSecurityCheck.exe) for pre-encryption data theft |
| T1543.003 | Create or Modify System Process: Windows Service | NSecKrnl.sys registered as a kernel driver service; TightVNC deployed as a persistent Windows service |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Warlock tools named to mimic Trend Micro product names to evade casual analyst scrutiny |
| T1569.002 | System Services: Service Execution | TightVNC deployed silently via PsExec for persistent GUI-based remote access |
Mitigation and Prevention
Enable Hypervisor-Protected Code Integrity Across All Endpoints
HVCI (Memory Integrity) is the single most effective control against BYOVD attacks and directly blocks both rwdrv.sys and NSecKrnl.sys from loading. Enable it via Windows Security under Device Security > Core Isolation > Memory Integrity, or deploy it via Group Policy at scale. Verify current HVCI status across all endpoints, as it is not enabled by default on older Windows installations and many enterprise builds disable it during imaging.
Deploy and Maintain the Microsoft Vulnerable Driver Blocklist
Microsoft's Vulnerable Driver Blocklist and the LOLDRIVERS project maintain curated lists of drivers abused in BYOVD attacks, including the ThrottleStop.sys binary that Qilin renames to rwdrv.sys. Deploy Windows Defender Application Control (WDAC) policies referencing the Microsoft recommended driver block rules and update the blocklist regularly. Threat actors rotate to new signed-but-vulnerable drivers when previous ones are blocked, so this is an ongoing operational requirement, not a one-time fix.
Patch Microsoft SharePoint Without Delay
Warlock's initial access vector has remained consistent across confirmed intrusions: unpatched SharePoint servers exposed to the internet. Apply all current cumulative updates to every SharePoint instance, restrict internet exposure to the minimum operationally required, and deploy a web application firewall in front of any public-facing SharePoint. Run Microsoft's published web shell detection scripts across all SharePoint servers to identify existing compromise.
Hunt for Anomalous DLL Placement
Create a detection rule to flag any msimg32.dll located outside C:\Windows\System32. There is no legitimate reason for this file to exist elsewhere, and its presence in any application directory is a reliable early indicator of the Qilin infection chain. Extend the hunt to cover DLL sideloading patterns involving FoxitPDFReader.exe, 7-Zip, and other commonly abused legitimate binaries that load msimg32 at launch.
Monitor Kernel Driver Installation Events
Alert on Windows Event ID 7045 (new service installed) and Event ID 219 (driver failed to load) for any kernel driver installed from %TEMP%, user profile directories, or SYSVOL. Sysmon with DriverLoad events (Event ID 6) provides reliable visibility. Any driver load from a non-standard path should be treated as high-priority and investigated immediately, especially where the driver filename does not match known allowlisted products.
Restrict and Audit Group Policy Modification Rights
Warlock's mass distribution method depends entirely on the ability to modify GPOs and write executables to SYSVOL. Limit GPO edit permissions to a tightly controlled set of privileged accounts, enable GPO change auditing via Advanced Audit Policy, and review SYSVOL and NETLOGON share contents for executables that do not belong. Implement tiered administration to limit the blast radius if a domain administrator account is compromised during the post-exploitation phase.
Detect Rclone Abuse and Covert C2 Tooling
Deploy hash-based detection for rclone.exe regardless of the process name it is running under, as renaming is Warlock's standard evasion. Alert on VS Code tunnel, Velociraptor agent, and Cloudflare Tunnel binaries executing outside authorised IT management contexts. Block outbound connections to cloud storage endpoints from servers with no documented business requirement, and monitor for SOCKS5 proxy activity on ports 80, 443, and 53 from server-class hosts.
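The three hunts above (anomalous msimg32.dll placement, kernel driver loads from non-standard paths, and renamed Rclone) can be expressed as one triage routine over Sysmon telemetry. The following Python is an added example written for this advisory, not code from Cisco Talos, Trend Micro or any vendor product; it assumes Sysmon events flattened to dicts with Sysmon's own field names (EventID 7 ImageLoad, 6 DriverLoad, 1 ProcessCreate), and the sample events are constructed. The ProcessCreate check goes slightly beyond the text: a renamed rclone.exe keeps its PE version-info OriginalFileName, which Sysmon records, so that mismatch complements the hash-based detection the advisory recommends.

```python
import ntpath

# Constructed sample Sysmon events, flattened to dicts. Field names follow
# Sysmon's schema (EventID 1 ProcessCreate, 6 DriverLoad, 7 ImageLoad).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\j.doe\Downloads\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Users\j.doe\Downloads\msimg32.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Foxit\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\j.doe\AppData\Local\Temp\rwdrv.sys",
     "Signature": "TechPowerUp LLC"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\TrendFileSecurityCheck.exe",
     "OriginalFileName": "rclone.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe"},
]

SYSTEM32 = r"c:\windows\system32"
# Directories the advisory names as never-legitimate driver load sources.
SUSPICIOUS_DRIVER_DIRS = ("\\temp\\", "\\users\\", "\\sysvol\\", "\\netlogon\\")
# Tools Warlock renames; the PE version info's OriginalFileName survives that.
RENAMED_TOOLS = {"rclone.exe"}

def _norm(path):
    return path.replace("/", "\\").lower()

def triage(event):
    """Return a finding string if the event matches a hunt rule, else None."""
    eid = event.get("EventID")
    if eid == 7:  # ImageLoad: msimg32.dll is only legitimate in System32
        loaded = _norm(event["ImageLoaded"])
        name, parent = ntpath.basename(loaded), ntpath.dirname(loaded)
        if name == "msimg32.dll" and parent != SYSTEM32:
            return f"msimg32.dll sideload: {event['ImageLoaded']} by {event['Image']}"
    elif eid == 6:  # DriverLoad: flag %TEMP%, user profiles, SYSVOL/NETLOGON
        loaded = _norm(event["ImageLoaded"])
        if any(d in loaded for d in SUSPICIOUS_DRIVER_DIRS):
            signer = event.get("Signature", "unknown")
            return f"driver from non-standard path: {event['ImageLoaded']} ({signer})"
    elif eid == 1:  # ProcessCreate: on-disk name vs PE OriginalFileName
        on_disk = ntpath.basename(_norm(event["Image"]))
        original = event.get("OriginalFileName", "").lower()
        if original in RENAMED_TOOLS and original != on_disk:
            return f"renamed tool: {event['Image']} is really {original}"
    return None

def triage_all(events):
    return [f for f in map(triage, events) if f]
```

Feed it the flattened output of a Sysmon event export; on the constructed sample it raises three findings and stays silent on the three benign events.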
Risk Assessment
Both Qilin and Warlock represent ransomware operations operating at the leading edge of defensive evasion capability. The core problem with the Qilin EDR killer is its vendor-agnostic scope. Targeting 300+ drivers from virtually every security vendor means no EDR product is reliably protected unless HVCI is enforced at the host level. Organisations running best-in-class endpoint products may believe they are adequately defended when the attacker has already silenced their protection before a single alert was generated.
Qilin has emerged as one of the most active ransomware groups by victim volume, claiming 22 of 134 incidents reported in Japan alone during 2025 and recording 70 attacks in a single 30-day window in mid-2025. The RaaS model means the EDR killer tooling is accessible to a broad affiliate pool, increasing the probability of encounter across every industry vertical. Warlock's targeting history shows consistent focus on technology, manufacturing, and government organisations across the United States, Germany, and Russia, with confirmed dwell times of up to 15 days before ransomware execution, suggesting thorough preparation and intent to maximise damage.
The broader signal is a market shift in ransomware tooling. Kernel-level EDR evasion was previously associated with nation-state actors and APT groups; it is now a commodity distributed through RaaS affiliate programmes. Defenders relying on EDR as their primary detection and response control need to layer in HVCI enforcement, driver allowlisting, network-based anomaly detection, and identity monitoring controls that function independently of the endpoint agent.
Conclusion
Enable HVCI on every Windows endpoint and push the Microsoft Vulnerable Driver Blocklist today. These two actions directly block the primary kernel-level evasion technique used by both Qilin and Warlock and are the highest-leverage mitigations available right now. SharePoint administrators should validate patch status and audit for web shells before close of business.
The deeper trend here is that the gap between nation-state tradecraft and criminal ransomware tooling has effectively closed. Kernel-level driver abuse, in-memory execution chains, and multi-stage anti-analysis techniques are now standard components of financially motivated ransomware operations. Detection strategies built around EDR as the last line of defence need to be revisited in favour of layered controls that remain effective when the endpoint agent is already dead.
Sources
- Cisco Talos — Qilin EDR killer infection chain (April 2026)
- The Hacker News — Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools (April 2026)
- Trend Micro — Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack (2026)
- Trend Micro — Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware (2025)
- CyberSecurityNews — Qilin Ransomware Uses Malicious DLL to Kill Almost Every Vendor's EDR Solutions (April 2026)