Threat actors tied to Qilin and Warlock ransomware have used vulnerable drivers to disable security software on compromised systems, according to a technical analysis by Cisco Talos and Trend Micro. The findings say Qilin’s tool can terminate more than 300 endpoint detection and response drivers from major vendors.
KEY FACTS
- Qilin tool: A malicious DLL named msimg32.dll starts a multi-stage chain that can disable EDR products.
- Drivers used: The malware uses rwdrv.sys and hlpdrv.sys to access memory and kill security processes.
- Warlock activity: The group has used TightVNC, PsExec, RDP Patcher, Velociraptor, Cloudflare Tunnel, Yuze and Rclone.
- Scope: Qilin has been linked to 22 of 134 ransomware incidents reported in Japan in 2025.
The report says the Qilin loader uses DLL side-loading and in-memory execution to evade detection. It also suppresses Event Tracing for Windows (ETW) logging, neutralizes user-mode hooks and hides its control flow and API call patterns while it prepares the main payload.
Talos said the malware first unregisters monitoring callbacks established by security tools before loading the second driver. That step helps the process-killing component run without interference.
The disclosure says Warlock has continued to abuse unpatched Microsoft SharePoint servers and has updated its toolkit for persistence, lateral movement and defense evasion. It noted the group has used a legitimate but vulnerable NSec driver, NSecKrnl.sys, to terminate security products at the kernel level.
Researchers said ransomware execution occurred about six days after initial compromise on average. They recommended strict driver governance, patching and monitoring of driver installation events to reduce the risk of bring-your-own-vulnerable-driver (BYOVD) attacks.
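As an added illustration of that monitoring recommendation (example code written for this article, not tooling from the Talos or Trend Micro report), the following Python script triages constructed, Sysmon-style "driver loaded" log lines in a hypothetical key=value shape. It flags loads of the driver names the article mentions, loads from outside the system drivers directory, and drivers that are not signed.

```python
import re
from collections import namedtuple

# Driver file names the report ties to the Qilin and Warlock intrusions.
KNOWN_ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys", "nseckrnl.sys"}
EXPECTED_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample events; the key=value layout is a hypothetical flattening
# of a Sysmon Event ID 6 ("Driver loaded") record, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\rwdrv.sys Signed=true Signature=Some Vendor",
    "EventID=6 ImageLoaded=C:\\ProgramData\\tmp\\hlpdrv.sys Signed=false Signature=-",
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\NSecKrnl.sys Signed=true Signature=NSec",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe",
]

Finding = namedtuple("Finding", "path reasons")
# Splits "Key=value" pairs; values may contain spaces but not a " Key=" token.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Turn one flattened log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def assess_driver_load(event):
    """Return a Finding for a driver-load event worth reviewing, else None."""
    if event.get("EventID") != "6":
        return None  # only driver-load events are of interest here
    path = event.get("ImageLoaded", "")
    directory, _, name = path.lower().rpartition("\\")
    reasons = []
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append("known abused driver name")
    if directory != EXPECTED_DRIVER_DIR:
        reasons.append("loaded from outside the system drivers directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return Finding(path, reasons) if reasons else None


def scan(lines):
    """Run every log line through the checks and collect the findings."""
    findings = [assess_driver_load(parse_event(line)) for line in lines]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.path, "->", "; ".join(finding.reasons))
```

Name matching alone is a weak signal, since a vulnerable driver can be renamed and is often legitimately signed; in production, pair this with hash- or signer-based driver allowlisting and Microsoft's vulnerable driver blocklist.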
WHY IT MATTERS
The findings show how ransomware crews are combining stolen access, vulnerable drivers and living-off-the-land tools to weaken defenses before encryption begins. That makes early detection and kernel-level monitoring more important for organizations trying to stop attacks before they spread.

