
Qilin and Warlock Ransomware Exploit Vulnerable Drivers to Disable Over 300 EDR Tools


Cybersecurity Alert: Qilin and Warlock Ransomware Groups Utilize Advanced Techniques to Evade Detection

Recent findings from cybersecurity experts at Cisco Talos and Trend Micro have unveiled alarming tactics employed by the Qilin and Warlock ransomware operations. The threat actors behind these malicious schemes have been observed utilizing a technique known as Bring Your Own Vulnerable Driver (BYOVD) to neutralize security tools on compromised systems. This sophisticated method allows them to bypass protections, exposing critical vulnerabilities in endpoint security measures.

In their analysis, Talos detailed how Qilin’s attacks deploy a malicious Dynamic Link Library (DLL) with the name “msimg32.dll.” This DLL initiates a multi-stage infection chain designed to disable Endpoint Detection and Response (EDR) solutions, making it particularly dangerous for organizations relying on these security measures. The DLL is launched through DLL side-loading, a method that enables the malware to terminate over 300 different EDR drivers from nearly every major security vendor in the marketplace, thus rendering these defenses ineffective.

According to Talos researchers Takahiro Takeda and Holger Unterbrink, the first stage of the attack involves a Portable Executable (PE) loader that prepares the execution environment for the subsequent EDR killer component. The secondary payload, which is embedded within the loader in encrypted form, showcases a level of sophistication that makes detection especially challenging.

Evasive Maneuvers and Control

The DLL loader employs a variety of techniques to evade detection effectively. It disables user-mode hooks, suppresses Event Tracing for Windows (ETW) event logs, and conceals control flow as well as API invocation patterns. These measures ensure that the main EDR killer payload can be decrypted, loaded, and executed entirely in memory without alerting security protocols.

Once activated, the malware leverages two essential drivers:

  1. rwdrv.sys: A renamed version of "ThrottleStop.sys," this driver is crucial for accessing the system’s physical memory and acts as a kernel-mode hardware access layer.
  2. hlpdrv.sys: This driver is specifically designed to terminate processes associated with over 300 different EDR drivers from various security vendors.

Prior to launching the second driver, the EDR killer component unregisters the monitoring callbacks established by EDRs, ensuring that process termination can proceed without interference. This meticulous strategy highlights the advanced tricks the malware employs to circumvent modern EDR protection features on compromised systems.

Rising Threat Levels

Statistical data compiled by firms such as CYFIRMA and Cynet indicate that Qilin has emerged as one of the most active ransomware groups in recent months, claiming hundreds of victims across various sectors. The group has been linked to 22 out of 134 recorded ransomware incidents in Japan for 2025, accounting for approximately 16.4% of all attacks during that period.

Notably, Talos has pointed out that Qilin predominantly relies on stolen credentials for initial access. Once they gain a foothold in a target environment, the group places significant emphasis on post-compromise actions to methodically expand control and maximize impact. On average, ransomware execution occurs roughly six days after the initial breach, underscoring the pressing need for organizations to detect malicious activities at the earliest stages to thwart ransomware deployment.

Warlock Ransomware Group: Continued Exploitation

Concurrently, the Warlock ransomware group, also known as "Water Manaul," is actively exploiting unpatched Microsoft SharePoint servers. The group is in the process of improving its toolset to ensure enhanced persistence, lateral movement, and defense evasion. Noteworthy tools such as TightVNC for persistent control and a legitimate yet vulnerable NSec driver in BYOVD attacks have been observed. This combination allows Warlock to target security products at the kernel level, rendering them ineffective against ongoing threats.

In addition to the aforementioned techniques, Warlock employs several other tools during its attacks, including:

  • PsExec for lateral movement.
  • RDP Patcher for facilitating concurrent RDP sessions.
  • Velociraptor for command-and-control (C2).
  • Visual Studio Code and Cloudflare Tunnel for facilitating C2 communications.
  • Yuze for intranet penetration and creating reverse proxy connections.
  • Rclone for data exfiltration.

Mitigation Strategies Required

To combat BYOVD threats effectively, experts recommend organizations enforce strict policies around driver governance. This includes only permitting signed drivers from trusted publishers, closely monitoring driver installation events, and maintaining a rigorous patch management schedule for security solutions, particularly those with driver-based components that could be exploited by malicious actors.
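The driver-governance checks recommended above can be expressed as detection logic over driver-load telemetry. The following is an added example, not code from Talos or Trend Micro: it evaluates Sysmon Event ID 6 ("Driver loaded") records against a publisher allowlist, a vulnerable-driver hash blocklist and a load-path rule. The allowlist, the blocklist hash, the vendor names and the sample events are all constructed for illustration.

```python
# Added example, not code from Talos or Trend Micro: checks Sysmon Event ID 6
# ("Driver loaded") records against a driver-governance policy. The allowlist,
# blocklist hash, publisher names and sample events are all constructed.
import re

TRUSTED_PUBLISHERS = {"Microsoft Windows", "Example Trusted Vendor"}
# Stand-in for a vulnerable-driver blocklist (e.g. Microsoft's recommended
# driver block rules); the hash is a placeholder, not a real ThrottleStop hash.
BLOCKED_SHA256 = {"A" * 64: "ThrottleStop.sys (placeholder)"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def parse_event(text):
    """Turn the 'Key: value' lines of a Sysmon event message into a dict."""
    return dict(re.findall(r"^(\w+):\s*(.*)$", text, re.MULTILINE))

def sha256_of(hashes_field):
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes_field)
    return m.group(1).upper() if m else None

def evaluate(event_text):
    """Return policy findings for one driver-load event (empty list = allowed)."""
    ev = parse_event(event_text)
    findings = []
    image = ev.get("ImageLoaded", "")
    # Rule 1: only validly signed drivers from allowlisted publishers.
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        findings.append("unsigned or invalid signature")
    elif ev.get("Signature") not in TRUSTED_PUBLISHERS:
        findings.append("publisher not allowlisted: " + ev.get("Signature", "?"))
    # Rule 2: a valid signature does not help if the driver is known-vulnerable.
    digest = sha256_of(ev.get("Hashes", ""))
    if digest in BLOCKED_SHA256:
        findings.append("hash on vulnerable-driver blocklist: " + BLOCKED_SHA256[digest])
    # Rule 3: drivers loaded from outside the system driver directory stand out.
    if not image.lower().startswith(SYSTEM_DRIVER_DIR):
        findings.append("loaded from outside driver directory: " + image)
    return findings

# Constructed sample events in Sysmon's Event ID 6 message layout.
SAMPLE_EVENTS = [
    "Driver loaded:\nImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys\n"
    "Hashes: SHA256=" + "B" * 64 + "\nSigned: true\nSignature: Microsoft Windows\n"
    "SignatureStatus: Valid",
    "Driver loaded:\nImageLoaded: C:\\Windows\\Temp\\rwdrv.sys\n"
    "Hashes: SHA256=" + "A" * 64 + "\nSigned: true\nSignature: Example Hardware Vendor\n"
    "SignatureStatus: Valid",
    "Driver loaded:\nImageLoaded: C:\\Windows\\Temp\\hlpdrv.sys\n"
    "Hashes: SHA256=" + "C" * 64 + "\nSigned: false\nSignature: -\nSignatureStatus: Unavailable",
]
```

Running `evaluate` over each entry of `SAMPLE_EVENTS` yields no findings for the first record and several for the two renamed or unsigned drivers, which is the signal a driver-installation monitor should raise for review.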

Trend Micro emphasizes that Warlock’s use of vulnerable drivers to disable security controls necessitates a multilayered defense focused on maintaining kernel integrity. Organizations must move beyond basic endpoint protection to encompass real-time monitoring of kernel-level activities, thereby providing a robust defense against these sophisticated threats.

As the scale and complexity of ransomware attacks continue to rise, it becomes imperative for organizations to adopt proactive security measures, ensuring they are well-equipped to combat these evolving threats.
