Qilin Ransomware Deploys Multi-Stage EDR Killer to Neutralize Endpoint Defenses

April 11th, 2026

High

Our Cyber Threat Intelligence Unit is tracking a sophisticated, multi-stage infection chain deployed by the Qilin ransomware group (also known as Agenda, Gold Feather, and Water Galura). This campaign can disable over 300 endpoint detection and response (EDR) solutions before executing its ransomware payload. Qilin uses a malicious dynamic-link library (DLL) to deliver an EDR killer component entirely in memory, which leaves minimal forensic evidence and bypasses conventional antivirus defenses. By removing endpoint security visibility before encryption, the group greatly reduces the chances of detection and effective response. Qilin operates as a ransomware-as-a-service (RaaS) group and claims over 40 victims per month, making it one of the most active ransomware operations currently observed. This campaign highlights a broader industry trend where disabling security layers has become a standard pre-encryption tactic for advanced ransomware operators.

Technical Details

Severity: High

Threat Type: Ransomware with kernel-level EDR evasion

Attack Vector: DLL side-loading

Affected Systems: Windows endpoints running EDR or antivirus solutions without HVCI enforcement

Threat Actor: Qilin ransomware group (RaaS); geo-fencing behavior consistent with Russian-affiliated threat actor TTPs

Attack Chain:

  • Stage 1: DLL Side-Loading

    • The infection begins when a legitimate Windows application (e.g., FoxitPDFReader.exe) side-loads a malicious msimg32.dll in place of the genuine Windows system library.

    • The rogue DLL forwards expected API calls to the real library at C:\Windows\System32 to preserve normal application behavior, while triggering its malicious logic from the DllMain function on load.

  • Stage 2: In-Memory Loader and EDR Evasion

    • An encrypted EDR killer payload embedded within the DLL passes through multiple loader stages before execution. Key evasion techniques include:

      • SEH/VEH obfuscation: Exception handling mechanisms are weaponized to conceal API calls and transfer execution between stages.

      • ETW suppression: Event Tracing for Windows is neutralized at runtime, removing behavioral telemetry available to defenders.

      • Halo's Gate syscall bypass: The loader scans ntdll.dll for clean, unhooked syscall stubs to invoke system calls while bypassing EDR-monitored APIs.

      • Kernel object manipulation: The .mrdata section of ntdll.dll is overwritten to redirect exception handling to a custom routine.

      • Anti-debugging: The malware checks for breakpoints on KiUserExceptionDispatcher and crashes if one is detected.

      • Geo-fencing: If a post-Soviet locale is detected, the malware terminates, a recognized TTP of Russian-affiliated ransomware operators.

    • The final payload is decrypted and mapped into memory via shared memory views, ensuring it never touches disk in an unencrypted state.

  • Stage 3: Kernel-Level EDR Elimination

    • After privilege escalation, the malware loads two kernel-level drivers:

      • rwdrv.sys: A renamed, legitimately signed version of ThrottleStop.sys (TechPowerUp LLC), abused to bypass Windows Driver Signature Enforcement and perform direct physical memory read/write operations.

      • hlpdrv.sys: A custom malicious driver that terminates protected EDR processes via IOCTL code 0x2222008.

    • Using rwdrv.sys, the malware iterates a hardcoded list of over 300 EDR driver names and unregisters their monitoring callbacks for process creation, thread creation, and image loading events, eliminating EDR visibility at the kernel level.

    • The CiValidateImageHeader callback is temporarily overwritten to disable Windows Code Integrity enforcement during execution, then restored to reduce forensic evidence.

Impact

  • EDR telemetry across process creation, memory, and network activity is eliminated before ransomware deployment, significantly reducing detection probability.

  • File encryption causes operational disruption and potential data loss.

  • Data exfiltration prior to encryption supports Qilin's double-extortion model.

  • In-memory execution, ETW suppression, and Code Integrity restoration complicate post-incident forensics.

  • Organizations relying on a single endpoint security layer face the highest exposure.

Detection Method

  • Alert on msimg32.dll loaded from outside C:\Windows\System32, particularly by applications with no legitimate reason to import this library (e.g., FoxitPDFReader.exe).

  • Monitor for installation or loading of rwdrv.sys and hlpdrv.sys.

  • Detect physical memory access IOCTLs issued from unexpected processes.

  • Alert on sudden EDR telemetry loss or logging gaps, which may indicate active callback unregistration.

  • Monitor for privilege escalation followed by kernel driver loading activity.

  • Review for process termination events targeting known security product processes.

  • Deploy the following detection signatures from Cisco Talos:

    • ClamAV:

      • Win.Malware.Bumblebee-10056548-0

      • Win.Tool.EdrKiller-10059833-0

      • Win.Tool.ThrottleStop-10059849-0

    • Snort 2 SIDs:

      • 66181

      • 66180

    • Snort 3 SID:

      • 301456
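The detection items above, worked into a small triage script as an added example (not the advisory's own tooling or a Talos signature): it scans Sysmon-style image-load and driver-load records for msimg32.dll loaded from outside the Windows system directories, for the driver names listed above, and for the SHA-256 values from the IoC table. The event records are constructed; treating SysWOW64 as a second legitimate home for msimg32.dll is an assumption made here so 32-bit processes do not trip the rule.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
# SHA-256 values copied from the advisory's IoC table
KNOWN_BAD_SHA256 = {
    "7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497": "msimg32.dll loader",
    "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0": "rwdrv.sys (renamed ThrottleStop.sys)",
    "bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56": "hlpdrv.sys",
    "12fcde06ddadf1b48a61b12596e6286316fd33e850687fe4153dfd9383f0a4a0": "in-memory EDR killer",
}
# Driver names from the advisory; throttlestop.sys is included because rwdrv.sys is a rename of it
SUSPICIOUS_DRIVERS = {"rwdrv.sys", "hlpdrv.sys", "throttlestop.sys"}
# System32 per the advisory; SysWOW64 is an assumption added here so 32-bit processes do not alert
TRUSTED_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

@dataclass
class LoadEvent:
    event_id: int  # Sysmon-style: 7 = image load, 6 = driver load
    image: str     # process that performed the load
    loaded: str    # full path of the DLL or driver
    sha256: str = ""

def is_under(path: str, parent: str) -> bool:
    # Case-insensitive containment check (NTFS paths are case-insensitive)
    return PureWindowsPath(path.lower()).is_relative_to(PureWindowsPath(parent.lower()))

def triage(ev: LoadEvent) -> list:
    """Return findings for one event; an empty list means nothing notable."""
    findings = []
    name = PureWindowsPath(ev.loaded).name.lower()
    if ev.sha256.lower() in KNOWN_BAD_SHA256:
        findings.append("known IoC hash: " + KNOWN_BAD_SHA256[ev.sha256.lower()])
    if ev.event_id == 7 and name == "msimg32.dll" and not any(is_under(ev.loaded, d) for d in TRUSTED_DLL_DIRS):
        findings.append(f"msimg32.dll side-load candidate: {ev.image} loaded {ev.loaded}")
    if ev.event_id == 6 and name in SUSPICIOUS_DRIVERS:
        findings.append(f"suspicious driver load: {ev.loaded}")
    return findings

def scan(events: list) -> dict:
    # Map event index -> findings for each event that produced at least one finding
    return {i: f for i, ev in enumerate(events) if (f := triage(ev))}
# Constructed sample events (not real telemetry); the two hashes are from the IoC table
SAMPLE_EVENTS = [
    LoadEvent(7, r"C:\Program Files\Foxit\FoxitPDFReader.exe", r"C:\Windows\System32\msimg32.dll"),
    LoadEvent(7, r"C:\Users\Public\FoxitPDFReader.exe", r"C:\Users\Public\msimg32.dll",
              "7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497"),
    LoadEvent(6, "System", r"C:\Windows\Temp\rwdrv.sys",
              "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0"),
    LoadEvent(7, r"C:\Program Files (x86)\App\app.exe", r"C:\Windows\SysWOW64\msimg32.dll"),
    LoadEvent(6, "System", r"C:\Windows\System32\drivers\hlpdrv.sys"),
]
```

Running scan(SAMPLE_EVENTS) flags events 1, 2 and 4 and leaves the two loads from the system directories alone; a hash hit and a path hit on the same event are reported as two separate findings so either rule can fire on its own.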

Indicators of Compromise

Type     Indicator                                                          File Name    Description
SHA-256  7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497   msimg32.dll  Malicious DLL loader
SHA-256  16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0   rwdrv.sys    Abused legitimate signed driver
SHA-256  bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56   hlpdrv.sys   Custom malicious kernel driver
SHA-256  12fcde06ddadf1b48a61b12596e6286316fd33e850687fe4153dfd9383f0a4a0   N/A          Final payload: in-memory EDR killer delivered via msimg32.dll


Recommendations

  • Enable HVCI: Hypervisor-Protected Code Integrity is the most effective control against BYOVD-based driver abuse and should be enforced across all supported endpoints.

  • Block known vulnerable drivers: Add ThrottleStop.sys and its variants to Microsoft's Vulnerable Driver Blocklist.

  • Harden EDR tamper protection: Ensure tamper protection is active on all endpoint security solutions.

  • Layer defenses: Supplement endpoint controls with network detection, SIEM correlation, and behavioral analytics.

  • Monitor driver and DLL activity: Alert on unexpected kernel driver installation and msimg32.dll loading from non-system paths.

  • Address initial access vectors: Qilin is known to use credentials sourced from dark web markets. Enforce MFA, monitor for credential exposure, and review VPN authentication logs for NTLM brute-force patterns.

  • Deploy Talos detection signatures: Apply the ClamAV and Snort rules listed under Detection Method above.

  • Test recovery procedures: Validate backup integrity and ransomware response plans given the reduced dwell-time detection window this malware creates.

Conclusion

The Qilin ransomware group’s use of a kernel-level EDR killer represents a major advancement in pre-ransomware tactics. By unregistering EDR monitoring callbacks across more than 300 security products before payload execution, the group disables the defense layer instead of merely evading it. The malware’s use of legitimate signed drivers, in-memory execution, ETW suppression, and Code Integrity bypass demonstrates advanced operational capabilities. Organizations should implement defense-in-depth strategies that go beyond endpoint detection, prioritizing HVCI enforcement, driver allow-listing, and multi-source telemetry to maintain visibility even when a single defensive layer is compromised.