InfoSecBulletin Cybersecurity for mankind
Threat groups linked to Qilin and Warlock ransomware have been seen using the bring your own vulnerable driver (BYOVD) method to disable security tools on compromised computers, as reported by Cisco Talos and Trend Micro.
Qilin attacks analyzed by Cisco Talos have been found to deploy a malicious DLL named “msimg32.dll,” which initiates a multi-stage infection chain to disable endpoint detection and response (EDR) solutions. The DLL, launched via DLL side-loading, is capable of terminating more than 300 EDR drivers from almost every security vendor in the market.
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
“The first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component,” Talos researchers Takahiro Takeda and Holger Unterbrink said. “This secondary payload is embedded within the loader in an encrypted form.”
The DLL loader uses many methods to avoid being found. It stops user-mode hooks, hides Event Tracing for Windows (ETW) logs, and works to hide control flow and API calls. Because of this, it lets the main EDR killer payload be decoded, loaded, and run completely in memory without being noticed.
Once launched, the malware makes use of two drivers:
*rwdrv.sys, a renamed version of “ThrottleStop.sys” that’s used to gain access to the system’s physical memory and act as a kernel-mode hardware access layer.
*hlpdrv.sys, to terminate processes associated with over 300 different EDR drivers belonging to various security solutions.
Both drivers have been used in BYOVD attacks along with Akira and Makop ransomware hacks.
“Prior to loading the second driver, the EDR killer component unregisters monitoring callbacks established by the EDR, ensuring that process termination can proceed without interference,” Talos said. “It demonstrates the sophisticated tricks the malware is employing to circumvent or completely disable modern EDR protection features on compromised systems.”
Based on data from CYFIRMA and Cynet, Qilin has become the most active ransomware group lately, affecting hundreds of people. This group is responsible for 22 out of 134 ransomware cases reported in Japan in 2025, which is 16.4% of all attacks.
“Qilin primarily relies on stolen credentials to gain initial access,” Talos said. “After successfully breaching a target environment, the group places considerable emphasis on post-compromise activities, allowing it to methodically expand its control and maximize impact.”
The cybersecurity company said that ransomware attacks happened about six days after the first breach. This shows that businesses need to find bad activity as soon as they can and stop ransomware from being used.
The news is that the Warlock (also known as Water Manaul) ransomware group is still taking advantage of Microsoft SharePoint servers that have not been fixed. They are also improving their tools to stay hidden and move around. They now use TightVNC for constant control and a real but weak NSec driver (“NSecKrnl.sys”) in a BYOVD attack to stop security programs at the core level. This replaces the “googleApiUtil64.sys” driver used before.
Also observed during the course of the Warlock attack in January 2026 were the following tools:
*PsExec, for lateral movement.
*RDP Patcher, for facilitating concurrent RDP sessions.
*Velociraptor, for command-and-control (C2).
*Visual Studio Code and Cloudflare Tunnel, for tunneling C2 communications.
*Yuze, for intranet penetration and establishing a reverse proxy connection to the attacker’s C2 server across HTTP (port 80), HTTPS (port 443), and DNS (port 53).
*Rclone, for data exfiltration.
To counter BYOVD threats, it is best to only use signed drivers from trusted companies. Keep an eye on driver installs and have a strict plan for updating security software, especially those parts with drivers that might be attacked.
“Warlock’s reliance on vulnerable drivers to disable security controls requires a multilayered defense focused on kernel integrity,” Trend Micro said. “Thus, organizations must upgrade from basic endpoint protection to enforcing strict driver governance and real-time monitoring of kernel-level activities.”
