Back to threat alerts

Qilin Ransomware Group

The Qilin ransomware group has recently emerged as one of the most active ransomware operations, executing highly sophisticated campaigns that leverage the "Bring Your Own Vulnerable Driver" (BYOVD) technique. This method is used to systematically disable or bypass endpoint detection and response (EDR) solutions. By side-loading a malicious dynamic-link library (DLL) named msimg32.dll, Qilin initiates a complex, multi-stage infection chain capable of blinding and terminating over 300 different EDR drivers from nearly every security vendor on the market. The group typically gains initial access via stolen credentials and operates methodically, deploying the ransomware payload an average of six days after the initial compromise to maximise impact.

Threat alert
April 8, 2026

Qilin’s attack sequence begins when a legitimate application is manipulated into side-loading a malicious version of msimg32.dll. This DLL functions as a sophisticated PE loader that unpacks an encrypted EDR killer payload entirely within the system's memory. To successfully evade detection during this process, the loader neutralises user-mode hooks, suppresses Event Tracing for Windows (ETW) event logs, and obscures its control flow using structured and vectored exception handling (SEH/VEH). It also utilises a syscall recovery technique to bypass hooked system calls without altering the actual hooked code.

Notably, the loader incorporates a geofencing check early in its execution; if it detects a system locale matching a list of post-Soviet countries, it deliberately crashes itself to avoid infecting those regions.

Once the EDR killer payload (Stage 4) is decrypted and active, it elevates privileges and loads two critical helper drivers to neutralise the host's defences:

  1. rwdrv.sys: A renamed, legitimately signed version of the ThrottleStop.sys driver. It acts as a kernel-mode hardware access layer, abusing IOCTL handlers to gain direct read and write access to the system's physical memory.
  1. hlpdrv.sys: A driver explicitly used to terminate the processes of over 300 targeted EDR products. Before executing this driver, the malware unregisters the monitoring callbacks established by the local EDR solution, allowing the termination to proceed without interference.
Mitigations:

To defend against Qilin's advanced evasion techniques and initial access methods, organisations should implement the following mitigations:

  • Block Known Vulnerable Drivers: Utilise industry-standard vulnerable driver blocklists and update your organisation's application control policies to strictly prevent the loading of explicitly known vulnerable drivers, such as the abused ThrottleStop.sys variants, across whatever endpoint security platform you have deployed.
  • Kernel-Level Integrity Checks: Enforce strict driver governance and real-time monitoring of kernel-level activities, ensuring that only signed, explicitly trusted drivers from verified publishers are permitted to install.
  • Monitor Driver Installations: Implement rules to monitor and alert on anomalous driver installation events or the unexpected loading of .sys files, particularly when executed from temporary or unconventional directories.
Recommendations:
  • Adopt a Multi-Layered Defence: As determined adversaries can increasingly bypass single-point EDR solutions, a defence-in-depth approach is vital. Organisations must not rely solely on one cybersecurity product to detect malicious behaviour.
  • Enforce Strict Credential Hygiene: Because Qilin primarily breaches target environments using stolen credentials, enforce Multi-Factor Authentication (MFA) across all external-facing services, VPNs, and remote access portals.
  • Reduce Dwell Time: Qilin typically spends roughly six days expanding control before executing the ransomware payload. Security teams should focus on identifying early indicators of compromise, such as lateral movement, anomalous process termination, or ETW suppression, to disrupt the attack before encryption occurs.
  • Maintain Rigorous Patch Management: Ensure all security software and operating systems are consistently up to date, with a particular focus on patching or restricting driver-based components that adversaries might exploit for BYOVD attacks.