Cisco Talos and Trend Micro have found evidence that attackers are using the "bring your own vulnerable driver" (BYOVD) technique to turn off security tools on compromised hosts ahead of ransomware deployment. Qilin attacks use a malicious DLL named "msimg32.dll" to start a multi-stage infection chain that stops endpoint detection and response (EDR) solutions from working.
The DLL, which is launched through DLL side-loading, can kill more than 300 EDR drivers from different security vendors. To protect against BYOVD threats, Trend Micro recommends allowing only signed drivers from publishers you trust, monitoring driver installation events, and keeping to a strict patch management schedule for security software.
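One way to act on the "monitor driver installation events" advice, as an added example that is not part of the original article or of Trend Micro's tooling: it triages Sysmon Event ID 6 (driver loaded) records against a publisher allowlist, the signature status, and the load path. The publisher allowlist, the expected driver directories and the sample events are assumptions constructed for the example.

```python
"""Triage constructed Sysmon Event ID 6 (driver loaded) records for BYOVD indicators."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical publisher allowlist for this environment; tune it to your fleet.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
# Directories where legitimately installed kernel drivers are expected to live (lowercase).
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


@dataclass
class Finding:
    image: str
    reasons: list


def triage_driver_load(event: dict) -> Optional[Finding]:
    """Return a Finding if this driver-load event matches a BYOVD heuristic, else None."""
    reasons = []
    image = event.get("ImageLoaded", "")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("driver is unsigned")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status is {event.get('SignatureStatus')!r}")
    if event.get("Signature") not in TRUSTED_SIGNERS:
        reasons.append(f"signer {event.get('Signature')!r} not in allowlist")
    if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside the driver directories")
    return Finding(image, reasons) if reasons else None


def triage_all(events) -> list:
    """Run the triage over a batch of events and keep only the hits."""
    return [f for f in map(triage_driver_load, events) if f]


# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 6.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\Temp\\kd.sys", "Signed": "true",
     "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\old.sys", "Signed": "true",
     "Signature": "Some Revoked Corp", "SignatureStatus": "Revoked"},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f.image, "->", "; ".join(f.reasons))
```

A valid signature on its own is not a clean bill of health, since BYOVD abuses drivers that are legitimately signed; that is why the publisher allowlist and the load-path check carry most of the weight here.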
The cybersecurity company also said that the ransomware is usually executed about six days after the initial compromise, which underlines how important it is for organisations to detect malicious activity early, before the ransomware is deployed. The group is linked to 22 of the 134 ransomware attacks reported in Japan in 2025, about 16.4% of all attacks.
The following tools were observed during the Warlock attack in January 2026: PsExec for lateral movement; RDP Patcher to allow multiple concurrent RDP sessions; Velociraptor for command and control (C2); Visual Studio Code and Cloudflare Tunnel for tunneling C2 communications; Yuze for intranet penetration and for setting up a reverse proxy connection to the attacker's C2 server over HTTP (port 80), HTTPS (port 443) and DNS (port 53); and Rclone for data exfiltration.