
How was the defense system disabled? Inside the campaign of Qilin & Warlock


Summary of the campaign

Two notorious Ransomware-as-a-Service (RaaS) groups, Qilin and Warlock (also known as Water Manual), are independently deploying the "Bring Your Own Vulnerable Driver" (BYOVD) technique at the kernel level. Their goal is to proactively "kill" Endpoint Detection and Response (EDR) processes before releasing the encryption payload. Research confirms these toolkits can disable over 300 EDR drivers from nearly all major security vendors on the market today. The scale of the Qilin campaign is visible in the data: in 2025, ransomware incidents in Japan increased by 17.5%, with Qilin accounting for the largest share at 16.4% of total infections, heavily targeting the manufacturing and automotive sectors. The weaponization of BYOVD, once the preserve of nation-state APT groups, has now been commercialized by financially motivated criminal groups.

The most urgent action for every organization: immediately enable Hypervisor-protected Code Integrity (HVCI, "Memory Integrity") and promptly update the Microsoft Vulnerable Driver Blocklist on all Windows systems.

Hacker Group Profile

Behind this large-scale BYOVD campaign are two independent underground groups with formidable capabilities:

  • Qilin Group: A RaaS (Ransomware-as-a-Service) gang suspected to be based in the post-Soviet region. The clearest evidence is its EDR Killer module, which includes geo-fencing that prevents the malware from activating on systems using languages from that region, helping the group avoid local sanctions. Qilin is currently the most prolific ransomware operator, with a sharp rise in victims, and it accounted for the largest share of attacks in Japan in the first half of 2025.

  • Warlock Group (also known as Water Manual): A RaaS gang operating a ransomware variant derived from LockBit (its encryption payload appends the .x2anylock extension). Warlock's distinctive behavior is to exploit administrators' delays in patching Microsoft SharePoint servers, then patiently "lie in wait" for up to 15 days to fully map the Domain Controller configuration before launching widespread encryption via GPO.

Preliminary Timeline

Pre-launch: Qilin obtains stolen credentials from darknet markets or Breach Forums. Warlock exploits unpatched, publicly exposed Microsoft SharePoint servers.

Dwell Time: From the start of infiltration to encryption deployment, Qilin takes an average of about 6 days. Meanwhile, the Warlock group is willing to lie in wait for up to 15 days to extract data and set up GPO scenarios before attacking.

Execution: Load the BYOVD driver to disable EDR, encrypt, and run a double-extortion scheme.

Kill Chain & Attack Flow

Stage 1: Initial Access

  • Qilin: Gains access through vulnerabilities in internet-facing services, phishing, or credentials purchased on the dark web.

  • Warlock: Exploits unpatched vulnerabilities in Microsoft SharePoint services.

Stage 2: Execution & Persistence

  • Qilin: Uses the legitimate FoxitPDFReader.exe to side-load a malicious DLL, msimg32.dll.

  • Warlock: Deploys a web shell to open a C2 channel and uses the TightVNC tool, disguised as a default Windows service, to maintain persistence in the network.

Stage 3: Defense Evasion & Credential Access

  • Qilin: Disrupts Event Tracing for Windows (ETW) monitoring, applies the Halo's Gate technique to bypass user-mode syscall hooks, then drops the kernel driver hlpdrv.sys to disable EDR.

  • Warlock: Loads NSecKrnl.sys to run covertly in the kernel and freeze EDR, then deploys Rclone disguised as a security tool (TrendSecurity.exe) to exfiltrate data through a backdoor.

Stage 4: Impact (Ransomware Execution)

Qilin's payload encrypts files using standard, openly specified algorithms. In contrast, Warlock configures widespread encryption through Active Directory GPO, deploying payloads to the SYSVOL/NETLOGON folders and forcing victim machines to execute them on reboot. Locked files carry the extension .x2anylock.

Detailed technical analysis

The core change in these new campaigns is the Kernel-level EDR Killer sequence.

Qilin's in-memory bypass mechanism: Unlike crude process-killing methods (easily detected), Qilin uses a highly complex DLL loading chain built around msimg32.dll. The most dangerous aspect is that the entire sequence executes in memory to evade disk-based scanners, proceeding in four stages:

Stage 1 — DLL Search Order Hijacking: The attacker drops a fake msimg32.dll in the same directory as a legitimate PDF reader (e.g., FoxitPDFReader.exe). When an administrator or the system runs the PDF software, Windows loads the fake DLL instead of the original system file. To avoid the suspicion a crash would raise, the malicious DLL silently proxies all legitimate exports to the genuine msimg32.dll in C:\Windows\System32\.

Stage 2 — Decryption and Evasion in RAM (Multi-Stage In-Memory Loader): Next, the malware unpacks itself through three consecutive stages in memory, without touching the disk. To counter advanced defenses it layers several evasions: suppressing Windows' default telemetry (ETW suppression) to block signals, using the "Halo's Gate" method to bypass operating-system syscall hooks, and obfuscating its control flow (through SEH/VEH tricks) to frustrate memory forensics and reverse engineering.

Stage 3 — Deploying the EDR Killer (BYOVD Deployment): Only once these evasions are in place does the in-memory payload quietly drop exactly two driver files into the %TEMP% directory. The first, rwdrv.sys, is a wrapper for the ThrottleStop.sys driver (signed by a trusted third party but with severe privilege-management flaws), which lets a user-mode application read and write the CPU's low-level configuration directly. The second, hlpdrv.sys, "borrows" the elevated privileges obtained through the first to issue termination commands directly against the self-protected processes of security products.

Stage 4 — Silent EDR "Massacre": Qilin does not kill EDR overtly. Before pulling the plug, the malicious driver quietly removes the "security cameras" (the EDR's kernel monitoring callbacks) that security software has registered in the OS core. The EDR process goes blind from within and shuts down, unable to send any shutdown alert to the central SOC. Once the protective shield has vanished completely, the ransomware begins encrypting files.

Warlock's BYOVD mechanism: On another front, instead of the older googleApiUtil64.sys driver used earlier this year, Warlock has switched to the upgraded NSecKrnl.sys. To deceive EDR, the malicious file is simply renamed "TrendFileSecurityCheck.exe", impersonating a legitimate Trend Micro scanning process so that monitoring tools are more likely to overlook the tampered data flow.

IOCs

Malicious files (SHA-256)

7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497

16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0

bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56

Network Indicators (C2)

198[.]13[.]158[.]193

MITRE ATT&CK Mapping

  • TA0001 - Initial Access: T1190 (Exploit Public-Facing Application) - Targeting SharePoint.

  • TA0002 - Execution: T1569.002 (Service Execution) - Launching Windows services.

  • TA0003 - Persistence: T1543.003 (Windows Service) - TightVNC installed via PsExec.

  • TA0005 - Defense Evasion: T1574.002 (DLL Side-Loading), T1068 (Exploitation for Privilege Escalation - BYOVD), T1562.001 (Disable or Modify Tools - Disabling the EDR driver).

  • TA0011 - Command and Control: T1090.003 (Multi-hop Proxy) - Using SOCKS5 Yuze, VS Code tunnel, Cloudflare Tunnel.

Expert opinion

These attacks shatter the false belief that having an expensive EDR product is enough to protect an endpoint. By exploiting a benign driver (such as ThrottleStop) with a design flaw in its memory-access permissions (the opening for BYOVD), current RaaS malware can instantly shut down an entire EDR pipeline without the SOC receiving a single incident log. The dwell time of 6 to 15 days in this campaign highlights a significant gap in "pre-ransomware detection". If the SOC team cannot spot unusual behavior, such as repeated net user /add commands running in the early morning, the RaaS group will treat the privileges it has gained as a free testing ground for its DLL injection chain. In short, RaaS has elevated the technical capability of a ransomware attack to the level of nation-state intrusions.

Recommendation

Immediate (0-24 hours)

  • Immediately enable Hypervisor-Protected Code Integrity (HVCI, "Memory Integrity") on all Windows endpoints (Windows Security > Device Security > Core Isolation). HVCI is the most important barrier against loading drivers such as rwdrv.sys or NSecKrnl.sys.

  • Deploy Windows Defender Application Control (WDAC) and import the Microsoft Vulnerable Driver Blocklist.
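The following script is an added example, not code from the advisory or from FPT IS. It checks the two "Immediate" controls above (HVCI running, Microsoft Vulnerable Driver Blocklist enabled) and lists any loaded kernel driver whose file name matches one named in this report or that sits in a user-writable path. The `Win32_DeviceGuard` class and `Win32_SystemDriver` class are standard Windows CIM classes; the registry value `VulnerableDriverBlocklistEnable` is assumed to be where current builds persist the Core Isolation blocklist toggle, so confirm it on your image. Run it in an elevated PowerShell session.

```powershell
# Added example (not the advisory's own code): audit BYOVD hardening on one endpoint.
# Run elevated. Driver names below are taken from the report body; everything else is generic.

$SuspectDriverNames = @('rwdrv.sys', 'hlpdrv.sys', 'NSecKrnl.sys', 'ThrottleStop.sys', 'googleApiUtil64.sys')

function Get-HvciStatus {
    # Win32_DeviceGuard exposes VBS/HVCI state; the value 2 in SecurityServicesRunning means HVCI is active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [PSCustomObject]@{
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus   # 0 = off, 1 = enabled but not running, 2 = running
        HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-DriverBlocklistStatus {
    # Assumed location of the Core Isolation "Microsoft Vulnerable Driver Blocklist" toggle
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    [bool](($null -ne $val) -and ($val.VulnerableDriverBlocklistEnable -eq 1))
}

function Get-SuspectLoadedDrivers {
    # Win32_SystemDriver lists kernel-mode drivers; PathName may carry a "\??\" prefix
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        $path    = $d.PathName -replace '^\\\?\?\\', ''
        $file    = [System.IO.Path]::GetFileName($path)
        $nameHit = $SuspectDriverNames -contains $file
        $pathHit = $path -match '\\(Temp|AppData|Users\\Public|ProgramData)\\'
        if ($nameHit -or $pathHit) {
            [PSCustomObject]@{
                Driver = $d.Name
                Path   = $path
                Reason = $(if ($nameHit) { 'name listed in report' } else { 'loaded from user-writable path' })
            }
        }
    }
}

function Test-ByovdHardening {
    $hvci      = Get-HvciStatus
    $blocklist = Get-DriverBlocklistStatus
    $suspects  = @(Get-SuspectLoadedDrivers)
    $findings  = @()
    if (-not $hvci.HvciRunning) { $findings += 'HVCI (Memory Integrity) is not running' }
    if (-not $blocklist)        { $findings += 'Microsoft Vulnerable Driver Blocklist is not enabled' }
    foreach ($s in $suspects)   { $findings += "Suspect loaded driver: $($s.Driver) at $($s.Path) ($($s.Reason))" }
    [PSCustomObject]@{
        VbsStatus        = $hvci.VbsStatus
        HvciRunning      = $hvci.HvciRunning
        BlocklistEnabled = $blocklist
        Findings         = $findings
    }
}

Test-ByovdHardening | Format-List
```

An empty `Findings` list means both controls are on and no loaded driver matches the report's names or a user-writable path; anything else is a ticket for the team that owns the endpoint baseline. Note that on a host already compromised this way the EDR itself may be blind, so run the check from a trusted management channel rather than relying on agent telemetry.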

Short-term (1-7 days)

  • Create internal alert rules (EDR/SIEM/Sysmon): flag any process loading msimg32.dll from a path outside C:\Windows\System32. Side-loading often occurs through FoxitPDFReader.exe or 7-Zip.

  • Activate alert rules for new service installations (Event ID 7045) and driver load failures (Event ID 219) involving paths under %TEMP% or SYSVOL. In particular, configure Sysmon to log Event ID 6 (DriverLoad).
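As an added example (not the advisory's code), the short-term rules above, plus the off-hours account-creation signal from the Expert opinion section, implemented as a small PowerShell rule set. It runs over a constructed `$SampleEvents` array (made up for this demo, including the Foxit side-load and the rwdrv.sys-in-%TEMP% cases from the report) so it works offline; in production, build the same objects from `Get-WinEvent` output for the Sysmon/Operational, System and Security logs. Field names follow the Sysmon (ImageLoaded, Signed, Image) and Windows (ImagePath, ServiceName, TargetUserName) event schemas.

```powershell
# Added example (not the advisory's own code): detection rules for the signals above,
# evaluated over constructed sample events.

$WindowsSystemDirs    = @('C:\Windows\System32\*', 'C:\Windows\SysWOW64\*')
$UserWritablePatterns = @('*\Temp\*', '*\AppData\*', '*\Users\Public\*', '*\ProgramData\*', '*\SYSVOL\*', '*\NETLOGON\*')

function Test-AnyLike {
    param([string]$Value, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Value -like $p) { return $true } }
    return $false
}

function Test-SideLoadedMsimg32 {
    # Sysmon Event ID 7 (ImageLoad): msimg32.dll is only legitimate from System32 / SysWOW64
    param([string]$ImageLoaded)
    if ([System.IO.Path]::GetFileName($ImageLoaded) -ne 'msimg32.dll') { return $false }
    return -not (Test-AnyLike $ImageLoaded $WindowsSystemDirs)
}

function Test-SuspiciousDriverLoad {
    # Sysmon Event ID 6 (DriverLoad): a kernel driver from a user-writable path, or unsigned, is abnormal
    param([string]$ImageLoaded, [string]$Signed)
    return (Test-AnyLike $ImageLoaded $UserWritablePatterns) -or ($Signed -ne 'true')
}

function Test-SuspiciousServiceInstall {
    # System Event ID 7045 (new service): binary in a user-writable path or outside Windows / Program Files
    param([string]$ImagePath)
    $exe = ($ImagePath.Trim('"') -split '"')[0]     # strip quoting and trailing arguments
    return (Test-AnyLike $exe $UserWritablePatterns) -or -not (Test-AnyLike $exe @('C:\Windows\*', 'C:\Program Files*'))
}

function Test-OffHoursAccountCreation {
    # Security Event ID 4720 (account created): the "net user /add in the early morning" pattern
    param([datetime]$TimeCreated)
    return ($TimeCreated.Hour -lt 6)
}

function Invoke-ByovdRules {
    param([object[]]$Events)
    $alerts = @()
    foreach ($e in $Events) {
        switch ("$($e.Source):$($e.Id)") {
            'Sysmon:7'      { if (Test-SideLoadedMsimg32 $e.ImageLoaded) { $alerts += "DLL side-load: $($e.Image) loaded $($e.ImageLoaded)" } }
            'Sysmon:6'      { if (Test-SuspiciousDriverLoad $e.ImageLoaded $e.Signed) { $alerts += "Suspicious driver load: $($e.ImageLoaded) (Signed=$($e.Signed))" } }
            'System:7045'   { if (Test-SuspiciousServiceInstall $e.ImagePath) { $alerts += "New service from non-standard path: $($e.ServiceName) -> $($e.ImagePath)" } }
            'Security:4720' { if (Test-OffHoursAccountCreation $e.TimeCreated) { $alerts += "Off-hours account creation: $($e.TargetUserName) at $($e.TimeCreated)" } }
        }
    }
    return $alerts
}

# Constructed sample telemetry for the demo (not real logs from any incident)
$SampleEvents = @(
    [PSCustomObject]@{ Source='Sysmon';   Id=7;    Image='C:\Program Files\Foxit Software\FoxitPDFReader.exe'; ImageLoaded='C:\Windows\System32\msimg32.dll' },
    [PSCustomObject]@{ Source='Sysmon';   Id=7;    Image='C:\Users\victim\Downloads\FoxitPDFReader.exe';        ImageLoaded='C:\Users\victim\Downloads\msimg32.dll' },
    [PSCustomObject]@{ Source='Sysmon';   Id=6;    ImageLoaded='C:\Windows\System32\drivers\tcpip.sys';          Signed='true' },
    [PSCustomObject]@{ Source='Sysmon';   Id=6;    ImageLoaded='C:\Users\victim\AppData\Local\Temp\rwdrv.sys';   Signed='true' },
    [PSCustomObject]@{ Source='System';   Id=7045; ServiceName='WinRemoteSvc'; ImagePath='"C:\Users\Public\tvnserver.exe" -service' },
    [PSCustomObject]@{ Source='Security'; Id=4720; TargetUserName='backup_adm'; TimeCreated=[datetime]'2025-06-10T03:12:00' }
)

Invoke-ByovdRules -Events $SampleEvents
```

Of the six constructed events, the first (msimg32.dll loaded from System32) and third (a signed driver from the drivers directory) are benign and produce nothing; the other four each yield one alert. The driver rule fires on the rwdrv.sys sample even though it is signed, because the report's point is that a validly signed third-party driver is exactly what BYOVD abuses, so path is the stronger signal than signature.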

Long-term

  • Strictly manage the Group Policy infrastructure. Warlock's AD ransomware scenario relies entirely on writing payloads into the SYSVOL directory so that the Domain Controller pushes the ransomware to every domain-joined client. Move to a tiered administration model to reduce the blast radius once an environment is compromised.

  • Ensure prompt patching of web applications, particularly on Microsoft SharePoint.
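As an added example of the SYSVOL control described under "Long-term" (not code from the advisory), the script below audits a SYSVOL share for recently written executable or script files and then cross-checks the GPO definition files (Group Policy Preferences scheduled tasks, startup/logon script lists) that reference them, which is the delivery path the report describes for Warlock's GPO-based encryption. `$SysvolPath` defaults to the current domain's SYSVOL share; point it at any local directory to try it.

```powershell
# Added example (not the advisory's own code): find fresh payloads in SYSVOL and the GPO
# definitions that would execute them.

function Get-RecentSysvolPayloads {
    param(
        [string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL",
        [int]$Days = 7
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    $exts   = '*.exe', '*.dll', '*.sys', '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.js', '*.msi'
    # -Include only takes effect in Get-ChildItem together with -Recurse (or a wildcard path)
    Get-ChildItem -Path $SysvolPath -Recurse -File -Include $exts -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            [PSCustomObject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Owner         = (Get-Acl -Path $_.FullName).Owner            # who wrote it into SYSVOL
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-GpoReferencesToFiles {
    # GPP scheduled tasks, startup/logon script lists and registry preferences live in the policy folders
    param([string]$SysvolPath, [string[]]$FileNames)
    $defs = Get-ChildItem -Path $SysvolPath -Recurse -File `
        -Include 'ScheduledTasks.xml', 'scripts.ini', 'psscripts.ini', 'Registry.xml' -ErrorAction SilentlyContinue
    foreach ($d in $defs) {
        $content = Get-Content -Path $d.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $content) { continue }
        foreach ($n in $FileNames) {
            if ($content -match [regex]::Escape($n)) {
                [PSCustomObject]@{ Definition = $d.FullName; References = $n }
            }
        }
    }
}

$sysvol   = "\\$env:USERDNSDOMAIN\SYSVOL"
$payloads = @(Get-RecentSysvolPayloads -SysvolPath $sysvol -Days 7)
$payloads | Format-Table -AutoSize
if ($payloads.Count -gt 0) {
    $names = $payloads | ForEach-Object { [System.IO.Path]::GetFileName($_.Path) } | Sort-Object -Unique
    Get-GpoReferencesToFiles -SysvolPath $sysvol -FileNames $names | Format-Table -AutoSize
}
```

A fresh executable in SYSVOL whose owner is not a known policy-management account, especially one referenced from a scheduled-task or startup-script definition, is the pre-encryption staging the report describes and should be treated as an active incident rather than a hygiene finding. The hashes reported can be compared against the IOC list above.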

References

Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools

An overview of ransomware threats in Japan in 2025 and early detection insights from Qilin cases

BYOVD Ransomware Attacks Now Capable of Defeating Every Major EDR Product

Qilin Ransomware Uses Malicious DLL to Disable Nearly All EDR Solutions

FPT IS Security
