thehackernews.com, 4/6/2026, 10:27:17 AM

Qilin and Warlock ransomware abuse drivers to disable defences

Threat actor: Qilin

Qilin and Warlock ransomware operators have been observed using the bring-your-own-vulnerable-driver (BYOVD) technique to silence security tools on compromised hosts, according to Cisco Talos and Trend Micro. Qilin attacks deploy a malicious DLL named msimg32[.]dll that initiates a multi-stage infection chain to disable endpoint detection and response (EDR) solutions; the DLL loader decrypts the main EDR-killer payload and loads it in memory.

The malware uses two drivers: rwdrv[.]sys (a renamed ThrottleStop[.]sys), which provides access to physical memory, and hlpdrv[.]sys, which terminates processes associated with more than 300 EDR drivers from various security vendors. Warlock has also been linked to BYOVD attacks, including the use of a vulnerable NSec driver (NSecKrnl[.]sys) and tools such as TightVNC for persistence, alongside other utilities used for kernel-level termination of security products.
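The practical defensive counterpart to the technique above is to watch driver loads and compare them against a blocklist of known-vulnerable drivers and an allowlist of approved ones. The following script is an added example written for this summary; it is not code from the article or from Cisco Talos or Trend Micro. It parses Sysmon Event ID 6 (DriverLoad) records rendered as one-line key=value text and flags a load when the file name matches one of the driver names quoted in the article, when the SHA-256 matches a blocklist entry (the hashes here are placeholders, not the real published values), or when the driver is not on the organisation's allowlist. All log lines and hashes are constructed.

```python
"""BYOVD driver-load triage over Sysmon Event ID 6 records (illustrative, not the article's code).

Assumptions (all constructed for the example):
  - events arrive as one line of key=value pairs, values optionally quoted;
  - the hash blocklist and allowlist are placeholder SHA-256 strings and must be
    replaced with values from a real source such as Microsoft's recommended driver
    block rules before use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Driver file names quoted in the article summary above.
SUSPECT_NAMES = {"rwdrv.sys", "hlpdrv.sys", "nseckrnl.sys", "throttlestop.sys"}

# Placeholder blocklist: key = SHA-256, value = label. NOT real hashes.
VULN_DRIVER_HASHES = {
    "aaaa" * 16: "ThrottleStop.sys (placeholder hash)",
    "bbbb" * 16: "NSecKrnl.sys (placeholder hash)",
}

# Driver-governance allowlist of approved driver hashes (placeholder).
APPROVED_HASHES = {"cccc" * 16}


@dataclass
class Finding:
    driver: str
    sha256: str
    reasons: list = field(default_factory=list)


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn 'Key=value Key2="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def sha256_of(hashes_field: str) -> str:
    """Sysmon 'Hashes' looks like 'SHA256=...,IMPHASH=...'; return the SHA256 lowercased."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def assess_driver_load(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious DriverLoad event, else None."""
    if event.get("EventID") != "6":
        return None  # only DriverLoad events are relevant here
    image = event.get("ImageLoaded", "")
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    sha = sha256_of(event.get("Hashes", ""))
    reasons = []
    if name in SUSPECT_NAMES:
        reasons.append(f"file name {name} matches a driver named in BYOVD reporting")
    if sha in VULN_DRIVER_HASHES:
        # Hash matching catches renamed copies (e.g. ThrottleStop.sys shipped as rwdrv.sys).
        reasons.append(f"hash matches blocklisted driver {VULN_DRIVER_HASHES[sha]}")
    if sha and sha not in APPROVED_HASHES:
        reasons.append("driver is not on the approved-driver allowlist")
    status = event.get("SignatureStatus", "").lower()
    if status not in ("valid", ""):
        reasons.append(f"signature status is {status}")
    return Finding(name, sha, reasons) if reasons else None


def scan(lines) -> list:
    """Run assess_driver_load over every line and collect the findings."""
    findings = []
    for line in lines:
        finding = assess_driver_load(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one approved vendor driver, a renamed vulnerable
# driver, an unknown driver with a suspicious name, and an unrelated event.
SAMPLE_LOG = [
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\edrvendor.sys" '
    'Hashes=SHA256=' + "cccc" * 16 + ' SignatureStatus=Valid',
    'EventID=6 ImageLoaded="C:\\Users\\Public\\rwdrv.sys" '
    'Hashes=SHA256=' + "aaaa" * 16 + ' SignatureStatus=Valid',
    'EventID=6 ImageLoaded="C:\\Windows\\Temp\\hlpdrv.sys" '
    'Hashes=SHA256=' + "dddd" * 16 + ' SignatureStatus=Valid',
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" Hashes=SHA256=' + "eeee" * 16,
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.driver} ({f.sha256[:12]}...): " + "; ".join(f.reasons))
```

The allowlist check is the "driver governance" piece: a validly signed driver that nobody approved is still worth an alert, because BYOVD relies on drivers whose signatures are legitimate. The hash check is what survives a rename, so keep it even when a name-based rule already fires.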

The disclosure notes that Qilin has emerged as highly active, with CYFIRMA and Cynet statistics linking the group to a notable share of ransomware incidents in Japan in 2025, underscoring the need for robust driver governance and real-time kernel monitoring.


Article by CyberSIXT