Cisco Talos Intelligence: Qilin Ransomware Uses Malicious DLL to Disable Nearly All EDR Solutions

Qilin Ransomware Group Deploys EDR-Blinding Attack Chain

The Qilin ransomware group has introduced a highly advanced, multi-stage infection chain capable of disabling over 300 endpoint detection and response (EDR) solutions before executing its ransomware payload. Discovered by Cisco Talos Intelligence, the attack leverages a malicious DLL file to execute entirely in memory, minimizing forensic traces and evading traditional antivirus defenses.

The attack begins with DLL side-loading, where a legitimate Windows application loads a rogue msimg32.dll instead of the authentic system library. The malicious DLL maintains normal system activity by forwarding legitimate requests to the real library while triggering its hidden payload during initialization. The malware then suppresses security event logging, neutralizes user-mode hooks, and uses structured and vectored exception handling to obscure execution from behavioral scanners. A syscall-scanning technique further bypasses EDR monitoring.

Before deploying its final payload, the malware checks the system’s language settings and deliberately crashes if post-Soviet language packs are detected, a tactic likely used by Russian-affiliated operators to avoid domestic law enforcement scrutiny. The payload is decrypted and mapped directly into memory using shared memory views, ensuring it never touches the hard drive in an unencrypted state.

Once active, the malware escalates privileges and loads two kernel-level drivers: rwdrv.sys (a renamed legitimate driver) and hlpdrv.sys (a custom malicious driver). These drivers grant direct memory access and terminate protected EDR processes, respectively. By abusing a signed driver, the malware bypasses Windows Driver Signature Enforcement and systematically unregisters over 300 EDR monitoring callbacks, effectively blinding security tools at the kernel level.

To conceal its activity, the malware temporarily disables Windows Code Integrity enforcement, allowing unrestricted kernel modifications before restoring integrity checks to reduce forensic evidence. The attack marks a significant evolution in ransomware tactics, shifting from evasion to the active dismantling of security defenses before payload execution.
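The side-loading and driver-loading stages described above give a defender two host-level indicators to hunt for in image-load telemetry: a Windows system DLL such as msimg32.dll being loaded from outside the system directories, and driver loads whose file names match those named in the report. The following Python script is an added example, not code from Cisco Talos, the Qilin report or the Rankiteo page. The `key=value|key=value` record format and every log line are constructed here, loosely modelled on Sysmon ImageLoad (Event ID 7) and DriverLoad (Event ID 6) events, and the DLL and driver name lists are assumptions seeded only with the names that appear in the text above.

```python
import ntpath
from dataclasses import dataclass

# Directories from which the OS's own DLLs are expected to load (lower-case, normalised).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# System DLL names worth watching for side-loading. Assumption: seeded only with the
# DLL named in the report; a real deployment would extend this list.
SIDELOAD_DLLS = {"msimg32.dll"}

# Driver file names from the report (rwdrv.sys is a renamed legitimate driver,
# hlpdrv.sys a custom one), used here purely as hunting indicators.
REPORTED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}


@dataclass
class Finding:
    event_id: int   # 7 = image load, 6 = driver load (Sysmon numbering)
    severity: str   # "high" or "medium"
    reason: str
    image: str      # the loading process (event 7) or the driver path (event 6)


def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _normalise(path: str) -> str:
    # ntpath.normpath collapses '.' and '..', so a path dressed up as
    # C:\Windows\System32\..\Temp\x.dll is judged by where it really points.
    return ntpath.normpath(path).lower()


def in_system_dir(path: str) -> bool:
    """True if the normalised path lies under one of the trusted system directories."""
    p = _normalise(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def analyse(lines) -> list:
    """Return a Finding for every record that matches an indicator."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if "EventID" not in rec:
            continue
        loaded = rec.get("ImageLoaded", "")
        name = ntpath.basename(loaded).lower()
        event_id = int(rec["EventID"])
        if event_id == 7 and name in SIDELOAD_DLLS and not in_system_dir(loaded):
            findings.append(Finding(7, "high",
                f"{name} loaded from outside the system directories (possible side-loading)",
                rec.get("Image", "")))
        elif event_id == 6:
            if name in REPORTED_DRIVERS:
                findings.append(Finding(6, "high",
                    f"driver {name} matches a file name from the Qilin report", loaded))
            elif not in_system_dir(loaded):
                # Third-party drivers legitimately live elsewhere, so this is only a review hint.
                findings.append(Finding(6, "medium",
                    "driver loaded from outside the system directories", loaded))
    return findings


# Constructed sample telemetry; process names and paths are invented for the example.
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\msimg32.dll",
    r"EventID=7|Image=C:\Users\Public\updater.exe|ImageLoaded=C:\Users\Public\msimg32.dll",
    r"EventID=7|Image=C:\Users\Public\updater.exe|ImageLoaded=C:\Windows\System32\..\Temp\msimg32.dll",
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\rwdrv.sys",
    r"EventID=6|ImageLoaded=C:\ProgramData\hlpdrv.sys",
    r"EventID=6|ImageLoaded=C:\ProgramData\vendor.sys",
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\ndis.sys",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.severity}] event {f.event_id}: {f.reason} <{f.image}>")
```

Run against the constructed sample it reports two side-loading hits (the plain user-directory load and the `..`-disguised one, which only the path normalisation catches), two driver loads matching the report's file names, and one medium-severity hint for an unrelated driver outside the system tree. Matching on file names alone is deliberately weak for a renamed legitimate driver, so in practice the driver check should be paired with signer and hash information from the same telemetry.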

Source: https://cyberpress.org/qilin-ransomware-4/

Cisco Talos cybersecurity rating report: https://www.rankiteo.com/company/cisco-talos-intelligence-group

{
"id": "CIS1775204907",
"linkid": "cisco-talos-intelligence-group",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'attack_vector': 'DLL side-loading',
 'data_breach': {'data_encryption': 'Ransomware payload encrypted in memory'},
 'description': 'The Qilin ransomware group has introduced a highly advanced, '
                'multi-stage infection chain capable of disabling over 300 '
                'endpoint detection and response (EDR) solutions before '
                'executing its ransomware payload. The attack leverages a '
                'malicious DLL file to execute entirely in memory, minimizing '
                'forensic traces and evading traditional antivirus defenses. '
                'The malware suppresses security event logging, neutralizes '
                'user-mode hooks, and uses structured and vectored exception '
                'handling to obscure execution from behavioral scanners. It '
                'also checks the system’s language settings to avoid detection '
                'in post-Soviet regions. The payload is decrypted and mapped '
                'directly into memory, ensuring it never touches the hard '
                'drive in an unencrypted state. The malware escalates '
                'privileges and loads kernel-level drivers to terminate EDR '
                'processes and unregister over 300 EDR monitoring callbacks.',
 'impact': {'operational_impact': 'Disabling of over 300 EDR solutions, '
                                  'potential system compromise'},
 'initial_access_broker': {'entry_point': 'DLL side-loading (msimg32.dll)'},
 'motivation': 'Financial gain (ransomware)',
 'post_incident_analysis': {'root_causes': 'Abuse of legitimate drivers, '
                                           'kernel-level privilege escalation, '
                                           'EDR callback unregistration'},
 'ransomware': {'data_encryption': True, 'ransomware_strain': 'Qilin'},
 'references': [{'source': 'Cisco Talos Intelligence'}],
 'response': {'third_party_assistance': 'Cisco Talos Intelligence'},
 'threat_actor': 'Qilin ransomware group',
 'title': 'Qilin Ransomware Group Deploys EDR-Blinding Attack Chain',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Windows Driver Signature Enforcement bypass via '
                            'signed driver abuse'}