Qilin Ransomware Deploys Advanced EDR-Killing Attack Chain
The Qilin ransomware group, also known as Agenda, Gold Feather, and Water Galura, has escalated its tactics with a sophisticated multi-stage infection chain designed to disable over 300 endpoint detection and response (EDR) drivers from major security vendors. As organizations increasingly rely on EDR solutions for behavioral monitoring, threat actors have adapted by targeting these defenses to evade detection before deploying ransomware.
Cisco Talos researchers uncovered the attack, which begins with DLL sideloading: a legitimate application such as FoxitPDFReader.exe loads a malicious msimg32.dll in place of the genuine Windows library. The rogue DLL mimics normal behavior by forwarding API calls to the real library while executing malicious logic from its DllMain function. An encrypted EDR killer payload is embedded within it and progresses through three loader stages entirely in memory to avoid disk-based detection.
The loader employs advanced anti-detection techniques, including:
- SEH/VEH-based control flow obfuscation to conceal API calls.
- ETW suppression to neutralize Windows event tracing.
- Halo’s Gate syscall bypass to evade EDR hooks by repurposing unhooked syscall stubs.
- Kernel object manipulation to redirect exception handling.
- Anti-debugging measures that crash the process if breakpoints are detected.
- Geo-fencing to avoid execution in post-Soviet countries, a tactic linked to Russian-affiliated ransomware.
Once the final payload (Stage 4) is delivered, the EDR killer deploys two kernel-level drivers:
- rwdrv.sys (a renamed ThrottleStop.sys), which enables physical memory manipulation via exposed IOCTLs.
- hlpdrv.sys, used to terminate protected EDR processes.
The malware then disables EDR visibility by unregistering kernel callbacks for process, thread, and image loading events. It also temporarily disables Code Integrity enforcement by overwriting the CiValidateImageHeader callback, reducing forensic traces.
Qilin, one of the most active ransomware-as-a-service (RaaS) operations, has claimed over 40 victims per month, demonstrating that targeting security defenses before ransomware deployment is now a standard tactic. While these techniques are not entirely new, their effectiveness underscores the need for multi-layered defenses to detect suspicious DLL sideloading, unexpected driver installations, and unauthorized physical memory writes.
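As an added illustration of the detection angle in the paragraph above (example code, not from Cisco Talos or the article), the following Python heuristics run over constructed Sysmon-style image-load (Event ID 7) and driver-load (Event ID 6) records, flagging msimg32.dll resolved from outside the Windows system directories and the rwdrv.sys/hlpdrv.sys drivers named in the report. The system-directory list, the event field subset and all sample records are assumptions made for the example.

```python
import ntpath
from typing import List, Optional

# Assumed default locations for Windows system DLLs and drivers.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL and driver names are those given in the report; rwdrv.sys is a renamed ThrottleStop.sys.
SIDELOAD_DLLS = {"msimg32.dll"}
DRIVER_WATCHLIST = {"rwdrv.sys", "hlpdrv.sys"}

def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def check_image_load(ev: dict) -> Optional[str]:
    """Sysmon Event ID 7: a system DLL name resolved from outside the system dirs."""
    loaded = ev["ImageLoaded"]
    if ntpath.basename(loaded).lower() in SIDELOAD_DLLS and not _in_system_dir(loaded):
        return f"sideload: {ev['Image']} loaded {loaded}"
    return None

def check_driver_load(ev: dict) -> Optional[str]:
    """Sysmon Event ID 6: watchlisted driver name, or a driver outside the system dirs."""
    loaded = ev["ImageLoaded"]
    if ntpath.basename(loaded).lower() in DRIVER_WATCHLIST:
        return f"driver watchlist: {loaded}"
    if not _in_system_dir(loaded):
        return f"driver outside system dirs: {loaded}"
    return None

def scan(events: List[dict]) -> List[str]:
    """Dispatch each event to its check and collect the findings."""
    checks = {7: check_image_load, 6: check_driver_load}
    findings = []
    for ev in events:
        check = checks.get(ev["EventID"])
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Foxit Software\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},  # normal resolution
    {"EventID": 7, "Image": r"C:\Users\Public\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Users\Public\msimg32.dll"},  # sideload from app directory
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys"},  # benign
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\rwdrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\hlpdrv.sys"},
]
```

The path check is deliberately simple; a production rule would also compare the loaded file's signer and hash against an allowlist rather than trusting location alone.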
Source: https://cybersecuritynews.com/qilin-ransomware-kill-edr/
Foxit cybersecurity rating report: https://www.rankiteo.com/company/foxit-corporation
"id": "FOX1775147113",
"linkid": "foxit-corporation",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{
  "attack_vector": "DLL sideloading",
  "data_breach": {"data_encryption": "Yes (ransomware payload)"},
  "description": "The Qilin ransomware group has escalated its tactics with a sophisticated multi-stage infection chain designed to disable over 300 endpoint detection and response (EDR) drivers from major security vendors. The attack begins with DLL sideloading, using legitimate applications like FoxitPDFReader.exe to load a malicious msimg32.dll. The rogue DLL employs advanced anti-detection techniques, including SEH/VEH-based control flow obfuscation, ETW suppression, Halo’s Gate syscall bypass, kernel object manipulation, anti-debugging measures, and geo-fencing. The final payload deploys kernel-level drivers to terminate protected EDR processes and disable EDR visibility by unregistering kernel callbacks and temporarily disabling Code Integrity enforcement.",
  "impact": {"operational_impact": "Disabling of EDR solutions, evasion of detection mechanisms"},
  "initial_access_broker": {"entry_point": "DLL sideloading via FoxitPDFReader.exe"},
  "lessons_learned": "Targeting security defenses before ransomware deployment is now a standard tactic. Multi-layered defenses are needed to detect suspicious DLL sideloading, unexpected driver installations, and unauthorized physical memory writes.",
  "motivation": "Financial gain (Ransomware-as-a-Service)",
  "post_incident_analysis": {
    "corrective_actions": "Enhance detection of DLL sideloading, monitor for unexpected driver installations, and implement protections against kernel-level manipulation.",
    "root_causes": "DLL sideloading, exploitation of legitimate applications, advanced anti-detection techniques"
  },
  "ransomware": {"data_encryption": "Yes", "ransomware_strain": "Qilin (Agenda)"},
  "recommendations": "Implement multi-layered defenses to detect DLL sideloading, unexpected driver installations, and unauthorized physical memory writes. Monitor for geo-fencing and anti-debugging behaviors.",
  "references": [{"source": "Cisco Talos"}],
  "response": {"third_party_assistance": "Cisco Talos researchers"},
  "threat_actor": "Qilin (Agenda, Gold Feather, Water Galura)",
  "title": "Qilin Ransomware Deploys Advanced EDR-Killing Attack Chain",
  "type": "Ransomware"
}