Qilin Ransomware Uses Malicious DLL to Disable Nearly All EDR Solutions

The Qilin ransomware group has deployed a highly sophisticated, multi-stage infection chain that can disable more than 300 endpoint detection and response (EDR) solutions, effectively blinding security tools before ransomware is executed.

Discovered and analyzed by Cisco Talos Intelligence, the attack weaponizes a malicious DLL file to execute its payload entirely in memory, leaving minimal forensic traces and bypassing conventional antivirus defenses.

A Rogue DLL at the Core

The attack begins with a classic DLL side-loading technique. A legitimate Windows application inadvertently loads a malicious “msimg32.dll” file instead of the genuine Windows system library.

[Figure: Infection chain overview (Source: Talos)]

To avoid raising immediate suspicion, the rogue DLL forwards all normal application requests to the real library, maintaining the appearance of legitimate system activity.

Once loaded, the malware triggers its hidden payload from the DLL’s initialization function, launching a complex evasion chain.

The custom loader suppresses security event logging, neutralizes standard user-mode hooks, and leverages both structured exception handling (SEH) and vectored exception handling (VEH) to obscure execution flow from behavioral scanners.

A specialized syscall-scanning technique is also used to locate clean, unhooked system call stubs, so that the loader can bypass the user-mode behavioral monitoring installed by local EDR software.

[Figure: Deleting EDR callbacks (Source: Talos)]

Before deploying its final payload, the malware performs basic geo-fencing by checking the compromised system’s language settings.

If post-Soviet language packs are detected, the process deliberately crashes to avoid infecting systems in those regions.

This is a common tactic among Russian-affiliated ransomware operators designed to evade law enforcement attention domestically.

The final payload is then decrypted and mapped directly into memory using shared memory views, so the EDR killer never touches the disk in an unencrypted state; this renders traditional file-based detection ineffective.

Once the payload is active, the malware escalates privileges to the administrative level and loads two kernel-level helper drivers to dismantle security tools from the inside out.

Driver      | Original source            | Primary function
rwdrv.sys   | Renamed "ThrottleStop.sys" | Grants direct read/write access to physical memory
hlpdrv.sys  | Custom malicious driver    | Terminates protected EDR processes and disables AV software

By abusing a legitimately signed but abusable driver (rwdrv.sys), the malware bypasses Windows Driver Signature Enforcement and gains kernel-level access.
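The two telemetry signals that follow from the chain described above (the side-loaded msimg32.dll and the two helper drivers) can be checked in endpoint image-load and driver-load events. The script below is an added illustration, not code from the Talos report; it assumes a default install with SystemRoot at C:\Windows and a simplified "EventID|Image|ImageLoaded" record format modelled loosely on Sysmon ImageLoad (7) and DriverLoad (6) events, with all sample events constructed.

```python
from pathlib import PureWindowsPath

# Directories from which the genuine msimg32.dll is expected to load
# (assumption: standard install with SystemRoot = C:\Windows).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Helper driver file names named in the report (rwdrv.sys is a renamed ThrottleStop.sys).
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}


def check_image_load(image_loaded):
    """Flag msimg32.dll loaded from anywhere other than the Windows system
    directories (the side-loading pattern). Returns a finding string or None."""
    p = PureWindowsPath(image_loaded)
    if p.name.lower() != "msimg32.dll":
        return None
    if str(p.parent).lower() in SYSTEM_DIRS:
        return None
    return "possible side-loading: msimg32.dll loaded from %s" % p.parent


def check_driver_load(image_loaded):
    """Flag driver loads whose file name matches one of the two helper drivers."""
    name = PureWindowsPath(image_loaded).name.lower()
    if name in SUSPECT_DRIVERS:
        return "suspect driver loaded: %s" % name
    return None


# Constructed sample events; not real telemetry. Format: EventID|Image|ImageLoaded
SAMPLE_EVENTS = [
    r"7|C:\Windows\System32\notepad.exe|C:\Windows\System32\msimg32.dll",
    r"7|C:\Users\Public\tool\app.exe|C:\Users\Public\tool\msimg32.dll",
    r"7|C:\Program Files\app\app.exe|C:\Windows\SysWOW64\msimg32.dll",
    r"6|System|C:\Windows\System32\drivers\rwdrv.sys",
    r"6|System|C:\Windows\System32\drivers\hlpdrv.sys",
    r"6|System|C:\Windows\System32\drivers\ntfs.sys",
]


def scan(events):
    """Return (image, finding) pairs for every event that matches a check."""
    findings = []
    for line in events:
        event_id, image, loaded = line.split("|")
        finding = None
        if event_id == "7":
            finding = check_image_load(loaded)
        elif event_id == "6":
            finding = check_driver_load(loaded)
        if finding:
            findings.append((image, finding))
    return findings
```

File-name matching on the drivers is a weak signal on its own, since the operators already renamed ThrottleStop.sys once; pair it with signer and original-file-name checks on the driver's version resource.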

It then iterates through a hardcoded list of over 300 targeted EDR drivers, systematically unregistering their monitoring callbacks for critical system events (process creation, thread creation, and image loading), effectively blinding EDR tools at the kernel level.

To cover its tracks, the malware temporarily disables Windows Code Integrity enforcement by overwriting specific kernel validation functions.

This creates a vulnerability window during which it freely modifies kernel structures without triggering crashes or security alerts.

Once EDR software is fully neutralized, the malware restores the original integrity checks to reduce forensic evidence, allowing the Qilin ransomware payload to execute undetected.

The campaign underscores a dangerous shift in attacker strategy: rather than simply evading defenses, modern ransomware groups are now actively dismantling the security layer itself before deploying their final payload.


The post Qilin Ransomware Uses Malicious DLL to Disable Nearly All EDR Solutions appeared first on Cyber Security News.
