Qilin Ransomware Disables EDR Systems with Malicious DLL

Posted on April 2, 2026 By CWS

The Qilin ransomware group has emerged with a complex infection strategy that leverages a malicious msimg32.dll to neutralize the protection of over 300 endpoint detection and response (EDR) drivers from leading cybersecurity vendors.

As reliance on EDR solutions grows, these systems offer enhanced behavioral insights compared to traditional antivirus software. Cybercriminals have responded by integrating EDR-disabling techniques into their attack plans, allowing them to deploy ransomware without detection.

Known under aliases such as Agenda, Gold Feather, and Water Galura, Qilin has reported over 40 victims monthly, placing it among the most active ransomware-as-a-service (RaaS) entities currently operating.

DLL Sideloading: A Stealthy Approach

Researchers from Cisco Talos have identified that Qilin initiates its attack through DLL sideloading. A trusted application, like FoxitPDFReader.exe, loads the rogue msimg32.dll instead of the legitimate Windows library.

This rogue DLL keeps the host application working by forwarding the exports it is asked for to the legitimate msimg32.dll, while running its own code from the DllMain function. The embedded encrypted payload, an EDR killer, is unpacked through three loading stages and executes entirely in memory so that nothing is written to disk.
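A defender-side check for the sideloading pattern described above, written here as an added example and not taken from the Cisco Talos report: it runs over constructed Sysmon "Image loaded" (Event ID 7) records and flags a process that loads a DLL carrying a Windows system-library name, such as msimg32.dll, from anywhere other than the Windows system directories, or a copy in the right place that is not Microsoft-signed. The DLL names beyond msimg32.dll, the trusted-directory list and the drop path next to FoxitPDFReader.exe are assumptions made for the example.

```python
"""Flag DLL sideloading of Windows system libraries in Sysmon Event ID 7 records.

Added example: the events below are constructed for illustration and are not
taken from the Cisco Talos report. Field names follow Sysmon's 'Image loaded'
event (ID 7): Image, ImageLoaded, Signed, Signature, SignatureStatus.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional

# System DLLs that a process should resolve from the Windows system directories.
# msimg32.dll is the library named in the Qilin report; the other names are
# assumptions added to show that the list is meant to be extended.
SYSTEM_DLLS = {"msimg32.dll", "version.dll", "dbghelp.dll"}

# Locations from which a genuine copy of those DLLs is expected to load.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)


@dataclass
class Finding:
    process: str
    dll_path: str
    reason: str


def _in_trusted_dir(path: str) -> bool:
    folder = ntpath.dirname(path).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in TRUSTED_DIRS)


def check_image_load(event: dict) -> Optional[Finding]:
    """Return a Finding when the loaded DLL carries a system-library name but
    does not come from a trusted directory or lacks a Microsoft signature."""
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in SYSTEM_DLLS:
        return None
    process = event.get("Image", "")
    if not _in_trusted_dir(loaded):
        return Finding(process, loaded,
                       "system DLL name loaded from outside the Windows system directories")
    signed = event.get("Signed", "false").lower() == "true"
    signer = event.get("Signature", "").lower()
    if not signed or not signer.startswith("microsoft"):
        return Finding(process, loaded, "system DLL is not Microsoft-signed")
    return None


def triage(events) -> list:
    """Run every record through check_image_load and keep the hits."""
    return [f for f in (check_image_load(e) for e in events) if f is not None]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: a Windows binary loading the real msimg32.dll
        "Image": r"C:\Windows\System32\mspaint.exe",
        "ImageLoaded": r"C:\Windows\System32\msimg32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # sideloading pattern: msimg32.dll sitting next to the host executable
        # (the drop directory is an assumption; the report does not give one)
        "Image": r"C:\Users\Public\FoxitPDFReader.exe",
        "ImageLoaded": r"C:\Users\Public\msimg32.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # unrelated third-party DLL: not a system-library name, so ignored
        "Image": r"C:\Program Files\ExampleApp\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
        "Signed": "true", "Signature": "Example Corp", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit.process} loaded {hit.dll_path}: {hit.reason}")
```

The path test is deliberately done on the directory rather than on the file name alone, because a forwarding DLL like the one described keeps the legitimate name and the host application keeps working; the only observable oddity at load time is where the library came from and who signed it.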

Advanced Evasion Techniques

The loader incorporates several sophisticated evasion methods to bypass EDR detection. It uses Structured Exception Handling (SEH) and Vectored Exception Handling (VEH) to disguise API call patterns and covertly transition execution phases.

Additionally, the loader suppresses Event Tracing for Windows (ETW), depriving defenders of vital telemetry data. It bypasses hooked APIs using clean syscall stubs from ntdll.dll, without altering the hooked code, and manipulates kernel objects to redirect exception handling.

Anti-debugging strategies further enhance the malware’s stealth, including checks for breakpoints on KiUserExceptionDispatcher, which crash the process if detected. Geo-fencing techniques are also employed, halting the attack if the system locale aligns with specific post-Soviet regions.

Deploying the EDR Killer

Once delivered, the EDR killer payload loads two kernel helper drivers. The first, rwdrv.sys, is a renamed TechPowerUp LLC driver whose IOCTLs are abused for memory and configuration access, giving the malware direct kernel manipulation.

The second, hlpdrv.sys, targets protected EDR processes and terminates them through specific IOCTL codes, bypassing Windows process protection. That capability rests on the driver's ability to write to physical memory, which the malware uses to unregister EDR monitoring callbacks at the kernel level.

By temporarily altering the CiValidateImageHeader callback, the malware disables Code Integrity checks during its operation, restoring the callback post-attack to minimize forensic evidence.

Cisco Talos emphasizes that while these methods are not entirely new, they are effective against inadequately configured defense systems. Organizations must remain vigilant for signs of DLL sideloading, unexpected driver deployments, and unauthorized physical memory access from user-mode applications.
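One way to act on the "unexpected driver deployments" advice above, covering both the rwdrv.sys/hlpdrv.sys loads described earlier and the closing recommendation, as an added example rather than code from the Cisco Talos report: it triages constructed Sysmon "Driver loaded" (Event ID 6) records and raises a reason for a driver loaded from outside the Windows driver directories, one whose signature is not valid, one signed by a publisher on an abused-driver watch list, or one whose hash is not in an approved baseline. The drop paths, hashes, the baseline and every signer other than TechPowerUp LLC are assumptions made for the example.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for unexpected kernel drivers.

Added example: events, hashes and the approval baseline are constructed for
illustration and are not taken from the Cisco Talos report. Field names follow
Sysmon's 'Driver loaded' event: ImageLoaded, Hashes, Signed, Signature,
SignatureStatus.
"""
import ntpath
import re
from typing import List

# Where Windows normally keeps drivers; a load from anywhere else is worth a look.
DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# Publishers whose validly signed drivers are known to be abused for kernel
# access. TechPowerUp LLC is the signer the report names for rwdrv.sys; in
# practice this set is fed from a vulnerable-driver blocklist.
WATCHED_SIGNERS = {"techpowerup llc"}

# Constructed baseline of SHA256 values for drivers approved in this environment.
APPROVED_SHA256 = {"A" * 64}


def sha256_from_hashes(field: str) -> str:
    """Extract the SHA256 value from Sysmon's 'SHA1=...,SHA256=...' Hashes field."""
    match = re.search(r"SHA256=([0-9A-Fa-f]{64})", field)
    return match.group(1).upper() if match else ""


def check_driver_load(event: dict) -> List[str]:
    """Return the reasons this driver load deserves attention (empty if none)."""
    reasons = []
    path = event.get("ImageLoaded", "")
    folder = ntpath.dirname(path).lower()
    if not any(folder == d or folder.startswith(d + "\\") for d in DRIVER_DIRS):
        reasons.append("loaded from outside the Windows driver directories")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature is not valid")
    if event.get("Signature", "").lower() in WATCHED_SIGNERS:
        reasons.append("signer is on the abused-driver watch list")
    if sha256_from_hashes(event.get("Hashes", "")) not in APPROVED_SHA256:
        reasons.append("hash is not in the approved driver baseline")
    return reasons


def triage_drivers(events) -> List[tuple]:
    """Return (driver path, reasons) for every record that raised at least one reason."""
    hits = []
    for event in events:
        reasons = check_driver_load(event)
        if reasons:
            hits.append((event.get("ImageLoaded", ""), reasons))
    return hits


# Constructed sample records (not real telemetry; drop paths are assumptions).
SAMPLE_DRIVER_EVENTS = [
    {   # benign, baselined Microsoft driver from the normal location
        "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
        "Hashes": "SHA256=" + "A" * 64,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # renamed vendor driver dropped by the EDR killer: valid signature, wrong place
        "ImageLoaded": r"C:\ProgramData\rwdrv.sys",
        "Hashes": "SHA256=" + "B" * 64,
        "Signed": "true", "Signature": "TechPowerUp LLC", "SignatureStatus": "Valid",
    },
    {   # second helper driver, signed by an unfamiliar publisher and never baselined
        "ImageLoaded": r"C:\ProgramData\hlpdrv.sys",
        "Hashes": "SHA256=" + "C" * 64,
        "Signed": "true", "Signature": "Example Signer", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for path, reasons in triage_drivers(SAMPLE_DRIVER_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The signature-status check alone would pass rwdrv.sys, which is the point the article makes: a renamed vendor driver carries a perfectly valid signature, so the baseline and the publisher watch list are what separate it from a normal driver load. The watch list is most useful when populated from the Microsoft vulnerable driver blocklist or a community list such as LOLDrivers rather than maintained by hand.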
