In a significant escalation of cyber warfare tactics, threat actors linked to the notorious Qilin and Warlock ransomware operations have been observed employing the "bring your own vulnerable driver" (BYOVD) technique to systematically disable endpoint security solutions on compromised systems. This sophisticated method, detailed in recent analyses by cybersecurity giants Cisco Talos and Trend Micro, highlights a perilous new frontier in ransomware attacks, where adversaries exploit legitimate, signed drivers to gain kernel-level control and dismantle defenses, rendering traditional security measures ineffective. The findings underscore a critical challenge for organizations in detecting and mitigating advanced persistent threats that operate deep within the operating system.
The Alarming Trend of BYOVD Attacks
The BYOVD technique represents a particularly insidious form of attack. Instead of developing their own malicious kernel drivers, which are notoriously difficult to sign and deploy without triggering immediate security alerts, threat actors leverage existing, legitimate drivers from reputable vendors that contain known vulnerabilities. By "bringing" these drivers to the target system and exploiting their flaws, attackers can execute arbitrary code with elevated privileges, often at the kernel level. This allows them to bypass or completely disable security software, including Endpoint Detection and Response (EDR) solutions, which are designed to detect and prevent such malicious activities. The appeal of BYOVD lies in its ability to circumvent signature-based detection and user-mode security hooks, providing attackers with a stealthy and highly effective means to achieve their objectives. Cisco Talos and Trend Micro’s reports confirm that this technique is no longer an isolated incident but a strategic component of major ransomware campaigns, signaling a dangerous shift in the attacker’s playbook.

Qilin’s Stealthy EDR Kill Chain
Cisco Talos researchers Takahiro Takeda and Holger Unterbrink have meticulously analyzed recent Qilin attacks, revealing a multi-stage infection chain specifically designed to dismantle EDR solutions. At the heart of this chain is a malicious DLL, identified as "msimg32.dll," which is deployed through a DLL side-loading mechanism. This method exploits how legitimate applications load libraries, tricking them into loading the malicious DLL instead of the intended one. Once loaded, "msimg32.dll" initiates a complex sequence of operations aimed at neutralizing security tools.
The sophistication of Qilin’s EDR killer component is evident in its array of evasion techniques. The initial PE loader, responsible for preparing the execution environment, employs several measures to remain undetected. It neutralizes user-mode hooks, which are often used by EDRs to monitor process activities, and suppresses Event Tracing for Windows (ETW) event logs, a crucial source of forensic data for security analysts. Furthermore, the loader takes elaborate steps to conceal control flow and API invocation patterns, making it exceedingly difficult for security solutions to identify its malicious intent through behavioral analysis. As Takeda and Unterbrink noted in their blog, "This secondary payload is embedded within the loader in an encrypted form," indicating a deliberate effort to keep the EDR killer payload hidden until the execution environment is fully prepared. This meticulous approach ensures that the main EDR killer payload is decrypted, loaded, and executed entirely in memory, flying under the radar of many conventional detection mechanisms.
Upon successful launch, the Qilin malware proceeds to leverage the BYOVD technique. While the specific vulnerable drivers were not explicitly detailed in the provided Talos findings, the general mechanism involves exploiting known flaws in legitimate drivers to gain kernel-level access. This allows Qilin to terminate an astonishing array of EDR drivers—over 300 from nearly every major security vendor in the market. The malware’s ability to unregister monitoring callbacks established by EDRs before terminating processes is a testament to its advanced capabilities. "It demonstrates the sophisticated tricks the malware is employing to circumvent or completely disable modern EDR protection features on compromised systems," Talos researchers emphasized, highlighting the critical nature of this defense evasion. This technique has also been observed in conjunction with other prominent ransomware groups, including Akira and Makop, signaling a shared tactic among high-tier cybercriminal operations.

Qilin’s Escalating Threat Landscape
The use of BYOVD by Qilin comes amidst its rapid ascent as one of the most prolific ransomware groups. Statistics compiled by CYFIRMA and Cynet indicate that Qilin has emerged as the most active ransomware group in recent months, claiming hundreds of victims globally. Its impact is particularly pronounced in Japan, where it was linked to 22 out of 134 reported ransomware incidents in 2025, accounting for a significant 16.4% of all attacks. This regional dominance underscores the group’s targeted and effective operations.
According to Talos, Qilin’s initial access typically relies on stolen credentials, a common but highly effective entry vector. Once inside a target environment, the group places considerable emphasis on post-compromise activities, systematically expanding its control and maximizing the potential impact of its attacks. This methodical approach includes extensive reconnaissance, lateral movement, and data exfiltration before the final ransomware payload is deployed. Talos’s analysis reveals a critical timeline: ransomware execution occurred, on average, approximately six days after the initial compromise. This "dwell time" provides a crucial window for organizations to detect and respond to malicious activity before the full devastating impact of a ransomware attack materializes. The implication is clear: early detection and robust incident response capabilities are paramount to preventing the eventual deployment of ransomware.

Warlock’s Persistent Evolution and BYOVD Implementation
Concurrently, the Warlock ransomware group, also known as Water Manaul, continues to evolve its tactics, demonstrating a similar reliance on BYOVD to enhance its evasive capabilities. Trend Micro’s research highlights Warlock’s ongoing exploitation of unpatched Microsoft SharePoint servers, a vulnerability that provides a fertile ground for initial compromise. Following successful breaches, Warlock updates its toolset for enhanced persistence, lateral movement, and, critically, defense evasion.
A notable aspect of Warlock’s updated arsenal is its use of TightVNC for persistent remote control, allowing threat actors to maintain access to compromised systems over extended periods. More alarmingly, Warlock has adopted a legitimate-but-vulnerable NSec driver, "NSecKrnl.sys," in its BYOVD attacks. This driver replaces the "googleApiUtil64.sys" driver used in earlier campaigns, indicating a continuous effort by the group to identify and weaponize new vulnerable drivers. The shift in drivers underscores the dynamic nature of BYOVD attacks, where threat actors constantly adapt to exploit newly discovered vulnerabilities or replace drivers that might have been flagged by security vendors. By leveraging "NSecKrnl.sys," Warlock can terminate security products at the kernel level, effectively blinding EDRs and other endpoint protections.
Observations from a Warlock attack in January 2026 also revealed an expanded set of tools designed for various post-compromise activities. While specific tool names were not provided in the original excerpt, these typically include utilities for network reconnaissance, credential harvesting, privilege escalation, data staging, and exfiltration. Such an extensive toolset allows Warlock to thoroughly prepare a network for encryption, ensuring maximum disruption and leverage for ransom demands. The combination of exploiting unpatched servers, establishing persistent control, and using sophisticated BYOVD techniques positions Warlock as a formidable and evolving threat.

Defending Against Advanced Ransomware and BYOVD Threats
The rise of BYOVD attacks by groups like Qilin and Warlock necessitates a fundamental re-evaluation of cybersecurity strategies. Traditional endpoint protection, while essential, may no longer be sufficient against adversaries capable of operating at the kernel level. Cybersecurity experts universally recommend a multi-layered defense approach that prioritizes kernel integrity and proactive threat hunting.
Key recommendations for organizations to counter BYOVD threats include:
- Strict Driver Governance: Implement stringent policies to only allow signed drivers from explicitly trusted publishers. This involves maintaining a whitelist of approved drivers and blocking any unsigned or unrecognized drivers from loading.
- Monitor Driver Installation Events: Actively monitor and audit all driver installation events. Anomalous driver installations, especially those occurring outside of standard patching or software deployment cycles, should trigger immediate alerts and investigation.
- Rigorous Patch Management: Maintain a comprehensive and rigorous patch management schedule, not only for operating systems and applications but specifically for security software with driver-based components. Vulnerabilities in legitimate drivers are continually discovered, and timely patching is crucial to mitigate their exploitation.
- Advanced EDR and XDR Solutions: Deploy advanced EDR and Extended Detection and Response (XDR) solutions that offer deep visibility into kernel-level activities and can detect behavioral anomalies indicative of BYOVD attacks, even when legitimate drivers are being exploited. These solutions should be capable of detecting unusual driver loading, unexpected process terminations, and modifications to security mechanisms.
- Threat Hunting: Implement proactive threat hunting programs to search for signs of compromise that might bypass automated defenses. This includes looking for indicators of compromise (IoCs) related to known BYOVD techniques and analyzing system logs for subtle anomalies.
- Principle of Least Privilege: Enforce the principle of least privilege across all user accounts and system processes to limit the impact of a successful compromise.
- Network Segmentation and Microsegmentation: Segment networks to restrict lateral movement, even if an attacker gains initial access and disables endpoint security on one host.
- Regular Backups and Recovery Plans: Maintain immutable, offsite backups and regularly test recovery plans to minimize the impact of a successful ransomware attack.
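As an added example that is not part of the Talos or Trend Micro reporting, the following Python routine applies the driver-governance and driver-installation-monitoring checks above to Sysmon Event ID 6 ("Driver loaded") records: it flags the driver file names the article names, drivers that are unsigned or signed by a publisher outside the allowlist, and loads outside an approved change window. The allowlist, change window and sample events are constructed placeholders, not real telemetry.

```python
"""Triage of Sysmon Event ID 6 (Driver loaded) records for BYOVD indicators.
Assumptions (not from the article): events arrive as dicts keyed by Sysmon
field names; TRUSTED_SIGNERS and CHANGE_WINDOW are placeholders to adapt."""
from datetime import datetime, time

# Driver file names the article reports Warlock abused in BYOVD attacks.
KNOWN_ABUSED_DRIVERS = {"nseckrnl.sys", "googleapiutil64.sys"}
# Placeholder allowlist of signer subjects the organisation explicitly trusts.
TRUSTED_SIGNERS = {"Microsoft Windows", "Example Endpoint Security Vendor"}
# Approved change window in UTC (Sysmon UtcTime is UTC); loads outside it alert.
CHANGE_WINDOW = (time(22, 0), time(23, 59))


def in_change_window(ts: datetime) -> bool:
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def triage_driver_load(ev: dict) -> list[str]:
    """Return every reason a single driver-load record deserves an alert."""
    reasons = []
    name = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known-abused driver {name}")
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("unsigned driver")
    elif ev.get("Signature") not in TRUSTED_SIGNERS:
        reasons.append(f"signer not on allowlist: {ev.get('Signature')}")
    if not in_change_window(datetime.fromisoformat(ev["UtcTime"])):
        reasons.append("loaded outside change window")
    return reasons


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged driver path to its alert reasons; clean loads are omitted."""
    return {e["ImageLoaded"]: r for e in events if (r := triage_driver_load(e))}


# Constructed sample records in Sysmon EID 6 field layout (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2026-01-14 22:30:00", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"UtcTime": "2026-01-14 03:12:41", "ImageLoaded": "C:\\Users\\Public\\NSecKrnl.sys",
     "Signed": "true", "Signature": "Third-party signer (constructed)"},
    {"UtcTime": "2026-01-14 03:13:02", "ImageLoaded": "C:\\Temp\\loader.sys",
     "Signed": "false", "Signature": "-"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

A signed driver from a legitimate vendor passes the signature check by design, which is why the name and change-window checks matter in addition to signer allowlisting.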
As Trend Micro aptly stated, "Warlock’s reliance on vulnerable drivers to disable security controls requires a multilayered defense focused on kernel integrity." This means organizations must move beyond basic endpoint protection to enforce strict driver governance and real-time monitoring of kernel-level activities. The battle against sophisticated ransomware groups like Qilin and Warlock is an ongoing arms race, demanding continuous vigilance, adaptability, and investment in advanced security technologies and practices. The average six-day dwell time before ransomware deployment, as observed with Qilin, underscores the critical importance of early detection and rapid response to prevent these highly evasive threats from achieving their ultimate destructive objectives.
