
CyberCyte Blog


When Your EDR Goes Blind: Inside Qilin’s EDR Killer — and How CyberCyte Stops It

Qilin ransomware has evolved a multi-stage attack that silences 300+ EDR products before detonating. Here is exactly how it works — and where CyberCyte breaks the chain.

Qilin, also known as Agenda, has become the single most prolific ransomware brand by data leak volume in 2025. It has claimed hundreds of victims across healthcare, financial services, critical infrastructure, and manufacturing. But what makes Qilin truly dangerous in 2026 is not its encryption payload. It is what happens in the roughly six days before encryption: a sophisticated, silent campaign to disable every security tool standing in its way.

The Core Problem

Qilin now deploys a custom EDR killer that can disable over 300 endpoint detection and response products from virtually every major security vendor — including CrowdStrike, SentinelOne, Microsoft Defender, Palo Alto Cortex XDR, and more. Once your EDR is blind, the ransomware runs without resistance.

This blog explains exactly how the Qilin EDR killer works at a technical level, and maps each stage of the attack chain to the CyberCyte platform capabilities that detect and disrupt it.

How the Qilin EDR Killer Works

Cisco Talos researchers analysed multiple Qilin intrusions and identified a sophisticated multi-stage infection chain that executes entirely before ransomware is deployed. It is built to avoid detection at every layer.

The Six-Stage Attack Chain

1. Initial Access via Stolen Credentials

Qilin gains entry through stolen credentials, typically obtained via phishing, credential-stuffing, or purchased from initial access brokers on dark web markets. The attacker is quiet, patient, and begins reconnaissance immediately after access.

2. DLL Side-Loading: Planting the Weapon

A malicious msimg32.dll is dropped into the directory of a legitimate Windows application. Because the application's own directory is searched before C:\Windows\System32 for any DLL that is not on the KnownDLLs list, Windows loads the rogue copy instead of the genuine system library when the application starts; this is DLL side-loading. To avoid suspicion, the malicious DLL forwards every export to the legitimate msimg32.dll in C:\Windows\System32, so the host application keeps working exactly as before.
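The two observable side effects of this stage are a system DLL name loaded from a non-system directory and, because the rogue copy forwards to the real one, the same DLL name loaded twice by one process from two directories. The following hunt over image-load telemetry is an added example written for this article, not code from CyberCyte or from the Talos research; the Sysmon-style records, the SYSTEM_DLL_NAMES set and the paths are constructed for illustration.

```python
"""Hunt for DLL side-loading of a system DLL name (msimg32.dll here) in image-load telemetry.

Added example; the records below are constructed, not from a real Qilin intrusion.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed for this example: DLL names that ship in C:\Windows\System32. A real hunt
# should build this set from a file listing of a clean reference System32 directory.
SYSTEM_DLL_NAMES = {"msimg32.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    """The fields of a Sysmon Event ID 7 (ImageLoad) record that the hunt needs."""
    pid: int
    image: str             # executable that loaded the DLL
    image_loaded: str      # full path of the DLL
    signed: bool
    signature: str         # signer name, '' if unsigned
    signature_status: str  # 'Valid', 'Invalid', 'Unavailable', ...


def is_sideload_candidate(ev: ImageLoad) -> Optional[str]:
    """Return a reason if this load looks like side-loading of a system DLL name, else None."""
    path = PureWindowsPath(ev.image_loaded)
    name = path.name.lower()
    if name not in SYSTEM_DLL_NAMES:
        return None
    parent = str(path.parent).lower()
    genuine = (
        parent in SYSTEM_DIRS
        and ev.signed
        and ev.signature_status.lower() == "valid"
        and ev.signature.lower().startswith("microsoft")
    )
    if genuine:
        return None
    if parent not in SYSTEM_DIRS:
        return f"system DLL name {name} loaded from non-system directory {parent}"
    return f"{name} loaded from a system directory but signature is {ev.signature_status!r} by {ev.signature!r}"


def proxied_loads(events) -> list:
    """A proxy DLL forwards its exports to the real copy, so one process ends up with the same
    DLL name loaded from two directories. Return (pid, image, name, dirs) for each such case."""
    seen = defaultdict(set)
    for ev in events:
        path = PureWindowsPath(ev.image_loaded)
        seen[(ev.pid, ev.image, path.name.lower())].add(str(path.parent).lower())
    return [(pid, image, name, sorted(dirs))
            for (pid, image, name), dirs in seen.items() if len(dirs) > 1]


def hunt(events) -> list:
    """Run both checks and return one finding per suspicious event or process."""
    findings = [(ev.pid, ev.image, ev.image_loaded, reason)
                for ev in events if (reason := is_sideload_candidate(ev))]
    findings += [(pid, image, name, f"loaded from two directories: {dirs}")
                 for pid, image, name, dirs in proxied_loads(events)]
    return findings


# Constructed sample telemetry: one clean load, one side-loaded msimg32.dll that then
# forwards to the real library, and one ordinary application DLL.
SAMPLE_EVENTS = [
    ImageLoad(1200, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\msimg32.dll",
              True, "Microsoft Windows", "Valid"),
    ImageLoad(4412, r"C:\Users\Public\Tools\updater.exe", r"C:\Users\Public\Tools\msimg32.dll",
              False, "", "Unavailable"),
    ImageLoad(4412, r"C:\Users\Public\Tools\updater.exe", r"C:\Windows\System32\msimg32.dll",
              True, "Microsoft Windows", "Valid"),
    ImageLoad(5108, r"C:\Program Files\App\app.exe", r"C:\Program Files\App\app_core.dll",
              True, "Contoso Ltd", "Valid"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(" | ".join(map(str, finding)))
```

On the constructed input the first check flags the unsigned msimg32.dll in C:\Users\Public\Tools, and the second check flags process 4412 for loading msimg32.dll from two directories; the genuine System32 load by notepad.exe and the application's own app_core.dll produce nothing. A legitimate third-party DLL that happens to share a system DLL name will trip the first check, so triage on signer before escalating.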

3. Anti-Detection: Going Dark Before Striking

Embedded within the malicious DLL is an encrypted EDR killer payload that passes through three loader stages before execution. Each stage employs advanced evasion: ETW (Event Tracing for Windows) is suppressed at runtime, depriving defenders of behavioural telemetry. SEH/VEH-based control flow obfuscation conceals API invocation patterns. User-mode hooks from EDR products are neutralised. The final payload is decrypted and executed entirely in memory. It never touches disk in decrypted form.

4. BYOVD: Loading a Legitimate Weapon

Two legitimately signed, vulnerable drivers are deployed: rwdrv.sys (a renamed ThrottleStop.sys, signed by TechPowerUp LLC) and hlpdrv.sys. Because both carry valid digital signatures, Windows Driver Signature Enforcement loads them; only a hash- or version-based block list would refuse a driver that is already known to be vulnerable. rwdrv.sys exposes IOCTLs for arbitrary physical memory read and write, which lets user-mode code patch kernel memory without ever loading unsigned code. hlpdrv.sys is used to terminate protected EDR processes via IOCTL code 0x2222008, bypassing the process protection that normally stops even an administrator from killing them.
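Because the driver is renamed, a check that keys on the file name misses it, while a check that keys on the file hash catches it wherever it lands and under whatever name. The inventory check below is an added example for this article, not CyberCyte's or Talos's code; the driver bytes, hashes, service records and paths are constructed stand-ins, and a real hunt would take its hashes from a published list such as Microsoft's vulnerable driver blocklist or the LOLDrivers project and its inventory from `driverquery /v` or `Get-CimInstance Win32_SystemDriver`.

```python
"""Match loaded kernel drivers against a vulnerable-driver list by file hash, not by file name.

Added example; the driver bytes and the service records below are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadedDriver:
    service_name: str
    image_path: str
    signer: str     # subject of the Authenticode signature as reported by the OS
    content: bytes  # bytes of the driver file on disk (constructed here, not a real driver)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the vulnerable driver's bytes. A real hunt takes the hashes from a
# published list (e.g. Microsoft's vulnerable driver blocklist or the LOLDrivers project).
STANDIN_THROTTLESTOP = b"MZ\x90\x00 constructed stand-in for ThrottleStop.sys, not the real file"

VULNERABLE_DRIVER_HASHES = {
    sha256_hex(STANDIN_THROTTLESTOP): "ThrottleStop.sys (TechPowerUp LLC): physical memory read/write IOCTLs",
}
VULNERABLE_DRIVER_NAMES = {"throttlestop.sys"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers"


def matches_by_name(driver: LoadedDriver) -> bool:
    """The naive check: only the original file name is known. A renamed copy slips through."""
    return driver.image_path.rsplit("\\", 1)[-1].lower() in VULNERABLE_DRIVER_NAMES


def assess(driver: LoadedDriver) -> list:
    """Hash-based match plus a location heuristic; returns a list of finding strings."""
    findings = []
    digest = sha256_hex(driver.content)
    if digest in VULNERABLE_DRIVER_HASHES:
        findings.append(
            f"service {driver.service_name!r} loads known vulnerable driver "
            f"{VULNERABLE_DRIVER_HASHES[digest]} from {driver.image_path} (signer {driver.signer!r})"
        )
    parent = driver.image_path.rsplit("\\", 1)[0].lower()
    if parent != SYSTEM_DRIVER_DIR:
        findings.append(
            f"service {driver.service_name!r} loads a driver from outside the drivers directory: "
            f"{driver.image_path}"
        )
    return findings


def hunt(drivers) -> dict:
    """Map service name -> findings for every driver with at least one finding."""
    return {d.service_name: f for d in drivers if (f := assess(d))}


# Constructed inventory.
SAMPLE_DRIVERS = [
    LoadedDriver("disk", r"C:\Windows\System32\drivers\disk.sys", "Microsoft Windows",
                 b"constructed disk.sys stand-in"),
    # ThrottleStop.sys renamed and dropped outside the drivers directory, as the article describes.
    LoadedDriver("rwdrv", r"C:\ProgramData\rwdrv.sys", "TechPowerUp LLC", STANDIN_THROTTLESTOP),
    # Same bytes, copied into the drivers directory under yet another name.
    LoadedDriver("hwmon", r"C:\Windows\System32\drivers\hwmon.sys", "TechPowerUp LLC",
                 STANDIN_THROTTLESTOP),
    # An unrelated driver that merely shares the vulnerable driver's file name.
    LoadedDriver("ts", r"C:\Windows\System32\drivers\ThrottleStop.sys", "Contoso Ltd",
                 b"different bytes entirely"),
]

if __name__ == "__main__":
    for d in SAMPLE_DRIVERS:
        print(f"{d.service_name:8} name-match={matches_by_name(d)!s:5} findings={assess(d)}")
```

On the constructed inventory the name check only fires on the unrelated ThrottleStop.sys, while the hash check catches the renamed copy both in C:\ProgramData (with an extra finding for the unusual location) and inside the drivers directory. The signer is reported but not used as a decision input: a valid TechPowerUp signature is exactly what lets this driver load in the first place.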

5. Kernel Callback Destruction: Blinding 300+ EDR Products

Using physical memory writes through rwdrv.sys, the EDR killer walks the kernel's registered notification callbacks (process creation, thread creation and image load) and removes every entry that belongs to a driver on a hardcoded list of over 300 EDR driver names. Those callbacks are how EDR products observe new processes, threads and loaded images. Without them the EDR is blind: its service keeps running and reports itself healthy, so a check that only asks whether the agent process is alive still passes, but the sensor receives no events.

6. Code Integrity Disabled — Then Ransomware Detonated

The malware temporarily overwrites the CiValidateImageHeader kernel callback to disable Windows Code Integrity enforcement while it operates, then restores the original pointer to reduce forensic traces. On average, six days after initial access, ransomware is deployed and data exfiltration begins. By this point most organisations have neither visibility nor a working defence.

Why Traditional Security Fails Against Qilin

Qilin’s EDR killer is engineered specifically to defeat the conventional security stack.

  • EDR tools are the primary target, and their kernel callbacks are removed before they can alert on anything.
  • Traditional vulnerability scanners only see the assets they already know about, and only at scheduled scan times; a driver dropped between two scans is invisible to them.
  • SIEM platforms depend on endpoint telemetry that is largely sourced from ETW, which Qilin suppresses at the point of collection.
  • Signature-based driver trust cannot stop BYOVD, because the abused drivers carry valid signatures; only a hash- or version-based block list (such as Microsoft's vulnerable driver blocklist) refuses them, and only for drivers already known to be vulnerable.
  • Annual penetration tests and quarterly assessments provide no visibility into a six-day pre-ransomware dwell period.

The result is an attack specifically designed to exploit the gaps between your security tools, and the time between your assessments.

How CyberCyte Detects and Disrupts the Qilin Attack Chain

CyberCyte’s X-CTEM Platform operates continuously across 500+ artefact types, including the specific threat signals that characterise the Qilin attack chain.

01. DLL Allowlisting and Anomaly Detection

CyberCyte continuously monitors for DLL anomalies across every endpoint. Malicious DLL side-loading, including a rogue msimg32.dll, is detected through behavioural analysis.

02. Software Library and Driver Vulnerability Tracking

CyberCyte tracks software library vulnerabilities and driver inventories continuously. Known vulnerable drivers are detected through inventory assessment and CVE correlation.

03. Security Agent Validation

CyberCyte continuously validates the health and operational status of critical security agents including EDR, DLP, PAM, and logging tools on every endpoint.

04. ETW and PowerShell Log Consolidation

CyberCyte consolidates PowerShell execution logs and Windows event telemetry through its agent independently of ETW.

05. Continuous Internal Attack Surface Testing

CyberCyte identifies privilege escalation paths, weak authentication controls, and misconfigured service accounts before attackers exploit them.

06. AI-Driven Prioritisation

CyberCyte correlates weak signals across endpoints and time, recognising the pattern of a pre-ransomware campaign before analysts connect the dots.

What Happens If the EDR Is Already Disabled?

Because CyberCyte operates independently of your EDR using its own agent, its own kernel-level telemetry collection, and its own artefact analysis, the disabling of your EDR does not blind CyberCyte.

CyberCyte is not on Qilin’s list of 300+ targeted products.

The Bigger Picture: CTEM as a Defence Strategy

Qilin’s six-day dwell time before ransomware detonation is deliberate. The group uses that time to map your environment, disable your defences, and maximise damage.

The organisations that stop Qilin are not the ones with the best EDR. They are the ones that detect the pre-ransomware activity during that window.

What Your Organisation Should Do Now

  • Audit your DLL inventory: look for system DLL names (msimg32.dll among them) loaded from application or user-writable directories, and for one process loading the same DLL name from two locations.
  • Review your driver inventory against known vulnerable driver lists, matching on file hash rather than file name, since Qilin ships ThrottleStop.sys renamed as rwdrv.sys.
  • Validate EDR agent health across every endpoint, confirming that each agent is still producing telemetry and not only that its process is running.
  • Test your incident response readiness.
  • Implement continuous threat exposure management.

Is Your Environment Exposed to Qilin?

CyberCyte can assess your environment for the specific artefacts and misconfigurations that Qilin and similar ransomware groups exploit — including DLL anomalies, vulnerable drivers, and security agent gaps.

Request a Free Threat Exposure Assessment
www.cybercyte.com


The CyberCyte Platform

CyberCyte is an AI-driven Risk and Threat Exposure Management Platform for Unified Visibility and Response.

The platform enables businesses to benefit from a single pane of glass by unifying threats, vulnerabilities, hardening issues, and inventory risks, prioritizing them, and mapping them to compliance standards. CyberCyte continuously assesses and improves cyber security infrastructure maturity by executing automated diagnostics and remediation actions.

The platform discovers previously unknown risks, reduces complexity, and minimizes operational costs.