Qilin's EDR Killer Can Blind 300+ Security Tools — Here's How It Works

Cisco Talos dropped a detailed analysis today of something defenders need to understand fast: the Qilin ransomware group is deploying an EDR killer that doesn't just crash your security stack — it surgically dismantles it from the inside, then wipes the evidence.

The payload is a malicious DLL called `msimg32.dll`. If that filename looks familiar, it should — it's a legitimate Windows system library used for image rendering. Qilin side-loads their version into a legitimate application that imports from `msimg32.dll`, so the malware executes the moment that application loads. No user prompt. No obvious process launch.

What It Actually Does

This isn't a blunt-force tool. It's a multi-stage infection chain with a specific goal: get into kernel space, kill your EDR, and do it without triggering a single alert in the process.

Stage 1: The loader. The malicious DLL starts by building what Talos calls a "slot-policy table" — a classification map of every `Nt*` syscall stub in `ntdll.dll`. It marks specific functions for special handling, including `NtTraceEvent` and `NtTraceControl` — the mechanisms Windows uses to send telemetry to tools like your EDR. Then it overwrites the exception handler dispatcher slot in `.mrdata` with its own custom handler. From that point forward, every exception in the process goes through Qilin's code first.

The loader uses this to suppress Event Tracing for Windows (ETW) output entirely and neutralize user-mode API hooks — the two main techniques most EDRs use to monitor process behavior. By the time any payload runs, the EDR is essentially flying blind.

Stage 2: The payload. The actual EDR killer is embedded inside the loader, encrypted. It only decrypts and executes in memory — no file ever touches disk in a form that signature detection would recognize. Once active, it loads two kernel drivers:

  • `rwdrv.sys` — provides direct read/write access to physical memory
  • `hlpdrv.sys` — handles process termination at the kernel level

Before loading the termination driver, the malware unregisters the EDR's kernel monitoring callbacks. This prevents the EDR from detecting or blocking its own murder.

The result: the tool can disable over 300 different EDR drivers across nearly every vendor on the market. Sophos has been tracking an earlier version of this loader under the name "Shanya."

The Trend Behind This

This isn't an isolated technique. CybrPulse tracked 776 articles covering EDR bypass, disabling, or killing techniques in the past 30 days across our feed — and the volume is climbing. In the first week of March we tracked around 100 such items. By the week of March 23, that hit 205. EDR evasion has moved from a specialized skill to standard ransomware tradecraft.

The logic is straightforward: EDR tools are good now. They catch a lot. So attackers don't try to sneak past them anymore — they take them offline first. Qilin's chain is one of the more sophisticated implementations of this approach, but the underlying strategy is everywhere.

What This Means for Defenders

A few specific things to look for:

DLL side-loading via `msimg32.dll`. Legitimate applications that import this DLL should not be loading it from non-system paths. If you see `msimg32.dll` loading from an application directory rather than `C:\Windows\System32`, that's a problem. Hunt for it.

Driver loads from unexpected processes. The EDR killer loads `rwdrv.sys` and `hlpdrv.sys` at runtime. Both are known and should be blocking candidates in any kernel driver allowlisting setup. If you're not controlling which drivers can load via Windows Defender Application Control (WDAC) or similar, you're exposed.

ETW tampering. Overwriting the exception dispatcher in `.mrdata` is detectable if you're monitoring for it. Most EDRs do watch for this — but if your EDR is already compromised, you're relying on whatever out-of-process telemetry you have: network logs, NDR, SIEMs fed from sources the local endpoint can't touch.

Lateral detection. If an EDR suddenly goes silent on a machine, treat it as an incident, not a service hiccup. Ransomware actors are counting on ops teams dismissing telemetry gaps as update noise.
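As an added illustration of the hunts above (example code written for this piece, not tooling from Talos, CybrPulse or the Qilin chain), the following Python runs the side-load and driver-load checks over constructed JSON-lines telemetry shaped like Sysmon event 7 (image load) and event 6 (driver load), and adds a heartbeat-gap check for the "EDR goes silent" case. The field names, the SysWOW64 allowance for 32-bit processes and the 15-minute gap threshold are assumptions.

```python
import json
import ntpath

# Where the genuine msimg32.dll lives (SysWOW64 covers 32-bit processes; assumed allowlist).
SYSTEM_DLL_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SIDELOAD_DLLS = {"msimg32.dll"}
KILLER_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}  # the two drivers named in the Talos analysis

def check_image_load(ev):
    """Sysmon-style event 7: msimg32.dll resolved from outside the system directories."""
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in SIDELOAD_DLLS:
        return None
    if ntpath.dirname(loaded).lower() in SYSTEM_DLL_DIRS:
        return None
    return f"side-load: {ev.get('Image')} loaded {loaded}"

def check_driver_load(ev):
    """Sysmon-style event 6: one of the EDR-killer drivers, wherever it sits on disk."""
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() in KILLER_DRIVERS:
        return f"edr-killer driver: {loaded}"
    return None

HANDLERS = {7: check_image_load, 6: check_driver_load}

def hunt(json_lines):
    """Run the matching handler over each JSON-lines event; return all findings in order."""
    findings = []
    for line in json_lines:
        ev = json.loads(line)
        hit = HANDLERS.get(ev.get("EventID"), lambda _: None)(ev)
        if hit:
            findings.append(hit)
    return findings

def silent_hosts(last_heartbeat, now, max_gap_s=900):
    """Hosts whose last EDR heartbeat (epoch seconds) is older than max_gap_s: an incident, not noise."""
    return sorted(h for h, t in last_heartbeat.items() if now - t > max_gap_s)

# Constructed sample telemetry for this example, not real log data.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\msimg32.dll"}),
    json.dumps({"EventID": 7, "Image": "C:\\Users\\Public\\tool\\app.exe", "ImageLoaded": "C:\\Users\\Public\\tool\\msimg32.dll"}),
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"}),
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\tool\\rwdrv.sys"}),
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\tool\\hlpdrv.sys"}),
]
```

Only the second image load (msimg32.dll from a user-writable directory) and the two named drivers are flagged; the legitimate System32 load and tcpip.sys pass.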

The Bigger Picture

Qilin has been active since at least 2022 and picked up significant momentum in 2025 after targeting healthcare and critical infrastructure. The EDR killer component is part of a broader maturation — this group has moved from spray-and-pray ransomware to targeted, technically sophisticated attacks where disabling defenses is a first-class objective, not an afterthought.

Talos notes the campaign had been previously reported at a surface level by multiple vendors, but today's analysis is the first detailed breakdown of the infection chain mechanics — the SEH/VEH tricks, the `.mrdata` overwrite, the slot-policy table. That level of sophistication in a commodity ransomware group should concern anyone who assumed their EDR was sufficient protection on its own.

Defense-in-depth isn't a buzzword here. If the endpoint protection layer can be systematically removed, everything downstream of it has to be positioned to detect the attack anyway.


*CybrPulse tracks over 40,000 security sources daily. Data cited reflects coverage in the CybrPulse threat intelligence feed through April 2, 2026.*