Rewterz

Qilin Ransomware Uses DLL to Bypass Most EDRs – Active IOCs

Severity

High

Analysis Summary

Qilin, also known as Agenda, Gold Feather, and Water Galura, is a highly active ransomware-as-a-service (RaaS) operation, claiming over 40 victims monthly. The group has developed a sophisticated, multi-stage attack chain leveraging a malicious msimg32.dll that can disable more than 300 endpoint detection and response (EDR) drivers from nearly all major security vendors. By targeting EDR solutions, which offer deeper behavioral monitoring than traditional antivirus, Qilin ensures it can operate undetected long enough to deliver its ransomware payload. The operation demonstrates a deliberate shift toward neutralizing defense mechanisms before deploying ransomware, making multi-layered security essential for organizations.

The initial infection relies on DLL sideloading, where a legitimate application, such as FoxitPDFReader.exe, loads the malicious DLL instead of the authentic Windows library. The rogue DLL forwards legitimate API calls to the real msimg32.dll to avoid detection while executing its malicious logic from the DllMain function. Embedded within is an encrypted EDR killer payload, which progresses through three loader stages, ultimately executing entirely in memory without touching disk. Advanced anti-detection techniques, including SEH/VEH-based control flow obfuscation, ETW suppression, syscall bypass using Halo’s Gate, kernel object manipulation, and anti-debugging measures, allow the malware to blind EDR products before they can raise alerts. Geo-fencing further ensures the malware avoids execution in post-Soviet regions.

The final payload, delivered in Stage 4, includes a powerful EDR killer that loads two kernel-level drivers: rwdrv.sys, a renamed legitimate driver exploited to read/write physical memory and manipulate kernel structures, and hlpdrv.sys, which terminates protected EDR processes. The malware iterates through a hardcoded list of over 300 EDR drivers, unregistering monitoring callbacks for process, thread, and image-loading events at the kernel level. It also temporarily disables Code Integrity enforcement by overwriting the CiValidateImageHeader callback, ensuring ransomware execution with minimal forensic traces before restoring the original state.

Researchers emphasize that while many techniques used by Qilin are not entirely novel, they remain highly effective against unprepared defenses. Organizations should actively monitor for suspicious DLL sideloading, unexpected driver installations (rwdrv.sys, hlpdrv.sys), and unauthorized physical memory writes from user-mode processes. Reliance on a single security solution is insufficient, as sophisticated ransomware operations like Qilin are explicitly engineered to neutralize common defensive layers, highlighting the need for multi-layered, behavior-focused security strategies.

Impact

  • Security Bypass
  • Gain Access

Indicators of Compromise


Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Track unexpected DLL loads, especially msimg32.dll or other critical system libraries being loaded by third-party applications like FoxitPDFReader.exe.
  • Watch for installations or loading of unusual drivers, particularly rwdrv.sys and hlpdrv.sys.
  • Verify digital signatures and origin of all kernel-level drivers before allowing execution.
  • Detect attempts by user-mode processes to manipulate kernel memory or system callbacks.
  • Use kernel integrity monitoring solutions to prevent unauthorized memory access.
  • Ensure multi-layered defenses are in place—do not rely on a single EDR product.
  • Configure EDR to alert on attempts to unregister callbacks for process creation, thread creation, and image-loading events.
  • Enforce Code Integrity and monitor for modifications to the CiValidateImageHeader callback.
  • Implement secure boot and memory protection features to reduce tampering risks.
  • Enable detection for SEH/VEH obfuscation, ETW suppression, and syscall bypass attempts.
  • Track unusual process crashes or anti-debugging behaviors indicative of malware execution.
  • Review if any malware variants implement locale restrictions; maintain visibility even for systems in excluded regions.
  • Keep all software, including third-party apps, updated to reduce DLL sideloading attack surfaces.
  • Maintain backups offline and ensure a tested recovery plan is in place for ransomware events.
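As an added example (not code from the advisory or its source research), the following Python sketches the two detections the Remediation items describe: msimg32.dll resolved from outside the Windows system directories, and the rwdrv.sys / hlpdrv.sys drivers or any driver loaded from a non-standard path. It runs over constructed Sysmon-style events; the field names and sample paths are assumptions.

```python
"""Detection logic for two Qilin tell-tales named in the advisory:
msimg32.dll sideloaded from outside the system directories, and the
rwdrv.sys / hlpdrv.sys EDR-killer drivers being loaded. Events use
Sysmon-style field names (EventID 7 = image load, 6 = driver load);
the sample events below are constructed for this example."""
from __future__ import annotations
from pathlib import PureWindowsPath

SIDELOAD_DLLS = {"msimg32.dll"}               # system DLLs abused for sideloading
KILLER_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}  # driver names from the advisory
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def check_event(ev: dict) -> list[str]:
    """Return findings for one event; an empty list means nothing matched."""
    findings = []
    loaded = ev.get("ImageLoaded", "")
    low = loaded.lower()
    name = PureWindowsPath(low).name
    if ev.get("EventID") == 7 and name in SIDELOAD_DLLS and not low.startswith(SYSTEM_DIRS):
        # A system DLL resolved beside the EXE instead of in System32: sideload pattern
        findings.append(f"sideload: {ev.get('Image')} loaded {name} from {loaded}")
    elif ev.get("EventID") == 6:
        if name in KILLER_DRIVERS:
            findings.append(f"EDR-killer driver loaded: {loaded}")
        elif not low.startswith(DRIVER_DIR):
            # Renamed drivers defeat name matching; load path is the second signal
            findings.append(f"driver loaded from non-standard path: {loaded}")
    return findings


def scan(events: list[dict]) -> list[str]:
    """Run check_event over a batch of events and collect all findings."""
    return [f for ev in events for f in check_event(ev)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real IOCs
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\FoxitPDFReader.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\msimg32.dll"},
    {"EventID": 7, "Image": "C:\\Program Files\\Foxit\\FoxitPDFReader.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msimg32.dll"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\rwdrv.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\ProgramData\\svc\\mon.sys"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Because the advisory notes rwdrv.sys is a renamed legitimate driver, pair the name match with file-hash matching against your blocklist when the log source carries hashes.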