{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/qilin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Qilin Ransomware"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["qilin","edr-killer","ransomware","defense-evasion","windows"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Qilin ransomware group is actively deploying a sophisticated EDR killer as part of their attack chain. The initial stage involves a malicious \u0026ldquo;msimg32.dll\u0026rdquo; that is likely side-loaded by a legitimate application. This DLL version triggers its malicious logic from within its DllMain function, leading to immediate execution upon loading. The EDR killer employs advanced evasion techniques, including neutralizing user-mode hooks, suppressing Event Tracing for Windows (ETW) event generation, and utilizing structured exception handling (SEH) and vectored exception handling (VEH) to obfuscate control flow. Once active, the EDR killer component loads helper drivers to access physical memory and terminate EDR processes. This allows the malware to disable over 300 different EDR drivers across a wide range of vendors, hindering incident response and enabling further malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA legitimate application loads the malicious \u0026ldquo;msimg32.dll\u0026rdquo;, likely through DLL side-loading, triggering execution from within the DllMain function.\u003c/li\u003e\n\u003cli\u003eThe DLL allocates a heap buffer in process memory acting as a slot-policy table based on ntdll.dll\u0026rsquo;s OptionalHeader.SizeOfCode, dividing the code region into 16-byte slots.\u003c/li\u003e\n\u003cli\u003eThe malware iterates over the export table of \u0026ldquo;ntdll.dll\u0026rdquo; to resolve virtual addresses of syscall stubs, specifically targeting those starting with \u0026ldquo;Nt\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eBased on resolved addresses, the malware marks corresponding entries in the slot-policy table with default or special policies, specifically targeting NtTraceEvent, NtTraceControl, and NtAlpcSendWaitReceivePort.\u003c/li\u003e\n\u003cli\u003eThe malware dynamically resolves ntdll!LdrProtectMrdata and invokes it to change the protection of the .mrdata section to writable.\u003c/li\u003e\n\u003cli\u003eThe loader overwrites the dispatcher slot within the .mrdata section with its own custom exception handler to intercept and modify exception handling.\u003c/li\u003e\n\u003cli\u003eThe custom exception handler manages breakpoint exceptions (0xCC), potentially as an anti-emulation technique.\u003c/li\u003e\n\u003cli\u003eThe EDR killer component loads helper drivers, \u0026ldquo;rwdrv.sys\u0026rdquo; for physical memory access and \u0026ldquo;hlpdrv.sys\u0026rdquo; to terminate EDR processes, after unregistering monitoring callbacks to prevent interference.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of the Qilin EDR killer can disable over 300 different EDR drivers, severely impairing the ability of security teams to detect and respond to threats. This can lead to increased dwell time for ransomware and other malicious activities, resulting in significant data breaches, financial losses, and reputational damage. With telemetry collection disabled, defenders lose visibility into process, memory, and network activity, making it difficult to investigate and contain the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for DLLs loaded from non-standard locations, specifically \u0026ldquo;msimg32.dll,\u0026rdquo; using process creation logs to detect potential DLL side-loading attempts (rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided in this brief to detect the modification of exception handler dispatchers, which is a key component of the EDR killer\u0026rsquo;s evasion techniques.\u003c/li\u003e\n\u003cli\u003eMonitor for the loading of unsigned or untrusted drivers like \u0026ldquo;rwdrv.sys\u0026rdquo; and \u0026ldquo;hlpdrv.sys\u0026rdquo; using driver load events, as these are used to gain system privileges and terminate EDR processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed information about process execution, including command-line arguments and parent processes, to aid in the detection of malicious DLL loading.\u003c/li\u003e\n\u003cli\u003eAnalyze process memory for evidence of user-mode hooks being neutralized or ETW event generation being suppressed. This requires more advanced memory forensics capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T10:00:56Z","date_published":"2026-04-02T10:00:56Z","id":"/briefs/2026-04-qilin-edr-killer/","summary":"Qilin ransomware employs a malicious msimg32.dll in a multi-stage infection chain to disable endpoint detection and response (EDR) solutions by evading detection and terminating EDR processes.","title":"Qilin Ransomware EDR Killer Infection Chain","url":"https://feed.craftedsignal.io/briefs/2026-04-qilin-edr-killer/"}],"language":"en","title":"CraftedSignal Threat Feed — Qilin","version":"https://jsonfeed.org/version/1.1"}