Security researchers have identified the Qilin and Warlock ransomware groups using the bring-your-own-vulnerable-driver (BYOVD) technique to disable endpoint defense software on infected systems. By deploying a purpose-built malicious file that loads vulnerable kernel drivers, these attackers can terminate over 300 different security processes so that their ransomware runs undetected.
Recent investigations by Cisco Talos and Trend Micro reveal that Qilin ransomware now employs a multi-stage infection chain that begins with a side-loaded malicious file used to bypass initial security checks. This file prepares the environment by neutralizing common monitoring tools and hiding its activity from the operating system. By suppressing event logs and concealing how it interacts with the system, the malware can run its primary payload entirely in memory and avoid leaving artifacts on disk.
The core of this attack relies on two specific drivers that the malware brings onto the system to manipulate the Windows kernel. The first driver acts as a gateway to the system's physical memory, while the second driver is tasked with the direct termination of defensive software. These specific tools are not unique to Qilin, as they have previously been observed in similar attacks linked to other prominent ransomware operations like Akira and Makop.
Before the malware begins shutting down security tools, it performs a sophisticated maneuver to unregister the monitoring callbacks used by endpoint detection and response solutions. This proactive step prevents the security software from noticing or blocking the termination commands, essentially blinding the system’s defenses before they can react. This method highlights a significant shift toward more advanced kernel-level interference that renders standard security features ineffective.
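From a detection standpoint, the behaviour described above leaves a recognisable pattern in host telemetry: a driver load from an unusual location or with a known-vulnerable hash, followed within minutes by a burst of security-process terminations. The following Python script is an added example (not code from Talos, Trend Micro, or any ransomware sample) that correlates Sysmon DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) records to surface that pattern. All events are constructed inline, the blocklist hash is a placeholder rather than a real driver hash, and the burst threshold and time window are assumed tuning values.

```python
"""Flag BYOVD-style activity in Sysmon telemetry.

Added illustration; not code from the researchers or the malware described.
All sample events are constructed and the blocklist hash is a placeholder.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Placeholder standing in for an entry from an organisation's own
# vulnerable-driver blocklist (constructed value, not a real driver hash).
BLOCKLISTED_SHA256 = {"00" * 32}

# Directories a properly installed driver is not expected to load from.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Assumed tuning: the real attack kills 300+ processes, so a lower
# threshold still catches it while tolerating normal churn.
TERMINATE_BURST = 20
WINDOW = timedelta(minutes=5)


def _local(tag):
    """Strip the XML namespace Sysmon puts on every element."""
    return tag.rsplit("}", 1)[-1]


def parse_event(xml_text):
    """Return (event_id, utc_time, {field: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id, data = None, {}
    for el in root.iter():
        name = _local(el.tag)
        if name == "EventID":
            event_id = int(el.text)
        elif name == "Data" and "Name" in el.attrib:
            data[el.attrib["Name"]] = (el.text or "").strip()
    ts = datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return event_id, ts, data


def sha256_of(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def analyze(events):
    """Return one finding per driver load that looks like a BYOVD EDR killer."""
    parsed = sorted((parse_event(e) for e in events), key=lambda t: t[1])
    terminations = [ts for eid, ts, _ in parsed if eid == 5]
    findings = []
    for eid, ts, d in parsed:
        if eid != 6:
            continue
        reasons = []
        path = d.get("ImageLoaded", "")
        if sha256_of(d.get("Hashes", "")) in BLOCKLISTED_SHA256:
            reasons.append("hash on vulnerable-driver blocklist")
        if any(s in path.lower() for s in SUSPICIOUS_DIRS):
            reasons.append("driver loaded from user-writable path")
        if d.get("SignatureStatus", "") != "Valid":
            reasons.append("signature not valid")
        # BYOVD drivers are usually validly signed, so the burst of
        # terminations right after the load is the strongest signal.
        burst = sum(1 for t in terminations if ts <= t <= ts + WINDOW)
        if burst >= TERMINATE_BURST:
            reasons.append(f"{burst} process terminations within {WINDOW} of load")
        if reasons:
            findings.append({"time": ts, "driver": path, "reasons": reasons})
    return findings


def _sysmon(event_id, fields):
    """Build a minimal Sysmon-shaped XML event (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample: one benign driver load, one suspicious load, then a
# burst of 25 terminations of (fictional) security agent processes.
SAMPLE_EVENTS = [
    _sysmon(6, {"UtcTime": "2025-10-01 09:00:00.000",
                "ImageLoaded": "C:\\Windows\\System32\\drivers\\example_ok.sys",
                "Hashes": "SHA256=" + "11" * 32, "Signed": "true",
                "Signature": "Example Vendor", "SignatureStatus": "Valid"}),
    _sysmon(6, {"UtcTime": "2025-10-01 09:10:00.000",
                "ImageLoaded": "C:\\Users\\Public\\example_vuln.sys",
                "Hashes": "SHA256=" + "00" * 32, "Signed": "true",
                "Signature": "Example Vendor", "SignatureStatus": "Valid"}),
] + [
    _sysmon(5, {"UtcTime": f"2025-10-01 09:10:{i:02d}.000",
                "ProcessId": str(1000 + i),
                "Image": f"C:\\Program Files\\ExampleAV\\agent{i}.exe"})
    for i in range(25)
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["time"], f["driver"], "; ".join(f["reasons"]))
```

Note that the legitimately signed but vulnerable driver passes the signature check, which is exactly why BYOVD works against controls that trust signed code; the hash lookup and the termination burst are what separate it from a routine driver install. On the prevention side, enabling Microsoft's vulnerable driver blocklist (enforced through HVCI or WDAC policy) stops many known abused drivers from loading at all.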
Statistical data shows that these tactical improvements have helped Qilin become one of the most prolific threats in the current landscape. The group has been responsible for a high volume of successful breaches globally, including a substantial portion of all reported ransomware incidents in Japan throughout 2025. This high success rate is directly attributed to their ability to systematically dismantle modern defensive protections on compromised hosts.
Because these attacks use legitimate but vulnerable drivers, they present a unique challenge for traditional antivirus programs that typically trust signed software. The malware's ability to evade detection while terminating hundreds of different security products makes it a particularly dangerous tool in the hands of modern threat actors. As Qilin continues to refine these techniques, the scale and impact of its operations are expected to remain a primary concern for cybersecurity professionals worldwide.
Source: https://blog.talosintelligence.com/qilin-edr-killer/