Qilin: Infection Chain with EDR Disabling Module

Summary: Cisco Talos examines an msimg32.dll-based module used in Qilin campaigns that is capable of neutralizing up to 300 different EDR solutions from various vendors.

Cisco Talos analyzed a malicious mechanism based on msimg32.dll used in ransomware attacks by Qilin and capable of disabling up to 300 Endpoint Detection and Response (EDR) solutions. The technique is part of a multistage infection chain designed to neutralize defenses before the attack progresses.

The first stage is a PE loader that prepares the environment and decrypts a secondary payload entirely in memory, leaving little on disk for local tools to inspect. It then loads two auxiliary drivers: rwdrv.sys, for accessing physical system memory, and hlpdrv.sys, for terminating security processes.

The analysis also describes advanced evasion techniques such as structured and vectored exception handling (SEH/VEH) and kernel object manipulation. Taken together, the case reflects a level of sophistication specifically aimed at degrading EDR response capabilities before the final ransomware deployment.
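One defensive way to surface the "load helper drivers, then terminate the agent" sequence described above is to correlate driver-load and process-termination telemetry per host. The block below is an added example, not code from the Talos report: it runs over constructed Sysmon-style events (Event ID 6 DriverLoad, Event ID 5 ProcessTerminate). Only the driver file names come from the report; the paths, host names, agent process names and time window are constructed placeholders.

```python
from datetime import datetime, timedelta

# Driver file names taken from the report. Everything else below (paths,
# hosts, agent process names, window) is a constructed placeholder.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
PROTECTED_PROCESSES = {"edr_agent.exe", "sensor_svc.exe"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed events modelled on Sysmon Event ID 6 (DriverLoad) and
# Event ID 5 (ProcessTerminate); field names are simplified.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "ws01", "id": 6,
     "image": "C:\\Windows\\System32\\drivers\\disk.sys"},
    {"ts": "2024-01-01T10:00:05", "host": "ws01", "id": 6,
     "image": "C:\\Users\\Public\\rwdrv.sys"},
    {"ts": "2024-01-01T10:00:07", "host": "ws01", "id": 6,
     "image": "C:\\Users\\Public\\hlpdrv.sys"},
    {"ts": "2024-01-01T10:00:20", "host": "ws01", "id": 5,
     "image": "C:\\Program Files\\EDR\\edr_agent.exe"},
    # Agent restart on another host with no preceding driver load: benign.
    {"ts": "2024-01-01T11:30:00", "host": "ws02", "id": 5,
     "image": "C:\\Program Files\\EDR\\edr_agent.exe"},
]


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _is_suspicious_load(e):
    """A named helper driver, or any driver loaded from outside the system
    drivers directory (a loader that stages its own drivers does this)."""
    return e["id"] == 6 and (_name(e["image"]) in SUSPECT_DRIVERS
                             or not e["image"].lower().startswith(SYSTEM_DRIVER_DIR))


def suspicious_driver_loads(events):
    return [(e["host"], _name(e["image"])) for e in events if _is_suspicious_load(e)]


def correlate_kills(events, window=timedelta(seconds=120)):
    """Pair each suspicious driver load with terminations of protected
    processes on the same host within `window` after the load."""
    alerts = []
    kills = [e for e in events if e["id"] == 5 and _name(e["image"]) in PROTECTED_PROCESSES]
    for load in filter(_is_suspicious_load, events):
        t0 = datetime.fromisoformat(load["ts"])
        for kill in kills:
            delta = datetime.fromisoformat(kill["ts"]) - t0
            if kill["host"] == load["host"] and timedelta(0) <= delta <= window:
                alerts.append((load["host"], _name(load["image"]), _name(kill["image"])))
    return alerts
```

A detection of this shape is only as good as the telemetry that survives; an agent that is killed before it forwards Event ID 5 is exactly why the driver-load event should alert on its own.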

Key facts

  • The analyzed mechanism can disable up to 300 EDR solutions.
  • The infection chain is multistage and includes a payload executed entirely in memory.
  • The malware uses evasion techniques such as SEH and VEH to hinder detection.

Why it matters

Shows how ransomware families are investing in specialized capabilities to blind defensive tools before encryption or lateral movement takes place.