Cybersecurity researchers have identified a sophisticated shift in the tactics of the Qilin and Warlock ransomware operations during the first half of 2026. By leveraging “Bring Your Own Vulnerable Driver” (BYOVD) strategies, these threat actors are systematically neutralizing endpoint detection and response (EDR) solutions before initiating data encryption. This trend highlights a growing conflict within the system kernel, where legitimate but flawed drivers are repurposed as weapons to blind enterprise security teams.
Qilin’s Multi-Stage Driver Suppression
Analysis from Cisco Talos and Trend Micro indicates that Qilin has adopted a complex infection chain involving a malicious DLL named “msimg32.dll.” This file is typically deployed via side-loading and serves as a gateway for an encrypted “EDR killer” payload. Once the payload is decrypted and executed entirely in the system’s memory, the malware utilizes renamed versions of known vulnerable drivers—such as a version of “ThrottleStop.sys”—to gain low-level hardware access. This allows the attackers to unregister monitoring callbacks and terminate more than 300 different security drivers from nearly every major vendor.
Warlock Group Targets Kernel Integrity
Simultaneously, the Warlock ransomware group, also known as Water Manaul, has been observed exploiting unpatched Microsoft SharePoint servers to gain initial entry into corporate networks. Their recent campaigns demonstrate a refined focus on persistence and lateral movement. A key component of their current arsenal is the “NSecKrnl.sys” driver, which replaces previously identified drivers to terminate security products at the kernel level. This rotation of exploited drivers suggests a calculated effort to evade existing driver blocklists and detection signatures.
Operational Latency and Diverse Toolsets
Research into Qilin’s operational patterns reveals a notable dwell time, with encryption often occurring approximately six days after the initial breach. This window allows attackers to focus on expanding their control and exfiltrating sensitive data while the host’s defenses are silenced. Warlock’s intrusions throughout early 2026 have also showcased a diverse set of utilities for maintaining control:
- Velociraptor for command-and-control (C2) operations.
- PsExec and RDP Patcher to facilitate lateral movement across the internal network.
- Yuze and Cloudflare Tunnels to establish covert reverse proxies for C2 communication.
- Rclone for the systematic exfiltration of data to attacker-controlled cloud storage.
Conclusion
The rise of BYOVD techniques used by Qilin and Warlock signifies a critical need for organizations to implement more robust kernel-mode protections. Fending off these threats requires strict driver governance, including the enforcement of allow-lists for signed drivers from trusted publishers and the continuous monitoring of driver installation events. As ransomware groups refine their ability to dismantle security infrastructure from the inside out, proactive visibility and rapid response during the initial dwell period remain the most effective defenses.
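The driver-governance controls described above (hash-based blocklisting that survives the file renaming noted in the Qilin section, plus an allow-list of trusted signing publishers applied to driver-load telemetry) can be expressed as a small triage routine. The following Python is an added example for this article, not code from the researchers or vendors it cites; the log format, the hashes and the publisher names are constructed placeholders, not real indicators.

```python
"""Triage kernel driver-load events against a hash blocklist and a publisher allow-list.

Constructed example: every hash, path, signer name and log line below is an
illustrative placeholder, not a real indicator of compromise.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Placeholder blocklist keyed by SHA-256 rather than file name, so a renamed copy
# of a known-vulnerable driver is still matched. Hashes are constructed, not real.
KNOWN_VULNERABLE_DRIVERS = {
    "11" * 32: "ThrottleStop.sys",  # placeholder hash, not the real file hash
    "22" * 32: "NSecKrnl.sys",      # placeholder hash, not the real file hash
}

# Placeholder allow-list of signing publishers whose drivers are expected on the estate.
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Example Hardware Vendor"}


@dataclass
class DriverLoad:
    image_path: str
    sha256: str
    signer: Optional[str]  # None when the image carries no signature


def classify_driver_load(event: DriverLoad) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts are 'block', 'alert' or 'allow'.

    The hash check runs before the signer check on purpose: BYOVD drivers are
    legitimately signed, so a valid signature must not override the blocklist.
    """
    file_name = event.image_path.rsplit("\\", 1)[-1].lower()
    known_name = KNOWN_VULNERABLE_DRIVERS.get(event.sha256.lower())
    if known_name is not None:
        if file_name != known_name.lower():
            return "block", f"known-vulnerable driver {known_name} loaded under renamed file {file_name}"
        return "block", f"known-vulnerable driver {known_name}"
    if event.signer is None:
        return "alert", "unsigned driver"
    if event.signer not in TRUSTED_PUBLISHERS:
        return "alert", f"driver signed by publisher not on allow-list: {event.signer}"
    return "allow", "signed by allow-listed publisher"


def parse_event_line(line: str) -> DriverLoad:
    """Parse one constructed 'key=value|key=value' driver-load telemetry line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    signer = fields.get("signer") or None  # empty signer field means unsigned
    return DriverLoad(fields["image"], fields["sha256"], signer)


# Constructed sample telemetry: a normal Microsoft driver, a renamed copy of a
# blocklisted driver with a valid vendor signature, and an unsigned blocklisted driver.
SAMPLE_LOG = """\
image=C:\\Windows\\System32\\drivers\\tcpip.sys|sha256={ms}|signer=Microsoft Windows
image=C:\\Temp\\hw_monitor.sys|sha256={ts}|signer=Example Hardware Vendor
image=C:\\ProgramData\\svc\\NSecKrnl.sys|sha256={ns}|signer=
""".format(ms="33" * 32, ts="11" * 32, ns="22" * 32)


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Classify every non-empty line and return (image_path, verdict, reason) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event_line(line)
        verdict, reason = classify_driver_load(event)
        results.append((event.image_path, verdict, reason))
    return results


if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE_LOG):
        print(f"{verdict.upper():5} {path}: {reason}")
```

The second sample line is the case the article's Qilin analysis describes: a blocklisted driver copied under an unrelated name and still carrying a valid publisher signature. Matching on hash first is what catches it; a name-only blocklist or a signer-only allow-list would pass it through.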