Back to Intelligence

Intel: BYOVD Ransomware (Qilin/Warlock) & Storm-1175 Rapid Attacks — April 2026

SA
Security Arsenal Team
April 13, 2026
6 min read

Date: 2026-04-14
Source Channels: @TheHackerNews, @RedPacketSecurity
Intel Type: Technical TTPs & Victim Claims

Threat Summary

Current intelligence indicates a convergence of sophisticated defense evasion tactics and aggressive operational tempo among ransomware groups. The most critical signal is the adoption of Bring Your Own Vulnerable Driver (BYOVD) techniques by Qilin and Warlock ransomware operators to completely disable EDR solutions prior to encryption. This occurs alongside confirmed activity by the China-linked Storm-1175 actor, which is actively exploiting zero-day and known vulnerabilities to deploy ransomware in under 72 hours against critical infrastructure. Meanwhile, minor factions (Lynx, Lamashtu) continue to claim victims in the hospitality and contractor sectors, suggesting a broad, high-volume threat landscape.

Attack Objectives & Target Profile

  • Objective: Deployment of ransomware following successful defense evasion (EDR kill) and lateral movement.
  • Primary Targets: Healthcare and Finance (Storm-1175); Organizations with exposed SharePoint instances (Warlock); General enterprises (Qilin, Lynx, Lamashtu).

Raw Intelligence Analysis

Post IDSourceAnalysis & Significance
Post 1@TheHackerNewsHigh Confidence. Attributes rapid ransomware deployment (<72h dwell time) to Storm-1175. The use of "trusted tools" suggests heavy reliance on Living-off-the-Land (LotL) binaries to evade signature-based detection after exploiting zero-days. The targeting of healthcare/finance implies high impact potential.
Post 2@TheHackerNewsHigh Confidence. Confirms Qilin and Warlock are utilizing BYOVD. Qilin side-loads DLLs to load vulnerable kernel drivers that terminate 300+ EDR drivers. Warlock exploits SharePoint for entry and uses similar kernel-level bypasses. This signifies a maturation of ransomware tradecraft where AV bypass is now the primary initial access hurdle.
Post 3@RedPacketSecurityClaim Verification. Lynx Ransomware claims victim cwwcontractors[.]com (Contractor sector). Verifies Lynx is active and likely utilizing standard RaaS affiliate models.
Post 4@RedPacketSecurityClaim Verification. Lamashtu Ransomware claims victim International Assistance Sdn.
Post 5@RedPacketSecurityClaim Verification. Lamashtu Ransomware claims victim involving ClientSolution EFO Service Srl, Logitech Srl Safety. Indicates targeting of logistics and service providers.
Post 6@RedPacketSecurityClaim Verification. Lamashtu Ransomware claims victim The Seacare Hotel. Hospitality sector targeting confirmed.

Threat Actor / Tool Profile

Qilin & Warlock (RaaS)

  • Tactics (BYOVD): Both families utilize a two-stage process to bypass kernel-mode protections. They drop a legitimate, signed, yet vulnerable kernel driver (e.g., RTCore64, or similar exploited drivers) and use it to exploit a CVE that allows arbitrary code execution in ring 0.
  • Payload Behavior: Once loaded, the malicious driver identifies the memory address of the target EDR/AV driver's callback functions and patches them or nullifies them, effectively "killing" the protection.
  • Warlock Specific: Initial access via SharePoint exploitation (likely CVE-2023-2936 or similar deserialization flaws).

Storm-1175 (Nation-State Affiliate)

  • Operational Tempo: Extremely fast (<72 hours from breach to ransom).
  • Methodology: "Chaining" zero-days with known flaws (vulnerability chaining). Uses legitimate administration tools ("trusted tools") for C2 and lateral movement to blend in with traffic.

Detection Engineering

Sigma Rules

YAML
---
title: Potential BYOVD EDR Bypass via Vulnerable Driver Load
id: 98765432-1234-5678-1234-567812345678
description: Detects the loading of known vulnerable drivers often used in BYOVD attacks to disable security solutions.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
    - https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html
tags:
    - attack.defense_evasion
    - attack.t1068
logsource:
    product: windows
    definition: 'Sysmon must be configured with Driver Load logging enabled (Event ID 6).'
detection:
    selection:
        EventID: 6
        ImageLoaded|contains:
            - 'RTCore64.sys'
            - 'dbutil_2_3.sys'
            - 'Capcom.sys'
            - 'AsIO.sys'
            - 'mhyprot2.sys'
    condition: selection
falsepositives:
    - Legitimate use of these drivers by specific hardware tools (rare in enterprise servers)
level: critical
---
title: Suspicious Process Termination of EDR Processes
id: abcdefgh-1234-5678-1234-567812345678
description: Detects attempts to terminate common EDR/AV processes, often seen in Qilin and Warlock attacks after BYOVD execution.
status: experimental
date: 2026/04/14
author: Security Arsenal
tags:
    - attack.defense_evasion
    - attack.t1561.002
logsource:
    product: windows
    category: process_termination
detection:
    selection:
        TargetProcess|contains:
            - 'msmpeng.exe' # Windows Defender
            - 'cb.exe' # Carbon Black
            - 'sentinelone' # SentinelOne
            - 'tamperprotect'
            - 'savui' # Sophos
    filter_legit:
        SourceProcess|contains:
            - 'C:\\Program Files'
            - 'C:\\Windows\\System32\\svchost.exe'
    condition: selection and not filter_legit
level: high
---
title: SharePoint Web Shell Creation via Suspicious File Extension
id: 11111111-2222-3333-4444-555555555555
description: Detects the creation of ASPX files with suspicious naming patterns in SharePoint directories, indicative of Warlock initial access.
status: experimental
date: 2026/04/14
author: Security Arsenal
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: windows
    category: file_create
detection:
    selection_path:
        TargetFilename|contains:
            - 'C:\\inetpub\\wwwroot\\wss'
            - '\\\\\\\\\\\inetpub\\wwwroot'
    selection_extension:
        TargetFilename|endswith:
            - '.aspx'
            - '.ashx'
    selection_keywords:
        TargetFilename|contains:
            - 'shell'
            - 'upload'
            - 'eval'
            - 'test'
    condition: all of selection_
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for BYOVD Driver Loads and Subsequent EDR Tampering
let VulnerableDrivers = dynamic(["RTCore64.sys", "dbutil_2_3.sys", "Capcom.sys", "AsIO.sys", "mhyprot2.sys"]);
DeviceProcessEvents
| where Timestamp > ago(3d)
| where FileName in~ ("cmd.exe", "powershell.exe", "rundll32.exe")
| where ProcessCommandLine has_any ("-sc", "start", "load") 
| join kind=inner (DeviceEvents 
    | where ActionType == "DriverLoad" 
    | where FileName in~ (VulnerableDrivers)
    ) on DeviceId
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AdditionalFields
| order by Timestamp desc

PowerShell (IOC Hunt)

PowerShell
<#
.SYNOPSIS
    Checks for loaded drivers associated with BYOVD EDR bypass techniques.
.DESCRIPTION
    This script enumerates currently loaded kernel drivers and checks the signatures
    and filenames against a known list of vulnerable drivers abused by Qilin/Warlock.
#>

$VulnerableSignatures = @(
    "ASUSTeK Computer Inc.",
    "GIGABYTE TECHNOLOGY CO., LTD.",
    "Micro-Star International Co., Ltd.",
    "ASIX Electronics Corporation",
    "Capcom Co., Ltd."
)

$VulnerableFiles = @(
    "RTCore64.sys", 
    "dbutil_2_3.sys", 
    "Capcom.sys", 
    "AsIO.sys", 
    "mhyprot2.sys"
)

Write-Host "[+] Scanning for potentially vulnerable BYOVD drivers..." -ForegroundColor Yellow

Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq "Running" } | ForEach-Object {
    $DriverName = $_.DisplayName
    $Path = $_.PathName
    $Signer = (Get-AuthenticodeSignature $Path -ErrorAction SilentlyContinue).SignerCertificate.Subject
    
    if ($VulnerableFiles -contains (Split-Path $Path -Leaf)) {
        Write-Host "[!] SUSPICIOUS FILE FOUND: $Path" -ForegroundColor Red
        Write-Host "    Signer: $Signer" -ForegroundColor Red
    }
    elseif ($Signer -and ($VulnerableSignatures | Where-Object { $Signer -match $_ })) {
        Write-Host "[!] SUSPICIOUS SIGNER FOUND: $Path signed by $Signer" -ForegroundColor Red
    }
}

Write-Host "[+] Scan complete." -ForegroundColor Green


---

Response Priorities

Immediate (0–4 hours)

  1. Patch SharePoint: Warlock is actively exploiting SharePoint flaws. Apply the latest security patches immediately.
  2. Driver Blocklist: Implement Microsoft ASR rules or GPolicies to block known vulnerable drivers (e.g., RTCore64.sys).
  3. Check Access: Review recent IIS/SharePoint logs for suspicious POST requests or file uploads.

Same-day (4–24 hours)

  1. EDR Log Audit: Query EDR logs for "Driver Load" events matching the vulnerable list. Investigate the parent process immediately.
  2. Hunt for LOLBins: Storm-1175 uses trusted tools. Hunt for unusual powershell.exe or wmic.exe chains originating from non-admin accounts.
  3. Isolate Victims: Check if cwwcontractors[.]com or other listed victims have any supply-chain relationship or shared credentials with your organization.

This Week

  1. Zero-Day Assessment: Verify patch levels for software vulnerable to the "zero-day" mentions associated with Storm-1175 (prioritize VPNs and Edge devices).
  2. Purple Team: Test your ability to detect kernel-level driver manipulation and EDR tampering.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebtelegram-inteldarkweb-ransomwareransomwarebyovdstorm-1175qilin-ransomwareedr-bypass

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action