Qilin and Warlock BYOVD Attack: Detecting msimg32.dll and EDR Bypass

The "blind spot" in modern endpoint defense has just widened. Recent intelligence from Cisco Talos and Trend Micro confirms that threat actors behind Qilin and Warlock ransomware operations are actively weaponizing the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically disable over 300 EDR and security tools.

This is not a theoretical Proof of Concept (PoC); it is active, in-the-wild exploitation targeting the kernel trust boundary. By loading signed but vulnerable drivers, attackers are gaining kernel-mode privileges to force-kill security processes and unload defenses, paving the way for encryption without detection. In the Qilin variant analyzed, researchers observed the deployment of a malicious DLL named msimg32.dll—a critical indicator of compromise (IoC) that security teams must hunt for immediately.

Technical Analysis

The Attack Chain

The attackers are utilizing a two-stage approach to bypass the "ring 0" (kernel) vs "ring 3" (user) protection model:

Payload Deployment (User Mode): The Qilin ransomware operation drops a malicious file named msimg32.dll. While this DLL name mimics a legitimate Windows GDI component, in this context, it is used as a loader or side-loading component to facilitate the next stage.
Driver Loading (Kernel Mode): The actors employ the BYOVD technique, bringing a legitimate, signed driver (often associated with tools like cheats, benchmarking utilities, or outdated hardware drivers) that contains a known vulnerability (e.g., arbitrary read/write or IOCTL abuse).
Defense Evasion: Once the vulnerable driver is loaded, the malware communicates with it to leverage its kernel privileges. This allows the ransomware to terminate protected processes and unload the drivers of antivirus and EDR solutions—effectively blinding the organization before the encryption phase begins.

Affected Components & Risk

Technique: Bring Your Own Vulnerable Driver (BYOVD).
Specific Payload: msimg32.dll (Qilin variant).
Scope: Capable of bypassing more than 300 EDR/AV solutions.
Platform: Windows environments where HVCI (Hypervisor-Protected Code Integrity) is not strictly enforced or driver allow-listing is absent.

Detection & Response

Sigma Rules

The following Sigma rules focus on the specific msimg32.dll artifact associated with Qilin and the general behavior of loading known vulnerable drivers commonly abused in BYOVD attacks.

YAML

---
title: Suspicious msimg32.dll Creation Outside System32
id: 8a4f2b1c-9d3e-4f5a-8b2c-1d3e4f5a6b7c
status: experimental
description: Detects the creation of msimg32.dll outside of the legitimate Windows System32 directory, associated with Qilin ransomware side-loading activity.
references:
  - https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.defense_evasion
  - attack.t1574.001
logsource:
  category: file_creation
  product: windows
detection:
  selection:
    TargetFilename|contains: '\\msimg32.dll'
  filter:
    TargetFilename|startswith: 'C:\\Windows\\System32\\'
  condition: selection and not filter
falsepositives:
  - Rare legitimate software installs that bundle local DLLs (unusual for msimg32)
level: high
---
title: Load of Known Vulnerable BYOVD Drivers
id: 9b5g3c2d-0e4f-5g6h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects the loading of drivers frequently abused in BYOVD attacks to disable EDR solutions. Matches signed but vulnerable drivers.
references:
  - https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: driver_load
  product: windows
detection:
  selection:
    Signed|contains:
      - 'ASUSTeK Computer Inc.'
      - 'Micro-Star International'
      - 'GIGABYTE'
      - 'AVERMEDIA TECHNOLOGY, INC.'
      - 'Intel(R) Corporation' # Specific vulnerable versions often targeted
    Hashes|contains:
      # Example partial hashes or file names known to be vulnerable
      - 'RTCore64.sys'
      - 'dbutil_2_3.sys'
      - 'capcom.sys'
      - 'mhyprot2.sys'
  condition: selection
falsepositives:
  - Legitimate installation of hardware utilities or gaming software
level: medium
---
title: Potential EDR Process Termination via Taskkill or PowerShell
id: 1c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects attempts to terminate common EDR/AV process names, often seen in BYOVD and ransomware operations after driver load.
references:
  - https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.impact
  - attack.t1489
logsource:
  category: process_creation
  product: windows
detection:
  selection_kill:
    CommandLine|contains:
      - 'taskkill /F /IM'
      - 'Stop-Process -Force'
  selection_target:
    CommandLine|contains:
      - 'MsMpEng.exe'
      - 'csagent.exe'
      - 'sophosui.exe'
      - 'edragent.exe'
      - 'wrsa.exe'
  condition: all of selection_*
falsepositives:
  - Administrators manually troubleshooting security software
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for the specific Qilin artifact (msimg32.dll) loading in suspicious contexts and correlates it with process execution.

KQL — Microsoft Sentinel / Defender

// Hunt for msimg32.dll loading outside System32 context
DeviceImageLoadEvents
| where FileName =~ "msimg32.dll"
| where FolderPath !startswith @"C:\Windows\System32\"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, SHA256, FolderPath
| join kind=inner (DeviceProcessEvents) on $left.InitiatingProcessCommandLine == $right.CommandLine
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ImagePath, DllPath=FolderPath, DllHash=SHA256

Velociraptor VQL

Use this artifact to hunt for the presence of the malicious msimg32.dll on disk and check for known vulnerable drivers currently loaded in kernel memory.

VQL — Velociraptor

-- Hunt for suspicious msimg32.dll files on disk
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="C:\Users\**\msimg32.dll")
WHERE FullPath NOT =~ "C:\\Windows\\System32\\msimg32.dll"

-- Enumerate loaded drivers looking for common BYOVD targets
SELECT Name, Description, Company, Filename
FROM drivers()
WHERE Filename =~ "RTCore64.sys"
   OR Filename =~ "dbutil_2_3.sys"
   OR Filename =~ "capcom.sys"
   OR Filename =~ "mhyprot2.sys"

Remediation Script (PowerShell)

This script performs a forensic sweep for the msimg32.dll artifact in user directories and verifies the status of HVCI, the primary defense against BYOVD.

PowerShell

# Security Arsenal - Qilin/Warlock BYOVD Response Script

Write-Host "[*] Initiating sweep for msimg32.dll artifacts..." -ForegroundColor Cyan

# Hunt for msimg32.dll outside System32
$paths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")
$artifacts = foreach ($path in $paths) {
    Get-ChildItem -Path $path -Filter "msimg32.dll" -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { $_.FullName -notlike "*Windows\System32*" }
}

if ($artifacts) {
    Write-Host "[!] ALERT: Malicious msimg32.dll found!" -ForegroundColor Red
    $artifacts | Format-List FullName, Length, LastWriteTime
    # Optional: Remove-Item $_.FullName -Force (Manual verification required)
} else {
    Write-Host "[+] No suspicious msimg32.dll found in user directories." -ForegroundColor Green
}

# Check HVCI Status (Defends against BYOVD)
Write-Host "[*] Checking Hypervisor-Protected Code Integrity (HVCI) status..." -ForegroundColor Cyan
try {
    $ci = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $vbsEnabled = $ci.SecurityServicesConfigured -band 1
    $hvciEnabled = $ci.SecurityServicesConfigured -band 2
    
    if ($hvciEnabled) {
        Write-Host "[+] HVCI is ENABLED (Memory Integrity is ON)." -ForegroundColor Green
        Write-Host "    This is the strongest defense against BYOVD attacks." -ForegroundColor Gray
    } else {
        Write-Host "[!] WARNING: HVCI is DISABLED. Your environment is vulnerable to BYOVD." -ForegroundColor Red
        Write-Host "    Action Required: Enable Memory Integrity in Windows Security Center." -ForegroundColor Yellow
    }
} catch {
    Write-Host "[!] Could not determine Device Guard status." -ForegroundColor Yellow
}

Write-Host "[*] Response Script Complete." -ForegroundColor Cyan

Remediation

To neutralize the threat posed by Qilin and Warlock’s BYOVD tactics, security teams must move beyond standard signature-based detection and implement kernel-hardening controls:

Enable Memory Integrity (HVCI): This is the single most effective mitigation for BYOVD. Ensure Hypervisor-Protected Code Integrity is enabled across all Windows endpoints (Windows Security > Device Security > Core isolation details). This blocks the loading of known vulnerable drivers.
Apply Microsoft Vulnerable Driver Blocklist: Ensure the "Reputation-based protection" and the Microsoft vulnerable driver blocklist are enforced via Intune or Group Policy. This actively prevents the loading of the specific drivers abused by these ransomware groups.
Scan for msimg32.dll: Use the PowerShell script above or your EDR’s custom hunt capability to locate any instance of msimg32.dll outside of C:\Windows\System32. Investigate the creation source and isolate the host immediately.
Driver Allow-Listing: Implement a strict policy where only WHQL-signed drivers necessary for operations are permitted. Consider using Application Control (WDAC) policies to explicitly deny specific vulnerable drivers (e.g., RTCore64.sys, dbutil_2_3.sys).
Review Process Termination Logs: Investigate any logs showing unexpected termination of EDR or AV processes, which is a precursor to the encryption phase.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub