
Qilin and Warlock Ransomware: BYOVD EDR Bypass via msimg32.dll — Detection and Hardening Guide

Security Arsenal Team
April 13, 2026

Recent intelligence from Cisco Talos and Trend Micro confirms that threat actors behind Qilin (formerly known as Agenda) and Warlock ransomware operations have escalated their attack chains. These groups are actively utilizing the Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize endpoint detection and response (EDR) solutions.

In the analyzed Qilin incidents, attackers deploy a malicious payload masquerading as the legitimate system library msimg32.dll. By loading a known, vulnerable driver (often signed but revoked) into kernel space, these actors gain the privileges required to terminate over 300 different security processes. For defenders, this represents a critical failure point: if the EDR is blind, the subsequent encryption phase is guaranteed.

Technical Analysis

The Threat Landscape

The Qilin and Warlock operations are distinct in their operational security but share a common tactical dependency on BYOVD to bypass user-mode security controls.

  • Affected Platforms: Windows-based environments (Server and Workstation).
  • Malicious Artifacts: A malicious DLL named msimg32.dll (typically associated with GDI+ rendering) is dropped and loaded to facilitate the attack chain.
  • Mechanism (BYOVD): The attack chain involves loading a legitimate, yet vulnerable, kernel-mode driver. Once loaded, the exploit code leverages a vulnerability within that driver to read/write kernel memory. This allows the attacker to forcefully terminate security agent processes (e.g., MsMpEng.exe, edsensor.exe, cb.exe) that are normally protected.

Attack Chain Breakdown

  1. Initial Access: Often via compromised credentials or phishing.
  2. Payload Execution: Execution of a dropper that writes the malicious msimg32.dll and a vulnerable driver file (e.g., RTCore64.sys, DBUtil_2_3.sys, or similar) to disk.
  3. Privilege Escalation: The vulnerable driver is loaded using fltMC.exe or sc.exe.
  4. EDR Neutralization: The exploit triggers the driver vulnerability to kill security processes and unload their kernel callbacks.
  5. Ransomware Deployment: With defenses disabled, the ransomware payload executes.

Exploitation Status: Confirmed active exploitation in the wild.

Detection & Response

Detection of BYOVD requires monitoring for two distinct vectors: the suspicious dropping of system DLLs in user-writable locations and the loading of known vulnerable drivers. The following rules and queries are designed to catch the specific indicators associated with the Qilin/Warlock campaigns and generic BYOVD behaviors.

SIGMA Rules

YAML
---
title: Suspicious msimg32.dll Creation in User Directories
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects the creation of msimg32.dll (a system GDI library) outside of System32, a tactic observed in Qilin ransomware attacks.
references:
 - https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html
author: Security Arsenal
date: 2026/04/08
tags:
 - attack.defense_evasion
 - attack.t1562.001
logsource:
 category: file_creation
 product: windows
detection:
 # The file name and the path test must be separate selections: repeating
 # the same key inside one YAML map is invalid and the second value wins.
 selection_name:
   TargetFilename|endswith: '\msimg32.dll'
 selection_path:
   TargetFilename|contains:
     - '\Users\'
     - '\ProgramData\'
     - '\Temp\'
 filter_legit:
   TargetFilename|contains: '\Windows\System32\'
 condition: all of selection_* and not filter_legit
falsepositives:
 - Legitimate application installers (rare)
level: high
---
title: Vulnerable Driver Load - Known BYOVD Signatures
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects the loading of drivers frequently used in BYOVD attacks to disable EDRs.
references:
 - https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2026/04/08
tags:
 - attack.privilege_escalation
 - attack.t1068
logsource:
 category: driver_load
 product: windows
detection:
 selection:
   # Sysmon Event ID 6 exposes the driver path as ImageLoaded; match on the file name
   # so the rule fires regardless of the directory the driver was dropped in.
   ImageLoaded|endswith:
     - '\RTCore64.sys'
     - '\RTCore32.sys'
     - '\dbutil_2_3.sys'
     - '\gdrv.sys'
     - '\capital.sys'
     - '\inseng.sys'
     - '\mhyprot2.sys'
 condition: selection
falsepositives:
 - Legitimate software installing these specific drivers (verify context)
level: critical
---
title: Driver Load Using Common BYOVD Loader Tools
id: c3d4e5f6-7890-12ab-def0-3456789012cd
status: experimental
description: Detects command-line activity used to load drivers, specifically via fltMC or sc, which is often a precursor to BYOVD.
references:
 - https://attack.mitre.org/techniques/T1543/
author: Security Arsenal
date: 2026/04/08
tags:
 - attack.persistence
 - attack.t1543
logsource:
 category: process_creation
 product: windows
detection:
 selection_img:
   Image|endswith:
     - '\fltMC.exe'
     - '\sc.exe'
 # Verb and target are separate selections (duplicate keys in one map are invalid YAML).
 selection_cli_verb:
   CommandLine|contains:
     - ' load '
     - 'create '
 selection_cli_target:
   CommandLine|contains:
     - '.sys'
     - 'type= kernel'
 condition: all of selection_*
falsepositives:
 - Administrative driver installation
level: medium
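The three Sigma rules above re-expressed as plain Python, so the matching logic can be exercised offline against Sysmon-style events before the rules are deployed. This is an added example, not code from the Security Arsenal report; the field names follow the Sigma rules (TargetFilename, ImageLoaded, Image, CommandLine) and the sample events are constructed.

```python
import ntpath
import re

# Driver names from the "Vulnerable Driver Load" rule above (lower-cased for matching)
VULN_DRIVERS = {"rtcore64.sys", "rtcore32.sys", "dbutil_2_3.sys", "gdrv.sys",
                "capital.sys", "inseng.sys", "mhyprot2.sys"}
USER_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\")

def rule_msimg32_drop(ev):
    """Rule 1: msimg32.dll created in a user-writable path, not under System32."""
    path = ev.get("TargetFilename", "").lower()
    return (ntpath.basename(path) == "msimg32.dll"
            and "\\windows\\system32\\" not in path
            and any(d in path for d in USER_DIRS))

def rule_vuln_driver_load(ev):
    """Rule 2: a driver from the known-abused BYOVD list is loaded (Sysmon EID 6)."""
    return ntpath.basename(ev.get("ImageLoaded", "").lower()) in VULN_DRIVERS

def rule_loader_tool(ev):
    """Rule 3: fltMC/sc invoked with load/create plus a .sys path or kernel type."""
    image = ev.get("Image", "").lower()
    cli = ev.get("CommandLine", "").lower()
    return (image.endswith(("\\fltmc.exe", "\\sc.exe"))
            and re.search(r"\b(load|create)\b", cli) is not None
            and (".sys" in cli or "type= kernel" in cli))

RULES = {"msimg32_drop": rule_msimg32_drop,
         "vuln_driver_load": rule_vuln_driver_load,
         "byovd_loader_tool": rule_loader_tool}

def evaluate(events):
    """Return (rule_name, event) pairs for every rule each event triggers."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample events (not real telemetry); two are benign controls.
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\Users\bob\AppData\Local\Temp\msimg32.dll"},
    {"TargetFilename": r"C:\Windows\System32\msimg32.dll"},              # benign
    {"ImageLoaded": r"C:\Windows\System32\drivers\RTCore64.sys"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe create demo type= kernel binPath= C:\Temp\demo.sys"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe query wuauserv"},                            # benign
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
```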

KQL (Microsoft Sentinel / Defender)

This query hunts for the specific msimg32.dll artifact dropped in user directories, as well as generic driver loading anomalies.

KQL — Microsoft Sentinel / Defender
// Query 1: hunt for suspicious msimg32.dll creation outside System32
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName =~ "msimg32.dll"
| where FolderPath !contains @"C:\Windows\System32"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc

// Query 2 (run separately; Advanced Hunting does not chain two tabular statements with ';'):
// driver-loading commands via fltMC / sc, the usual precursor to the BYOVD driver load
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("fltMC.exe", "sc.exe") or ProcessVersionInfoOriginalFileName =~ "fltMC.exe"
| where ProcessCommandLine has_any ("load", "create") and ProcessCommandLine contains ".sys"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for the presence of the suspicious DLL and known vulnerable drivers on the endpoint.

VQL — Velociraptor
-- Hunt for Qilin/Warlock artifacts and vulnerable drivers
-- VQL has no UNION; each hunt is a stored query and chain() concatenates their rows.
-- glob() exposes the path as OSPath (FullPath on older releases) and the mtime as Mtime.
LET dll_hits = SELECT OSPath, Size, Mtime, Mode, "msimg32_drop" AS Indicator
  FROM glob(globs="C:/Users/**/msimg32.dll")
  -- the glob is already restricted to user profiles, so no System32 exclusion is needed

LET driver_hits = SELECT OSPath, Size, Mtime, Mode, "vulnerable_driver" AS Indicator
  FROM glob(globs="C:/Windows/System32/drivers/**/*.sys")
  WHERE Name =~ "RTCore64|RTCore32|dbutil_2_3|mhyprot2|capital|gdrv|inseng"

SELECT * FROM chain(a=dll_hits, b=driver_hits)

Remediation Script (PowerShell)

Use this script to verify Hypervisor-Protected Code Integrity (HVCI) status—the primary defense against BYOVD—and to scan for the indicators mentioned in this report.

PowerShell
# Check HVCI Status (Critical for BYOVD mitigation)
# Win32_DeviceGuard reports SecurityServicesConfigured/Running as arrays of codes; 2 = HVCI.
# A -band test on an array always yields a non-empty (truthy) array, so use -contains.
$ci = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
Write-Host "=== Device Guard Status ==="
Write-Host "Security Services Configured: $($ci.SecurityServicesConfigured -join ',')"
Write-Host "Security Services Running: $($ci.SecurityServicesRunning -join ',')"

if ($ci.SecurityServicesRunning -contains 2) {
    Write-Host "HVCI (Hypervisor Code Integrity) is enabled and running." -ForegroundColor Green
} elseif ($ci.SecurityServicesConfigured -contains 2) {
    Write-Host "WARNING: HVCI is configured but not running (pending reboot or unmet VBS prerequisites)." -ForegroundColor Yellow
} else {
    Write-Host "WARNING: HVCI is DISABLED. This system is vulnerable to BYOVD attacks." -ForegroundColor Red
}

# Scan for suspicious msimg32.dll in user-writable directories (the paths the Sigma rule covers)
Write-Host "`n=== Scanning for msimg32.dll artifacts ==="
$paths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")
$found = $false

foreach ($path in $paths) {
    if (Test-Path $path) {
        $files = Get-ChildItem -Path $path -Recurse -Filter "msimg32.dll" -ErrorAction SilentlyContinue -Depth 3
        foreach ($file in $files) {
            Write-Host ("Suspicious file found: " + $file.FullName) -ForegroundColor Yellow
            $found = $true
        }
    }
}

if (-not $found) {
    Write-Host "No suspicious msimg32.dll files found in standard user directories."
}

# Check for known vulnerable drivers (Common BYOVD list)
Write-Host "`n=== Checking for Known Vulnerable Drivers ==="
$badDrivers = @("RTCore64.sys", "RTCore32.sys", "dbutil_2_3.sys", "DBUtil_2_3.sys", "gdrv.sys", "capital.sys", "mhyprot2.sys")
$driverDir = "C:\Windows\System32\drivers\"

foreach ($driver in $badDrivers) {
    $dPath = Join-Path $driverDir $driver
    if (Test-Path $dPath) {
        Write-Host ("VULNERABLE DRIVER FOUND: " + $dPath) -ForegroundColor Red
    }
}

Remediation

To neutralize the threat posed by Qilin, Warlock, and other BYOVD-based attacks, apply the following hardening measures immediately:

  1. Enable Hypervisor-Protected Code Integrity (HVCI): This is the single most effective control against BYOVD. HVCI uses virtualization-based security (VBS) to ensure that only valid, signed code can run in kernel memory. Even if a vulnerable driver is loaded, HVCI will block the exploit.

    • Action: Enable Memory Integrity via Windows Security > Device security > Core isolation details > Memory integrity. On Windows Server, use Group Policy (Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security).
  2. Enforce the Microsoft Vulnerable Driver Blocklist: Microsoft maintains a blocklist of drivers known to be abused for BYOVD.

    • Action: Deploy the latest Group Policy settings to enforce HVCISIGPolicy strictly. This can be managed via Intune or GPO.
  3. Application Control (AppLocker/WDAC): Restrict the ability to load arbitrary drivers.

    • Action: Implement Windows Defender Application Control (WDAC) policies that allow only specific, approved drivers to load.
  4. Patch and Audit: While BYOVD often uses legitimate but vulnerable drivers, ensure all system drivers are up to date.

    • Action: Review installed drivers against the CISA Known Exploited Vulnerabilities Catalog.
  5. Sensor Hardening: Configure EDR agents to prevent their own processes from being terminated by non-system processes and to detect attempts to unload their kernel callbacks.
