Secure AF - A Cybersecurity Podcast

Qilin Ransomware’s EDR Killer DLL – How Attackers Are Subverting Defenses

Alias Cybersecurity


Qilin ransomware is deploying a malicious DLL to disable EDR tools before encryption begins. 

In this #SOCBrief, we break down how the attack works, what to look for, and how defenders can respond. 


Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.

SPEAKER_00

Good morning, good afternoon, or good evening, wherever you may be, and welcome to another episode of the SOC Brief. This is your go-to podcast for staying ahead of the ever-evolving world of cybersecurity threats. I'm your host Andrew, and today we're going to discuss a fun tactic that's picking up steam from a group that we're going to be talking about a lot in the future, and that is the Qilin ransomware group is using a malicious DLL to disable a large number of endpoint detection and response tools, also known as EDR, before deploying their ransomware. We'll discuss the EDRs allegedly affected, how it works, some real-world examples, key indicators to hunt for, and some practical steps your SOC can take to spot and stop these attacks before your organization becomes the next victim. So let's get into it.

Well, we're going to be talking about them a lot, but Qilin is one of, if not the most, prolific ransomware groups active right now. They're leading victim counts in multiple quarters of 2025 and continuing into 2026. And researchers have recently discovered that they are deploying a specially crafted malicious dynamic link library, or DLL. This is a file designed to disable or impair a very large number of EDR products before the ransomware payload runs. So the malicious DLL, uh, currently, I think what we have is it's named MSIMG32.dll. Used by Qilin, it contains a hard-coded list of over 300 EDR driver names. It uses bring-your-own-vulnerable-driver techniques to access physical memory and terminate EDR processes at the kernel level. Virtually every major vendor is targeted, confirmed or strongly implied in the latest Talos and Trend Micro analysis.

This would be EDRs like Microsoft Defender for Endpoint or Windows Defender, CrowdStrike Falcon, SentinelOne, Sophos, Trend Micro, Symantec, McAfee, Kaspersky, Cylance, Carbon Black, F-Secure, HitmanPro, Webroot, Palo Alto Cortex XDR, Elastic Endpoint Security, Bitdefender, ESET, and dozens more from smaller or regional vendors. This attack is designed to be vendor-agnostic. It doesn't rely on one specific weakness in a single product. It attempts to systematically kill EDR drivers across the board. So this is a huge concern because EDR tools are most commonly the last line of defense in a network. If attackers can blind or disable them early, they'll gain a huge window to move laterally, exfiltrate data, and encrypt systems with much less chance of detection. So this tactic makes their attacks quieter and faster. The malicious DLL doesn't rely on custom malware for the main payload. Instead, it's using living-off-the-land techniques and legitimate tools after blinding the EDR. This helps keep their dwell time low and makes behavioral detection much harder. For SOCs, it means normal-looking processes can suddenly become malicious, and the usual EDR alerts that you rely on may never fire.

So for visibility into this, SOCs want to do things like tune your EDR for anomalous DLL loading, look for unusual driver interactions, or sudden drops in your EDR telemetry from endpoints. So that'll be things like if an endpoint just shuts off or checks out of the console. That's kind of a red flag. Look for signs of EDR tampering such as missing agents, disabled services, or unexpected process injections. You can also make sure you're blocking or quarantining high-risk behaviors at your gateways. That'll be things like restricting unnecessary DLL execution, enforcing application allow listing, monitoring for living-off-the-land binaries, and using network segmentation to limit lateral movement if an initial foothold is gained.

We have to be proactive in our hunting, so make sure you're reviewing your logs regularly, looking for recent anomalous DLL activity, unusual driver loads, or sudden drops in EDR coverage, like we discussed. You can integrate threat intelligence feeds for Qilin IOCs. There are vendors like WatchGuard and others that are already publishing details on their TTPs and the specific EDR killer DLL as well. So go find that, get hashes, create blacklists, block lists, whatever you need to do. Make sure you share all this information with your team. Make sure your colleagues know what to be on the lookout for as well. The bottom line here is that Qilin's EDR killer shows attackers are working harder to remove the alarms and defenses that us defenders count on. SOCs that are aware and prepared for these bypass techniques can stop these attacks before they can become a problem.

Closing thoughts and a call to action here. With Qilin's rise and the new EDR-disabling tactics, it's a reminder that ransomware groups will continue to evolve and adjust to our defenses. SOCs that are on the lookout for oddities, are quick to block risky behaviors, and keep communication flowing can turn potential disasters into contained incidents. This week, run one quick hunt for anomalous DLL activity or EDR tampering in your environment. Make sure you're reviewing your endpoint visibility controls and identifying any potential gaps in coverage. And that's a wrap for this episode of the SOC Brief. Have questions or your own EDR bypass stories? Hit us up on social media or via our website. Keep your eyes open, keep sharpening those skills, and we'll talk soon. As always, stay secure out there. Bye.
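The two hunts the episode suggests, a DLL carrying the MSIMG32.dll name loading from outside the Windows system directories and endpoints whose EDR agent suddenly stops reporting, as an added example that is not part of the podcast or any vendor's tooling. The event format and all sample records are constructed for illustration; the only page-derived specific is the DLL name.

```python
"""Hunt for two signals called out in the episode: a DLL named like the
Qilin EDR killer (msimg32.dll) loading from a non-system path, and hosts
whose EDR heartbeat goes quiet. Event shape and data are constructed."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real IoCs): image-load events and
# per-host agent heartbeats, as a SIEM might normalise them.
EVENTS = [
    {"ts": "2025-10-01T09:00:00", "host": "ws01", "type": "image_load",
     "image": r"C:\Windows\System32\msimg32.dll", "process": "explorer.exe"},
    {"ts": "2025-10-01T09:05:00", "host": "ws02", "type": "image_load",
     "image": r"C:\Users\Public\msimg32.dll", "process": "svchost.exe"},
    {"ts": "2025-10-01T09:00:00", "host": "ws01", "type": "heartbeat"},
    {"ts": "2025-10-01T09:10:00", "host": "ws01", "type": "heartbeat"},
    {"ts": "2025-10-01T09:00:00", "host": "ws02", "type": "heartbeat"},
    # ws02 goes silent after 09:00 while ws01 keeps checking in.
]

# The legitimate msimg32.dll lives only in these directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WATCHED_DLLS = {"msimg32.dll"}


def sideloaded_dlls(events):
    """Return (host, process, image) for watched DLL names loaded from
    any path that is not a Windows system directory."""
    hits = []
    for e in events:
        if e["type"] != "image_load":
            continue
        path = e["image"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in WATCHED_DLLS and not path.startswith(SYSTEM_DIRS):
            hits.append((e["host"], e["process"], e["image"]))
    return hits


def silent_hosts(events, now_iso, max_gap=timedelta(minutes=15)):
    """Return hosts whose last heartbeat is older than max_gap at now_iso:
    a proxy for an agent that was killed rather than cleanly uninstalled."""
    now = datetime.fromisoformat(now_iso)
    last = {}
    for e in events:
        if e["type"] == "heartbeat":
            t = datetime.fromisoformat(e["ts"])
            last[e["host"]] = max(t, last.get(e["host"], t))
    return sorted(h for h, t in last.items() if now - t > max_gap)


if __name__ == "__main__":
    print("sideloaded:", sideloaded_dlls(EVENTS))
    print("silent:", silent_hosts(EVENTS, "2025-10-01T09:20:00"))
```

In a real environment the same two checks would run against Sysmon or EDR image-load events and the agent console's last-seen timestamps, with the gap threshold tuned to the agent's normal check-in interval.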
