The cybercriminal group behind Qilin ransomware has recently demonstrated a new and highly effective technique to circumvent traditional Endpoint Detection and Response (EDR) protections.
In a recently investigated incident, Qilin affiliates used the previously unknown, vulnerable driver TPwSav.sys, originally developed for Toshiba laptops, to stealthily disable EDR capabilities on targeted systems.
This “Bring Your Own Vulnerable Driver” (BYOVD) tactic highlights a critical blind spot in security infrastructure that organizations can no longer afford to ignore.
Qilin, first observed in mid-2022 and also known as “Agenda”, operates as a ransomware-as-a-service (RaaS) platform. Its affiliates use double extortion tactics: exfiltrating and encrypting victims’ data, and threatening disclosure if ransom demands fail.
The group is known for its adaptability, offering both Golang and Rust ransomware variants, and targeting both Windows and Linux platforms worldwide, particularly within the construction, engineering, and industrial sectors.
Technical Deep Dive: The Qilin Attack Chain
The latest Qilin attack started with the compromise of valid credentials, often obtained through phishing or purchased from dark web markets.
Attackers gained remote access to corporate networks, establishing persistence via remote desktop tools and VPNs.
After gaining a foothold, they leveraged a signed but vulnerable executable (upd.exe) to load a malicious DLL (avupdate.dll), which in turn decoded and executed a customized EDR “killer” tool, EDRSandblast.

Uniquely, this tool did not rely on well-known drivers that most EDRs now block. Instead, attackers employed the little-known TPwSav.sys driver, which is signed and thus passes standard driver checks.
By abusing TPwSav.sys’ IOCTL interfaces, the attackers gained the ability to read and write arbitrary kernel memory.
They overwrote a critical function in the Windows Beep.sys driver with custom shellcode, providing themselves with ongoing privileged access for memory manipulation.
This allowed the attackers to surgically disable kernel callbacks and Windows event tracing, two detection mechanisms that EDR products depend on.
The attackers’ skill in integrating this technique, which requires advanced Windows kernel knowledge, demonstrates the heightened sophistication in today’s ransomware threats.
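The attack chain above turns on a driver that is validly signed, so a signature check alone is not a useful gate. The following detection logic, added here as an illustration and not code from the article or from any vendor, triages Sysmon Event ID 6 (DriverLoad) records using a name/hash watchlist and a load-path check; the sample events, the empty hash list and the signer string are constructed placeholders.

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 (DriverLoad) records.
A valid signature alone passes a driver like TPwSav.sys; a name/hash watchlist and
a load-path check are what catch it. Sample events below are constructed."""
import re

# Driver file names known to be abused for BYOVD (only the name the article gives).
WATCHLIST_NAMES = {"tpwsav.sys"}
# SHA-256 values from a maintained vulnerable-driver blocklist; empty here because
# the article publishes no hash.
WATCHLIST_SHA256 = set()
# Kernel drivers legitimately live under System32; loads from elsewhere are anomalous.
EXPECTED_PATH = re.compile(r"^c:\\windows\\system32\\", re.I)

def parse_hashes(hashes_field):
    """Sysmon stores hashes as 'SHA256=...,MD5=...'; return {algo: value}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def assess_driver_load(event):
    """Return the reasons a DriverLoad event looks suspicious (empty list = benign)."""
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in WATCHLIST_NAMES:
        reasons.append(f"driver name on BYOVD watchlist: {name}")
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in WATCHLIST_SHA256:
        reasons.append("driver hash on vulnerable-driver blocklist")
    if not EXPECTED_PATH.match(path):
        reasons.append(f"driver loaded from non-standard path: {path}")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("driver signature not valid")
    return reasons  # a valid signature is deliberately not treated as exculpatory

def triage(events):
    """Return (path, reasons) for every event that raised at least one reason."""
    flagged = [(e.get("ImageLoaded", ""), assess_driver_load(e)) for e in events]
    return [(p, r) for p, r in flagged if r]

# Constructed sample events (not real telemetry); the signer string is a placeholder.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\Beep.sys", "Hashes": "SHA256=" + "0" * 64,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\TPwSav.sys", "Hashes": "SHA256=" + "1" * 64,
     "Signed": "true", "Signature": "VENDOR_PLACEHOLDER", "SignatureStatus": "Valid"},
]
```

Note that the second event is flagged twice even though its signature status is valid, which is exactly the gap the article describes.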
Defense-in-Depth Thwarts Full Compromise
Despite the advanced evasion, the targeted organization’s Security Operations Center (SOC) detected the intrusion, rapidly isolated compromised devices, and prevented ransomware deployment before any irreversible encryption took place.
However, the Qilin case underscores a growing trend: as EDR products universally block older, well-known vulnerable drivers, ransomware operators are aggressively seeking out obscure, signed drivers like TPwSav.sys to maintain an edge.
The incident is a wake-up call for the cybersecurity community. Effective defense now requires continually updated blocklists, real-time kernel monitoring, and rapid response capabilities rather than reliance on EDR tools alone.
As threat actors up their game, so too must defenders refine their arsenals to reduce future blind spots and protect against BYOVD-enabled EDR bypasses.