Cisco Talos: Qilin EDR killer infection chain
Essential information
- Published
- 02/04/2026 15:23
- Modified
- 02/04/2026 18:02
- Tags
- 2026-04-02
- Related entities
- 4 observables
Description
Endpoint detection and response (EDR) tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them. The malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. It can terminate over 300 different EDR drivers from almost every vendor in the market.