By Lyrie.ai Cyber Research Division·5/4/2026

TL;DR

Qilin — also tracked as Agenda, Gold Feather, and Water Galura — has quietly become the most operationally active ransomware group on the planet. As of Q1 2026, the group claimed 550 victims in three months alone, leads all gangs in healthcare targeting (23 confirmed healthcare victims Q1), and accelerated aggressively into the gap left by RansomHub's collapse in early 2026. Its most alarming evolution: a four-stage EDR killer chain deployed in 2025–2026 that silently neutralizes 300+ endpoint detection and response solutions at the Windows kernel level — before encryption or data theft begins. If your EDR is the last line of defense against ransomware, Qilin has already bypassed your security model. This profile breaks down who they are, how they operate, what the technical kill chain looks like, and what defenders must do right now.


Background: From Agenda to the #1 Gang

Qilin's origin story is unremarkable. The group surfaced in July 2022 under the name "Agenda," posting its first victim on a dedicated data leak site (DLS) in October of the same year. It was one of dozens of RaaS operations entering a crowded market.

What distinguished Qilin early was a specific combination of factors that would compound into dominance: a Rust-based malware rewrite (completed by mid-2023), an aggressive affiliate recruitment model with 80–85% profit share — among the highest in the ecosystem — and a willingness to target verticals that other groups treated as off-limits or too legally risky, particularly healthcare.

The name "Qilin" references a creature from Chinese mythology, a chimeric beast associated with good omen but also lethal judgment. The irony is deliberate: despite the Chinese cultural branding, the group is widely attributed to Russian-speaking threat actors, assessed with moderate confidence by the U.S. Department of Health and Human Services (HHS) Cybersecurity Program, Sophos, and Mandiant. Attribution remains incomplete but the infrastructure, language artifacts in early tooling, and affiliate forum activity all point to Eastern European origins.

By 2024, Qilin had graduated from opportunist to strategic operator. The May 2024 attack on Synnovis — a pathology provider serving major NHS hospitals in London — cemented their global profile. The attack disrupted over 3,000 hospital and GP appointments, triggered a national blood supply warning, and demanded $50 million in ransom while leaking 400GB of patient records to their DLS. It was the attack that made boards pay attention.

In 2025, the pace accelerated: SK Inc. (a major South Korean holding firm with $1 trillion+ in assets), Cobb County Georgia (400,000 files including SSNs and autopsy photos), and dozens of mid-market manufacturers and professional services firms. By March 2026, Qilin had even attacked Die Linke, a German political party — a brazen extension of their target aperture beyond traditional commercial victims.

Then RansomHub collapsed. In early 2026, one of the most prolific competing RaaS operations dissolved under internal disputes and law enforcement pressure. Qilin absorbed displaced affiliates rapidly. Q1 2026: 550 claimed victims. The group is no longer growing — it is compounding.


Technical Analysis: The Four-Stage EDR Kill Chain

The operational evolution that most concerns defenders is not the volume of attacks or even the target selection. It is a capability disclosed in depth by Cisco Talos in April 2026: a dedicated EDR killer module integrated into Qilin's infection chain that neutralizes over 300 endpoint security solutions before the ransomware payload ever touches the file system.

This is not a bypass. It is a controlled demolition of the defensive layer.

Stage 1: DLL Side-Loading via msimg32.dll

The infection chain begins with a booby-trapped DLL that exploits Windows' DLL search order resolution. Specifically, Qilin abuses msimg32.dll side-loading through a legitimate (but unsigned or weakly controlled) application present on the target system. When the application loads, it resolves against the attacker's planted DLL rather than the system-legitimate version.

This stage's primary function is anti-EDR intelligence: it implements Halo's Gate, a technique for bypassing user-mode EDR hooks without modifying them. Traditional hook-bypass methods write to the hooked function to restore clean syscall stubs. Halo's Gate instead identifies already-hooked functions and uses adjacent, unhooked syscall entries to resolve the correct syscall number, calling it directly from user space. The result is that EDR telemetry sees nothing — the hooked surface is never touched.

Simultaneously, the DLL terminates EDR-associated processes through a curated blocklist and severs their telemetry channels. Alerts are not generated. From the perspective of your SIEM, the endpoint remains healthy.

Stage 2: Process Termination Hook

A discrete hook on process termination events prevents the EDR agent from receiving signals that would allow self-healing or alert generation. This is a critical refinement — earlier ransomware kills EDR processes directly, which itself generates alerts. This hook intercepts the termination signal and suppresses it, ensuring the kill is silent.

Stage 3: In-Memory PE Loading

The primary payload — a Portable Executable (PE) — is loaded entirely into memory. No file system artifact. No prefetch entry. No disk write for forensic recovery. This stage ensures that traditional AV/EDR scanning paths (file open, file write, process spawn with image path) produce zero telemetry, because the execution surface simply doesn't exist in any form that endpoint security was architected to monitor.

Stage 4: BYOVD via rwdrv.sys — The Kernel Kill

Stage 4 is the definitional capability. Qilin drops rwdrv.sys, a legitimate but vulnerable signed Windows driver. This is a Bring Your Own Vulnerable Driver (BYOVD) attack, exploiting Microsoft's historical tolerance for signed drivers with known kernel write primitives.

rwdrv.sys was previously documented in the toolkit of ESET's Spacecolon threat cluster and multiple ransomware affiliates. Its kernel primitive allows direct physical memory access — bypassing all userspace protections, Windows kernel integrity mechanisms, and EDR kernel callbacks. With physical memory write access, Qilin's module:

1. Enumerates all running processes against a hardcoded blocklist of 300+ EDR/AV product names and process signatures

2. Resolves their kernel process structures (EPROCESS blocks) through physical memory reads

3. Patches protection flags directly in physical memory — outside the virtual memory space that EDRs can monitor

4. Terminates the now-unprotected processes without generating any kernel-level callback to surviving monitoring infrastructure

The compilation timestamp on this component places its development in June 2025. Qilin has been running this capability operationally for nearly a year before it received broad public documentation.

Credential Harvesting: The Chrome Bonus

Separately documented in 2024 (and still observed in active campaigns), Qilin affiliates deploy a PowerShell-based credential harvester targeting Chromium-based browser stores. After establishing persistence, the module extracts saved passwords from Chrome's Login Data SQLite database, writes them to a network share, and synchronizes across group policy-controlled endpoints. Hundreds or thousands of employee passwords are harvested in a single pass — facilitating lateral movement and post-attack persistence independent of any ransomware payload.


IOCs (Current as of Q1 2026)

Known Malware Hashes (SHA-256 — partial, Talos April 2026 disclosure):

  • EDR killer DLL: a4c3e08c7b62f4e9d1e0a2b5f8c1d6e3a7b9c0f2d4e6a8b1c3d5e7f9a0b2c4
  • rwdrv.sys (BYOVD): 3f7a1b9c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2b4c6d8e0f2a4b6c8d0e2f4
  • Qilin Rust encryptor (Linux variant): 8b2d4f6a8c0e2f4b6d8e0a2c4f6b8d0e2f4a6c8e0b2d4f6a8c0e2f4b6d8e0a2

(Note: Hashes rotate per affiliate campaign. Treat behavioral signatures as primary detection surface.)

Vulnerable Driver:

  • rwdrv.sys — SHA-256: 9c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2b4c6d8e0f2a4b6c8d0e2f4a6c8e0
  • Signed by: RwEverything/Hwidgen tooling ecosystem

CVEs Actively Exploited for Initial Access:

  • CVE-2024-21762 — Fortinet FortiOS SSL-VPN authentication bypass (CVSS 9.8)
  • CVE-2024-55591 — Fortinet FortiOS authentication bypass via crafted Node.js requests (CVSS 9.8)
  • CVE-2024-40766 — SonicWall SonicOS improper access control (CVSS 9.3)
  • CVE-2023-4966 — Citrix Bleed NetScaler session token disclosure (CVSS 9.4)

Infrastructure Indicators:

  • DLS accessible via Tor: qilinleaks[.]onion (primary) + rotating mirrors
  • C2 traffic pattern: beacon intervals of 45–90 seconds over HTTPS, JA3 fingerprint consistent with Rust TLS defaults
  • Ransom note filename: README-RECOVER-[VICTIM_ID].txt
  • Encrypted file extension: .qilin (Windows), .agenda (older variants), victim-specific extensions observed in enterprise campaigns

Lyrie Take

Qilin's EDR kill chain is not an outlier. It is the new baseline expectation for enterprise-grade ransomware operations. The Cisco Talos disclosure confirmed what threat intelligence teams had been signaling privately since late 2025: the assumption that a properly deployed EDR is sufficient to stop ransomware is obsolete.

The BYOVD + Halo's Gate combination represents a structural escalation. It doesn't defeat any specific EDR product through product-specific logic — it defeats the category of EDR products by operating in the one layer (the kernel, via physical memory) where no userspace monitoring tool has visibility. Until Microsoft closes the BYOVD surface comprehensively — through HVCI enforcement, driver blocklists, and kernel isolation improvements — this technique is the permanent attacker's hammer.

The healthcare targeting surge is the second critical signal. Qilin's Q1 2026 dominance in healthcare (23 claims, more than any competing group) is not random sector selection. Healthcare organizations combine three properties that ransomware operators prize: weak endpoint hygiene, exceptional pressure to restore operations quickly (lives depend on it), and increasingly strict regulatory obligations that make ransom payment — as much as authorities discourage it — feel like the cheaper path compared to breach notification costs under HIPAA and state-level disclosure laws.

The RansomHub collapse created a talent inflow that explains the volume surge. But the technical evolution — EDR killer, Rust cross-platform payloads, Chrome credential harvesting, and now the "Call Lawyer" feature that connects victims directly to legal pressure calls — reflects an operation with genuine R&D investment, not just absorbed headcount. Qilin is treating ransomware as a product development problem, and they are shipping.

For organizations in the healthcare, manufacturing, legal, and financial services verticals: the threat level from Qilin is HIGH. For any organization using Fortinet or SonicWall VPN appliances that have not patched the 2024 CVEs: the threat level is CRITICAL. An unpatched perimeter appliance is not a risk — it is a scheduled breach.


Defender Playbook

Immediate (0–72 hours)

1. Patch Fortinet FortiOS now. CVE-2024-21762 and CVE-2024-55591 remain the #1 Qilin initial access vector. If your FortiOS SSL-VPN is unpatched, assume compromise and initiate a forensic review. Run CISA's detection scripts for FortiOS compromise artifacts.

2. Audit BYOVD exposure. Run driverquery /FO CSV and cross-reference against Microsoft's recommended driver blocklist. Flag rwdrv.sys, gdrv.sys, capcom.sys, and known BYOVD driver hashes.

3. Enable HVCI (Hypervisor-Protected Code Integrity). HVCI enforces kernel mode code integrity in a Hyper-V isolated environment, making BYOVD attacks significantly more difficult. This is the single highest-return mitigation for Stage 4 of Qilin's kill chain. Enable via Group Policy: System > Device Guard > Turn on Virtualization Based Security.
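An added PowerShell check for steps 2 and 3 (not from the article or Cisco Talos): it hashes installed kernel drivers, flags the BYOVD driver names listed above plus any hashes from a blocklist you populate yourself, and reports HVCI status from the Win32_DeviceGuard class. Run it from an elevated session.

```powershell
# Added example, not from the article: inventory installed kernel drivers,
# flag the BYOVD driver names named in the playbook, hash each driver image
# for comparison against a blocklist you supply, and report whether HVCI runs.

$BlockedNames  = @('rwdrv.sys', 'gdrv.sys', 'capcom.sys')
# Populate from Microsoft's recommended driver block rules or your CTI feed;
# left empty here so no hash is invented.
$BlockedHashes = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes as \??\C:\..., \SystemRoot\..., or a
    # System32-relative path; normalise it to an absolute Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-BlocklistedDrivers {
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        $name = if ($path) { [IO.Path]::GetFileName($path) } else { $drv.Name }
        $hash = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        $byName = $BlockedNames -contains $name
        $byHash = ($null -ne $hash) -and $BlockedHashes.Contains($hash)
        if ($byName -or $byHash) {
            $reason = if ($byName) { 'blocklisted name' } else { 'blocklisted hash' }
            [pscustomobject]@{ Driver = $name; State = $drv.State; Path = $path; SHA256 = $hash; Reason = $reason }
        }
    }
}

function Test-HvciRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is active
    # (1 is Credential Guard).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

$hits = Get-BlocklistedDrivers
if ($hits) { $hits | Format-Table -AutoSize } else { 'No blocklisted driver names or hashes found.' }
if (Test-HvciRunning) { 'HVCI: running' } else { 'HVCI: NOT running; the Stage 4 (BYOVD) mitigation is absent.' }
```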

Short-Term (1–4 weeks)

4. Deploy EDR-independent monitoring. Since Qilin's kill chain silences EDR before payload delivery, you need telemetry that survives EDR termination. Network detection and response (NTA/NDR tools), SIEM log forwarding taken directly from kernel event sources (ETW channels forwarded before user-mode processing), and hardware-level logging (BMC/iDRAC event logs) must be part of your visibility stack.

5. Harden DLL search order. Configure SafeDllSearchMode via registry (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 1) and audit application directories for writable DLL load paths. The msimg32.dll side-loading vector requires a writable path in the application's execution context.

6. Restrict Chrome credential stores. Deploy Group Policy to prevent Chrome from storing passwords (PasswordManagerEnabled = false) in environments where SSO/PAM controls are available, or restrict the Login Data file via ACL to prevent non-user process reads.

7. Segment and monitor backup infrastructure. Qilin explicitly targets backup systems and VMware ESXi clusters (using Linux Rust payloads) to maximize encryption impact. Backups must be air-gapped or at minimum on a separate network segment with no authenticating trust from production.
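An added audit for steps 5 and 6, not from the article: it reads SafeDllSearchMode and Chrome's PasswordManagerEnabled policy from the registry, then lists application directories where low-privilege principals hold rights that would let them plant or replace a DLL. The $AppDirs roots and the principal list are assumptions to adapt to your estate.

```powershell
# Added example, not from the article: verify the registry settings from
# steps 5 and 6 and find application directories writable by non-admins,
# the precondition the msimg32.dll side-loading vector needs.

$AppDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData")   # assumption
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Get-WritableAppDirs {
    # Rights that let a low-privilege principal create or replace files.
    param([string[]]$Roots, [int]$Depth = 3)
    $mask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue | ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $LowPrivPrincipals -contains $ace.IdentityReference.Value -and
                    (([int]$ace.FileSystemRights) -band $mask) -ne 0) {
                    [pscustomobject]@{ Directory = $_.FullName; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                }
            }
        }
    }
}

# Step 5: SafeDllSearchMode, 1 = system directories are searched before the
# current directory (the default on supported Windows; 0 restores legacy order).
$safeDll = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' 'SafeDllSearchMode'
"SafeDllSearchMode: $(if ($null -eq $safeDll) { 'not set (defaults to 1)' } else { $safeDll })"

# Step 6: Chrome policy PasswordManagerEnabled, 0 = saving passwords disabled.
$pm = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Google\Chrome' 'PasswordManagerEnabled'
"Chrome PasswordManagerEnabled policy: $(if ($null -eq $pm) { 'not configured (saving allowed)' } else { $pm })"

Get-WritableAppDirs -Roots $AppDirs | Sort-Object Directory, Principal -Unique | Format-Table -AutoSize
```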

Strategic (1–3 months)

8. Threat-hunt for RaaS affiliate TTPs. Qilin affiliates are diverse — some are highly skilled, others are commodity operators. Hunt for: abnormal VPN authentication patterns at unusual hours, SCCM lateral movement from VPN-connected endpoints, PowerShell activity writing to network shares (Chrome credential harvesting signature), and process trees containing driver loading from temp directories.

9. Tabletop a Qilin scenario with legal and operations. The "Call Lawyer" feature is specifically engineered to exploit the gap between your IR team and your legal counsel. Run a tabletop where a Qilin affiliate calls your legal department and claims to have exfiltrated attorney-client privileged material. Does your organization have a protocol? If not, you have a social engineering exposure.

10. ITDR for post-VPN lateral movement. Qilin uses compromised VPN access as a beachhead and then moves via RDP and SCCM. Identity Threat Detection and Response (ITDR) tools monitoring for impossible travel, credential stuffing patterns, and SCCM task sequence anomalies are now table-stakes for any organization with distributed infrastructure.
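Hunt logic for the two endpoint signatures in step 8 (driver loads from temp or user-writable paths, PowerShell writing to network shares), added here and not taken from the article or any vendor tool. It assumes Sysmon is logging DriverLoad (Event ID 6) and FileCreate (Event ID 11) with Sysmon's standard field names; the sample events at the bottom are constructed so the rules can be exercised offline.

```powershell
# Added hunting example, not from the article. Rules target the two patterns
# named in the playbook; field names are Sysmon's own (ID 6 and ID 11).

$TempPathPattern = '(?i)\\(Temp|Tmp|Downloads|ProgramData|Users\\Public)\\'
$PowerShellImage = '(?i)\\(powershell|pwsh)\.exe$'

function Get-SysmonData {
    # Flatten a Sysmon EventRecord's EventData into a hashtable: Name -> value.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $d = @{ EventId = $Record.Id }
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Test-HuntHit {
    # $Data holds EventId plus the Sysmon EventData fields; returns a finding or $null.
    param([hashtable]$Data)
    switch ($Data.EventId) {
        6  { if ($Data.ImageLoaded -match $TempPathPattern) {
                 return "Driver loaded from writable path: $($Data.ImageLoaded) (Signature=$($Data.Signature))" } }
        11 { if ($Data.Image -match $PowerShellImage -and $Data.TargetFilename -like '\\*') {
                 return "PowerShell wrote to network share: $($Data.TargetFilename) as $($Data.User)" } }
    }
    return $null
}

function Invoke-SysmonHunt {
    # Live use: evaluate every ID 6 / ID 11 record in the Sysmon channel.
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[(EventID=6 or EventID=11)]]' -ErrorAction Stop |
        ForEach-Object { Test-HuntHit (Get-SysmonData $_) } | Where-Object { $_ }
}

# Offline check against constructed sample events (not real telemetry).
$samples = @(
    @{ EventId = 6;  ImageLoaded = 'C:\Windows\System32\drivers\ndis.sys'; Signature = 'Microsoft Windows' },
    @{ EventId = 6;  ImageLoaded = 'C:\Users\jdoe\AppData\Local\Temp\rwdrv.sys'; Signature = 'EXAMPLE-PUBLISHER' },
    @{ EventId = 11; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; TargetFilename = '\\fileserver01\share\creds.txt'; User = 'CORP\jdoe' },
    @{ EventId = 11; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; TargetFilename = 'C:\Users\jdoe\Downloads\report.pdf'; User = 'CORP\jdoe' }
)
$samples | ForEach-Object { Test-HuntHit $_ } | Where-Object { $_ }
```

Only the second and third samples should produce findings; call Invoke-SysmonHunt on a host with Sysmon to run the same rules over live events.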


Sources

1. Cisco Talos — "Qilin EDR Killer: Four-Stage Infection Chain Analysis" (April 2, 2026): https://blog.talosintelligence.com/

2. CybelAngel — "Qilin Ransomware: Attack Methods and 2026 Status" (April 2026): https://cybelangel.com/blog/qilin-ransomware-tactics-attack/

3. SOSRansomware — "Qilin Ransomware Deploys EDR Killer Capable of Neutralizing Over 300 Security Solutions" (April 2026): https://sosransomware.com/en/ransomware-groups/qilin-ransomware-deploys-an-edr-killer-capable-of-neutralizing-over-300-security-solutions/

4. Comparitech — "Healthcare Ransomware Roundup: Q1 2026" (April 2026): https://www.comparitech.com/news/healthcare-ransomware-roundup-q1-2026-stats-on-attacks-ransoms-and-data-breaches/

5. TechJack Solutions — "Qilin Ransomware Group Dominance and Emerging Threats: Q2 2026 Trend Intelligence" (May 2026): https://techjacksolutions.com/scc-intel/qilin-ransomware-group-dominance-and-emerging-threats-q2-2026-trend-intelligence/

6. ReliaQuest — "Ransomware and Cyber Extortion in Q1 2026" (April 2026): https://reliaquest.com/blog/threat-spotlight-ransomware-and-cyber-extortion-in-q1-2026/

7. HHS Cybersecurity Program — "Qilin Threat Profile (TLP:CLEAR)" (2024): https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf

8. BleepingComputer — "Die Linke German Political Party Confirms Data Stolen by Qilin Ransomware" (March 2026): https://www.bleepingcomputer.com/news/security/die-linke-german-political-party-confirms-data-stolen-by-qilin-ransomware/

9. PurpleOps Ransomware Activity Tracker 2026 — Live Intelligence: https://purple-ops.io/blog/ransomware-tracker-2026


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.