critical Code Vulnerability
Qilin + Warlock Ransomware — BYOVD Killing 300+ EDR Products
| Field | Value |
| --- | --- |
| Severity | critical |
| Status | open |
| Date | April 6, 2026 |
| Affects | Nearly every EDR vendor — 300+ products targeted |
| Source | thehackernews.com |
Details
Qilin deploys a malicious msimg32.dll that terminates 300+ EDR drivers from nearly every security vendor. Warlock uses the legitimate NSecKrnl.sys driver for kernel-level EDR killing, plus TightVNC, VS Code tunneling, and Cloudflare tunnels for C2. Reported by Cisco Talos and Trend Micro.
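A triage sketch for the two file names above, added here as an example and not taken from the cited reports: it flags any load of NSecKrnl.sys as a driver and any msimg32.dll loaded from outside the Windows system directories. It assumes Sysmon-style records (Event ID 6 driver load, Event ID 7 image load) already parsed into dicts, and assumes the genuine msimg32.dll only loads from System32, SysWOW64 or WinSxS; the sample events are constructed.

```python
import ntpath

# File names taken from the advisory text above.
BYOVD_DRIVER = "nseckrnl.sys"
SIDELOAD_DLL = "msimg32.dll"
# Assumption: a genuine msimg32.dll only loads from these Windows directories.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
WINSXS_PREFIX = "c:\\windows\\winsxs\\"


def triage(event):
    """Return a finding string for a Sysmon-style event dict, or None."""
    loaded = ntpath.normcase(event.get("ImageLoaded", ""))
    name = ntpath.basename(loaded)
    folder = ntpath.dirname(loaded)
    if event.get("EventID") == 6 and name == BYOVD_DRIVER:
        # The driver is legitimate, so a valid signature does not clear the load.
        return f"driver load: {event['ImageLoaded']}"
    if event.get("EventID") == 7 and name == SIDELOAD_DLL:
        if folder not in SYSTEM_DIRS and not loaded.startswith(WINSXS_PREFIX):
            return (f"msimg32.dll outside system dirs: "
                    f"{event['ImageLoaded']} (by {event.get('Image')})")
    return None


# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 7, "Image": r"C:\ProgramData\app\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\app\MSIMG32.dll"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\NSecKrnl.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]


def scan(events):
    """Run triage over all events and keep only the findings."""
    return [finding for finding in map(triage, events) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

File-name matching is only a first-pass filter, since a renamed driver or DLL will not match it.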