By Cisco Talos Blog
Publication Date: 2026-04-02 10:00:00
- Endpoint detection and response (EDR) tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them.
- Disabling telemetry collection (process, memory, network activity) limits what defenders can see and analyze.
- As defenders improve behavioral detection, attackers increasingly target the defense layer itself as part of their initial access or early execution stages.
- This blog provides an in-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. It can terminate over 300 different EDR drivers from almost every vendor in the market.
- We present multiple techniques used by the malware to evade and ultimately disable EDR solutions, including SEH/VEH-based obfuscation, kernel object manipulation, and various API and system call bypass methods.
This blog post provides an in-depth technical analysis of the malicious…



