Qilin Ransomware Exploits TPwSav.sys Driver to Evade EDR Security Measures


The landscape of ransomware threats continues to evolve as attackers adopt increasingly sophisticated techniques to bypass security controls traditionally relied on by organizations.

In a revealing recent incident, affiliates of the Qilin ransomware group orchestrated a highly advanced attack using a previously unpublicized vulnerable driver, TPwSav.sys, enabling them to bypass endpoint detection and response (EDR) protections stealthily.

This incident not only underscores the defenders’ need to maintain vigilance against innovative attack chains, but also demonstrates the persistent threat posed by groups that commercialize ransomware-as-a-service (RaaS) tools to a growing network of affiliates.

[Figure: Ransomware execution]

Attack Chain

First noted in July 2022, Qilin, also known as Agenda, is notorious for deploying double extortion tactics across diverse sectors, encrypting and exfiltrating victim data and threatening public exposure if ransom demands go unmet.

[Figure: Qilin ransom note]

Qilin’s offerings support both Windows and Linux environments and are developed in Golang and Rust, affording significant flexibility to its rapidly expanding affiliate base globally.

A recent operation attributed to Qilin affiliates showcased a multi-phase methodology.

The attackers gained initial access via compromised credentials, opening a foothold through a VPN using IP addresses linked to Russian-based cloud hosting services.

Once inside, attackers moved laterally using RDP and remote management tools, subsequently deploying the legitimate signed ‘upd.exe’ (a Carbon Black Cloud Sensor AV update utility) in combination with a malicious ‘avupdate.dll’ to sideload a customized EDR bypass module.

EDR Evasion by Qilin Ransomware

Central to the attack was the deployment of the TPwSav.sys driver, normally legitimate software for Toshiba laptops, but in this case abused within a bring-your-own-vulnerable-driver (BYOVD) scheme. The attackers XOR-decoded and activated a specialized variant of the EDRSandblast tool.

This tool exploited TPwSav.sys to gain arbitrary read/write capability in kernel memory, a critical step in undermining EDR modules by wiping callback routines and event tracing, key mechanisms that security solutions rely upon to monitor malicious activity.

In a particularly technical maneuver, the attackers hijacked the Beep.sys device driver’s function handlers, inserting stealthy shellcode that provided fine-grained control for further evasion and persistence within the victim’s environment.

While the attack chain involved advanced anti-analysis measures and precise manipulation of Windows internals, the incident was ultimately neutralized by rapid, coordinated action from the Security Operations Center (SOC). Impacted systems were quickly isolated, with layered defense mechanisms and real-time response preventing the ransomware’s encryption stage and broader damage.

The use of a previously unknown vulnerable driver like TPwSav.sys highlights the limitations of static EDR blocklists and illustrates how attackers can outpace signature-based defense methods by simply rotating their tooling.
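The limitation described above, and the sideload pattern described earlier (a signed ‘upd.exe’ loading a malicious ‘avupdate.dll’), can both be turned into host telemetry rules. The following is an added detection example written for this article; it is not code from the article, from Qilin, or from any vendor named here. It assumes Sysmon-style JSON events (EventID 6 = driver loaded, EventID 7 = image loaded, with Image, ImageLoaded and SHA256 fields), a list of directories Windows normally loads drivers from, and a list of user-writable locations; the sample log lines and the hashes for rotated.sys, beep.sys and kernel32.dll are constructed, while the hashes in IOC_SHA256 are the ones from the article's indicator table. It goes beyond a static hash list by also flagging any driver loaded from an unexpected path, which is what catches a rotated driver whose hash is not yet known.

```python
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath

# SHA256 values below are the ones listed in the article's IOC table.
IOC_SHA256 = {
    "011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6": "TPwSav.sys",
    "d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af": "avupdate.dll",
    "aeddd8240c09777a84bb24b5be98e9f5465dc7638bec41fb67bbc209c3960ae1": "main.exe",
    "08224e4c619c7bbae1852d3a2d8dc1b7eb90d65bba9b73500ef7118af98e7e05": "web.dat",
    "3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633": "upd.exe",
}

# Assumption: directories Windows normally loads kernel drivers from (compared lowercase).
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Assumption: locations an unprivileged user can write to. A driver, or a DLL
# sideloaded next to a signed EXE, in one of these is suspect whatever its hash.
USER_WRITABLE_PREFIXES = (r"c:\users", r"c:\programdata", r"c:\windows\temp")


@dataclass(frozen=True)
class Finding:
    rule: str    # which rule fired
    path: str    # the loaded driver or DLL
    detail: str  # human-readable reason


def _under(path: str, prefixes) -> bool:
    """True if path equals or lies beneath one of the given directory prefixes."""
    p = path.lower().rstrip("\\")
    return any(p == d or p.startswith(d + "\\") for d in prefixes)


def triage_event(ev: dict) -> list:
    """Apply the hash rule and the behavioural rules to one Sysmon-style event."""
    findings = []
    loaded = ev["ImageLoaded"]
    sha = ev.get("SHA256", "").lower()

    # Rule 1: static indicator match; only ever catches the published samples.
    if sha in IOC_SHA256:
        findings.append(Finding("ioc_hash_match", loaded,
                                f"SHA256 matches IOC for {IOC_SHA256[sha]}"))

    if ev["EventID"] == 6:
        # Rule 2: a kernel driver loaded from outside the normal driver directories
        # is the observable BYOVD precursor, whether or not its hash is known.
        parent = str(PureWindowsPath(loaded).parent)
        if not _under(parent, TRUSTED_DRIVER_DIRS):
            findings.append(Finding("driver_outside_trusted_dir", loaded,
                                    f"driver loaded from {parent}"))
    elif ev["EventID"] == 7:
        # Rule 3: a DLL loaded from the same user-writable directory as the
        # process that loaded it, the classic sideload layout.
        loader_dir = str(PureWindowsPath(ev["Image"]).parent)
        dll_dir = str(PureWindowsPath(loaded).parent)
        if loader_dir.lower() == dll_dir.lower() and _under(dll_dir, USER_WRITABLE_PREFIXES):
            findings.append(Finding("sideload_from_user_writable", loaded,
                                    f"loaded by {ev['Image']} from its own directory"))
    return findings


def triage_log(text: str) -> list:
    """Parse JSON-lines log text and return all findings in event order."""
    out = []
    for line in text.splitlines():
        if line.strip():
            out.extend(triage_event(json.loads(line)))
    return out


# Constructed sample events. Paths and the last three hashes are made up;
# only the hashes for avupdate.dll and TPwSav.sys come from the article.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Users\\Public\\upd.exe", "ImageLoaded": "C:\\Users\\Public\\avupdate.dll", "SHA256": "d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af"}
{"EventID": 6, "Image": "System", "ImageLoaded": "C:\\Users\\Public\\TPwSav.sys", "SHA256": "011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6"}
{"EventID": 6, "Image": "System", "ImageLoaded": "C:\\Users\\Public\\rotated.sys", "SHA256": "abababababababababababababababababababababababababababababababab"}
{"EventID": 6, "Image": "System", "ImageLoaded": "C:\\Windows\\System32\\drivers\\beep.sys", "SHA256": "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\upd.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "SHA256": "efefefefefefefefefefefefefefefefefefefefefefefefefefefefefefefef"}
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.path}: {f.detail}")
```

Run over the sample, the hash rule fires for avupdate.dll and TPwSav.sys only, while rotated.sys (unknown hash, loaded from C:\Users\Public) is caught solely by the path rule; that gap is exactly what a blocklist-only approach misses. The in-memory steps that follow the load (wiping callbacks, hijacking Beep.sys handlers) are invisible to load telemetry and may blind the EDR itself, so the driver-load event is the point to alert on and it should be forwarded off-host before the sensor can be tampered with.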

According to the report, the Qilin incident reaffirms the critical importance of continuous monitoring, timely threat hunting, and a defense-in-depth strategy to counteract highly adaptive ransomware campaigns.

Security teams must remain agile, investing in proactive defense measures and ongoing threat intelligence to identify and remediate attacks before they result in data compromise or disruption.

Indicators of Compromise (IOC)

File Name       SHA256
TPwSav.sys      011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6
avupdate.dll    d3af11d6bb6382717bf7b6a3aceada24f42f49a9489811a66505e03dd76fd1af
main.exe        aeddd8240c09777a84bb24b5be98e9f5465dc7638bec41fb67bbc209c3960ae1
web.dat         08224e4c619c7bbae1852d3a2d8dc1b7eb90d65bba9b73500ef7118af98e7e05
upd.exe         3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633
