Endpoint Detection and Response (EDR) solutions are widely considered a cornerstone of modern enterprise defense. However, recent malware campaigns show that adversaries increasingly focus on actively disabling security controls. Disabling EDR systems is not a trivial task: adversaries must bypass and evade multiple detection and protection layers before they can successfully neutralize them.
This talk examines a recent intrusion chain associated with the Qilin ransomware ecosystem, in which a dedicated EDR killer is deployed early in the attack lifecycle. The analyzed malware identifies and disables hundreds of EDR drivers from multiple vendors, effectively removing visibility and response capabilities from the target environment. Initial execution relies on DLL sideloading of a trojanized msimg32.dll, which acts as a PE loader for the EDR killer payload. The execution flow is deliberately convoluted through SEH/VEH-based control flow manipulation, which breaks linear disassembly and complicates static analysis. The sample further minimizes its user-mode footprint by dynamically resolving APIs and selectively switching to direct and indirect syscalls to evade the userland hooks commonly used by EDR solutions. In parallel, it tampers with ETW providers to degrade telemetry visibility.
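The sideloading vector described above gives defenders a simple hunting check: a genuine msimg32.dll lives in System32, so any file of that name elsewhere whose hash differs from the trusted copy deserves triage. The script below is an added example written for this page, not code from the talk or from the analyzed sample; the Windows paths in the main block and the constructed directory tree in the demo function are assumptions for illustration.

```python
"""Hunt for trojanized msimg32.dll copies outside System32 (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(reference_dll, search_roots, dll_name="msimg32.dll"):
    """Return paths of files named dll_name (case-insensitive) whose hash differs
    from the trusted reference copy. Identical copies (e.g. redistributed
    originals) are not reported; unreadable files are skipped, not fatal."""
    reference_hash = sha256_file(reference_dll)
    reference_path = Path(reference_dll).resolve()
    hits = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != dll_name.lower():
                    continue
                candidate = Path(dirpath, name)
                if candidate.resolve() == reference_path:
                    continue
                try:
                    if sha256_file(candidate) != reference_hash:
                        hits.append(str(candidate))
                except OSError:
                    continue
    return hits


def demo_on_constructed_tree():
    """Build a constructed sample tree (fake bytes, not real DLLs) and return the
    flagged paths relative to the tree root: only the mismatching copy is reported."""
    root = Path(tempfile.mkdtemp())
    (root / "system32").mkdir()
    (root / "app").mkdir()
    (root / "redist").mkdir()
    (root / "system32" / "msimg32.dll").write_bytes(b"GENUINE-DLL-BYTES")      # trusted copy
    (root / "app" / "msimg32.dll").write_bytes(b"TROJANIZED-LOADER-BYTES")     # sideload candidate
    (root / "redist" / "MSIMG32.DLL").write_bytes(b"GENUINE-DLL-BYTES")        # benign duplicate
    hits = find_sideload_candidates(root / "system32" / "msimg32.dll", [root])
    return [Path(h).relative_to(root).as_posix() for h in hits]


if __name__ == "__main__":
    # Typical use on a Windows host (paths are assumptions for illustration).
    for hit in find_sideload_candidates(r"C:\Windows\System32\msimg32.dll", [r"C:\Users", r"C:\ProgramData"]):
        print("sideloading candidate:", hit)
```

A hash mismatch is a triage signal, not proof of compromise: a legitimately patched or differently versioned copy will also differ, so pair the hit with the loading process and its signer before acting.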
Attendees will gain a deep understanding of how modern EDR killers are engineered, including their use of undocumented APIs, kernel object manipulation, and advanced obfuscation strategies. The talk will bridge low-level reverse engineering insights with practical detection opportunities, highlighting weaknesses in current defensive models and offering concrete ideas for improving resilience against malware that targets the defenders themselves. The race is on.
