A malicious actor known as AlphaGhoul has begun promoting a tool called NtKiller, designed to silently shut down antivirus software and endpoint detection tools.<\/p>\n
The tool was posted on an underground forum where criminals gather to buy and sell hacking services. According to the advertisement, NtKiller can help attackers avoid detection while running their malware on infected computers.<\/p>\n
The emergence of NtKiller represents a significant challenge for organizations relying on traditional security tools<\/a>.<\/p>\n The threat actor claims that the tool can work against many popular security solutions, including Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro.<\/p>\n More concerning is the assertion that it can bypass enterprise-grade EDR solutions<\/a> when running in aggressive modes. KrakenLabs analysts noted the malware\u2019s ability to remain hidden through early-boot persistence mechanisms, making it exceptionally difficult for security teams to detect and remove once activated.<\/p>\n KrakenLabs researchers identified<\/a> that NtKiller operates through a modular pricing structure, with the core functionality priced at $500, while additional features like rootkit capability and UAC bypass each cost an extra $300.<\/p>\n This pricing model suggests the tool has been refined for commercial sale within the cybercriminal community.<\/p>\n The tool\u2019s claimed capabilities extend beyond simple process termination, including support for advanced evasion techniques like HVCI disabling, VBS manipulation, and memory integrity circumvention.<\/p>\n The technical capabilities attributed to NtKiller make it particularly dangerous in the hands of experienced attackers.<\/p>\n The tool\u2019s early-boot persistence mechanism works by establishing itself during system startup, before many security monitoring systems fully activate.<\/p>\n This timing advantage allows malicious payloads to execute in an environment where detection is minimal.<\/p>\n Additionally, the anti-debugging and anti-analysis protections prevent researchers and automated tools<\/a> from examining the malware\u2019s behavior, creating a significant knowledge gap about its actual capabilities versus marketing claims.<\/p>\n The silent UAC bypass option represents another critical technical feature. User Account Control bypass allows malware to gain elevated system privileges without triggering standard Windows prompts that might alert users to suspicious activity.<\/p>\n Combined with rootkit functionality, attackers could maintain persistent access to compromised systems<\/a> while remaining invisible to standard security monitoring.<\/p>\n It is important to note that these capabilities have not been independently verified by third-party researchers, and the actual effectiveness of NtKiller remains unclear.<\/p>\n Organizations should maintain vigilance and ensure their security tools include behavioral detection capabilities beyond signature-based identification to counter such emerging threats.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Threat Actors Advertised NtKiller Malware on Dark Web Claiming Terminate Antivirus and EDR Bypass<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical capabilities<\/strong><\/h2>\n
![\"Key](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi-o_-oVYNdQl20cXXyzguD3QPQLFSHXWx4lTV1CDi33TufB5hIcSDD_E5gP95l6oY_tymvpgrB5c7rjCSRfM3Do2BJ5LIZpFmzJc1XDCO3qAyH8CIv4ySxIrFqJJsBocAuTiWiDEdd5QU9f0o7t5z8y7BM86HN4Br8sBAQkOrUU7zbxUNhqQhcDxuw-4E\/s16000\/Key%2520details%2520%28Source%2520-%2520X%29.webp?ssl=1\")