A malicious actor known as AlphaGhoul has begun promoting a tool called NtKiller, designed to silently shut down antivirus software and endpoint detection tools.
The tool was posted on an underground forum where criminals gather to buy and sell hacking services. According to the advertisement, NtKiller can help attackers avoid detection while running their malware on infected computers.
If its claims hold, NtKiller represents a significant challenge for organizations that rely on a single endpoint agent as their main line of defence.
The threat actor claims that the tool can work against many popular security solutions, including Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro.
More concerning is the assertion that it can bypass enterprise-grade EDR solutions when running in its "aggressive" modes. KrakenLabs analysts also noted the advertised early-boot persistence, which, if genuine, would let the tool load before many security agents start and make it considerably harder to detect and remove once installed.
KrakenLabs researchers reported that NtKiller is sold with a modular pricing structure: the core functionality is priced at $500, while optional features such as rootkit capability and UAC bypass each cost an extra $300.
This à-la-carte pricing suggests the tool is packaged and maintained for commercial sale within the cybercriminal community rather than being a one-off script.
The tool's claimed capabilities extend beyond simple process termination to evasion techniques such as disabling HVCI, manipulating VBS, and circumventing memory integrity. Note that "memory integrity" is the name the Windows Security app gives to HVCI, so the last two items in the advertisement describe the same protection.
Technical capabilities
The technical capabilities attributed to NtKiller would, if genuine, make it particularly dangerous in the hands of experienced attackers.
The advertised early-boot persistence would have the tool establish itself during system startup, before many security agents are fully active.
That timing would give a malicious payload a window in which detection coverage is thinnest. The listing does not say how this is achieved, so it is not possible to tell from the advertisement alone which boot-time controls the tool would actually have to defeat.
The advertised anti-debugging and anti-analysis protections are intended to hinder researchers and automated sandboxes from examining the tool's behaviour. Until a sample is analysed, that leaves a gap between what is claimed and what has been verified.
The silent UAC bypass option is another notable feature. A User Account Control bypass lets malware already running under an account in the local Administrators group move from a medium-integrity to a high-integrity process without the consent prompt that would otherwise alert the user. It does not grant administrator rights to a standard user, which is one reason running day-to-day as a non-administrator blunts this feature.
Combined with the rootkit option, this would let attackers maintain persistent access to compromised systems while remaining invisible to standard security monitoring.
It is important to note that these capabilities have not been independently verified by third-party researchers, and the actual effectiveness of NtKiller remains unclear.
Organizations should maintain vigilance, ensure their security tools include behavioral detection beyond signature-based identification, and confirm that tamper protection for the endpoint agent is enabled and that HVCI is actually running on managed endpoints, since the product's core claim is the ability to stop those very controls.
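As a practical complement to that advice, the following PowerShell posture check is an added example written for this article; it is not code from the article, from KrakenLabs, or from the NtKiller tool. It reports on the defender-side controls the advertisement claims to defeat: whether VBS and HVCI are really running (not merely configured), whether Defender tamper protection and real-time protection are on, the UAC policy values, and which kernel drivers are boot-start and not signed by Microsoft. The `Resolve-DriverPath` and `Get-EdrKillerPosture` function names are this example's own. It uses only built-in cmdlets and the documented `Win32_DeviceGuard` and `Win32_SystemDriver` classes, and should be run in an elevated session on the endpoint being checked.

```powershell
# Added example: defender-side posture check for the protections an EDR killer
# such as NtKiller claims to disable. Not part of the article or the tool.
# Run from an elevated PowerShell session on the endpoint under review.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                 # "\??\C:\..." -> "C:\..."
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot       # "\SystemRoot\..." -> "C:\Windows\..."
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # "system32\drivers\x.sys"
    return $p
}

function Get-EdrKillerPosture {
    [CmdletBinding()]
    param()

    # 1. VBS / HVCI ("memory integrity"). VirtualizationBasedSecurityStatus 2 = running;
    #    SecurityServicesRunning contains 2 when HVCI is enforced (1 = Credential Guard).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = (@($dg.SecurityServicesRunning) -contains 2)

    # 2. Defender tamper protection and real-time protection state.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # 3. UAC policy. EnableLUA=1 with ConsentPromptBehaviorAdmin=2 ("always notify")
    #    leaves the least room for a silent elevation; 5 is the default "notify for apps".
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -ErrorAction SilentlyContinue

    # 4. Boot-start kernel drivers load before user-mode security agents. Record the
    #    Authenticode state of each and flag anything not validly signed by Microsoft.
    $bootDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -eq 'Boot' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                        Get-AuthenticodeSignature -FilePath $path
                    } else { $null }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                SigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    $suspect = @($bootDrivers | Where-Object {
        $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
    })

    [pscustomobject]@{
        VbsRunning         = [bool]$vbsRunning
        HvciRunning        = [bool]$hvciRunning
        TamperProtected    = [bool]$mp.IsTamperProtected
        RealTimeProtection = [bool]$mp.RealTimeProtectionEnabled
        UacEnabled         = ($uac.EnableLUA -eq 1)
        UacAdminPrompt     = $uac.ConsentPromptBehaviorAdmin
        BootDriverCount    = @($bootDrivers).Count
        SuspectBootDrivers = $suspect
    }
}

# Usage: summary first, then the boot-start drivers worth a second look.
$posture = Get-EdrKillerPosture
$posture | Select-Object VbsRunning, HvciRunning, TamperProtected, RealTimeProtection,
                         UacEnabled, UacAdminPrompt, BootDriverCount | Format-List
$posture.SuspectBootDrivers | Format-Table Name, SigStatus, Signer, Path -AutoSize
```

Two caveats on reading the output. A `SuspectBootDrivers` entry is a triage lead, not an alert: legitimate third-party boot-start drivers (an EDR vendor's own early-launch driver, storage or virtualisation drivers) are validly signed but not by Microsoft, so compare the list against a known-good baseline from the same image. And `HvciRunning` can be false on hardware that does not support it even when policy enables it; the distinction between "configured" and "running" is exactly the state an HVCI-disabling tool would try to change, which is why the check reads `SecurityServicesRunning` rather than the configured value.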
