A new defense evasion tool dubbed “NtKiller” has surfaced on underground cybercrime forums, marketed by a threat actor known as “AlphaGhoul.”
The utility is being aggressively promoted as a high-end solution for stealthily terminating antivirus (AV) and Endpoint Detection and Response (EDR) agents, potentially lowering the barrier for ransomware operators and initial access brokers to bypass enterprise defenses.
The advertisement, which appeared this week on a prominent exploit forum, positions NtKiller not just as a simple process killer, but as a comprehensive “defensive bypass enabler.”
AlphaGhoul claims the tool can silence security products without triggering alerts, a capability that is highly sought after in the cybercriminal ecosystem.
Most notably, the actor asserts that NtKiller supports HVCI (Hypervisor-Protected Code Integrity), VBS (Virtualization-based Security), and Memory Integrity, which is the name the Windows Security settings app uses for HVCI.
These features use the hypervisor to isolate a protected region of memory from the normal kernel and to enforce that only signed, integrity-verified code executes in kernel mode.
Because HVCI is enforced from the hypervisor rather than from inside the kernel it protects, a kernel-level payload cannot simply switch it off; "support" therefore most plausibly means the tool works on systems where these protections are enabled. That would be consistent with a Bring Your Own Vulnerable Driver (BYOVD) technique: a legitimately signed but exploitable driver passes code-integrity checks unless it appears on Microsoft's vulnerable driver blocklist, and the kernel primitives it exposes, such as arbitrary process termination or kernel memory writes, can then be turned against AV and EDR processes.
“Targets are terminated at launch, so your payload remains undetected,” the advertisement states.
The phrasing is ambiguous. It may mean only that security processes are killed when the tool starts, before the buyer's payload runs, or it may point to an early-start mechanism such as a boot-start driver that neutralizes EDR sensors before they fully initialize; the advertisement does not say which.
Modular Pricing and Features
NtKiller is being sold with a modular pricing structure, allowing buyers to customize their attack capabilities:
- Core NtKiller ($500): The base version includes the silent termination of “default” solutions (listed as Microsoft Defender, ESET, Kaspersky, Bitdefender, Trend Micro, and others), support for VBS/HVCI environments, and anti-debugging protections to frustrate security researchers.
- NtKiller Rootkit ($300): An add-on likely designed to hide the malware’s own processes, files, and registry keys from the operating system, ensuring long-term stealth.
- Silent UAC Bypass ($300): An optional module to bypass User Account Control prompts silently, facilitating privilege escalation without alerting the victim.
The total package cost of $1,100 places it in the mid-to-high tier for such utilities, suggesting the author targets serious criminal affiliates rather than “script kiddies.”
Unverified but Dangerous
While the claims made by AlphaGhoul are alarming, they have not yet been independently verified by third-party security researchers. It is common for forum sellers to exaggerate capabilities to drive sales.
However, the specificity of the feature set, particularly the references to operating under VBS and Memory Integrity, warrants close attention from the defensive community.
If functional, tools like NtKiller represent a significant threat to organizations relying solely on endpoint agents for protection.
Security teams are advised to monitor for the precursors of driver-based attacks: new kernel-driver services registered from unusual paths (System log event ID 7045), loads of drivers that appear on Microsoft's vulnerable driver blocklist (Sysmon event ID 6 records the image path and hashes), and unexpected stops of AV or EDR services (System log event ID 7036), which often precede the deployment of such evasion tools. Confirming that HVCI and the vulnerable driver blocklist are actually enforced on endpoints, rather than merely available, removes the easiest route for a BYOVD-based killer.
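As an added example (not code from the article or from any party it describes), the following Python script runs that triage over a handful of constructed event records modelled on System-log event IDs 7045 and 7036 and Sysmon event ID 6. The service name "ExampleEDR Agent", the all-zero SHA-256 value and the timestamps are placeholders, and the blocklist set is a stand-in for a real one such as Microsoft's vulnerable driver blocklist. A security-service stop that follows suspicious driver activity within two minutes is escalated, since that ordering is the signature of an EDR killer rather than of routine maintenance.

```python
"""Triage of Windows event records for EDR-killer precursors. Added example; sample
events, service names and the blocklisted hash below are constructed, not real data."""
import re
from datetime import datetime, timedelta

# Display names of security services whose unexpected stop should be investigated.
# Constructed, partial list: "ExampleEDR Agent" is a hypothetical product name.
PROTECTED_SERVICES = {"Windows Defender Antivirus Service", "ExampleEDR Agent"}

# Placeholder standing in for entries of a real blocklist (e.g. Microsoft's vulnerable
# driver blocklist). This value is not the hash of any real driver.
PLACEHOLDER_SHA256 = "00" * 32
BLOCKED_DRIVER_SHA256 = {PLACEHOLDER_SHA256}

# Kernel drivers are normally installed here; anything else deserves a look.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# A protected-service stop this soon after suspicious driver activity is escalated.
CORRELATION_WINDOW = timedelta(seconds=120)

# Constructed records modelled on Service Control Manager (System log) and Sysmon messages.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:14:02", "source": "System", "id": 7045,
     "message": "A service was installed in the system.\nService Name: drv_sample\n"
                "Service File Name: C:\\Windows\\Temp\\drv_sample.sys\n"
                "Service Type: kernel mode driver\nService Start Type: demand start\n"
                "Service Account: "},
    {"time": "2025-01-10T09:14:04", "source": "Sysmon", "id": 6,
     "message": "Driver loaded:\nImageLoaded: C:\\Windows\\Temp\\drv_sample.sys\n"
                f"Hashes: SHA256={PLACEHOLDER_SHA256}\nSigned: true\nSignatureStatus: Valid"},
    {"time": "2025-01-10T09:14:05", "source": "System", "id": 7036,
     "message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"time": "2025-01-10T09:14:06", "source": "System", "id": 7036,
     "message": "The ExampleEDR Agent service entered the stopped state."},
    {"time": "2025-01-10T09:30:00", "source": "System", "id": 7036,
     "message": "The Print Spooler service entered the running state."},
    {"time": "2025-01-10T10:00:00", "source": "System", "id": 7045,
     "message": "A service was installed in the system.\nService Name: vendorfilt\n"
                "Service File Name: \\SystemRoot\\System32\\drivers\\vendorfilt.sys\n"
                "Service Type: kernel mode driver\nService Start Type: boot start\n"
                "Service Account: "},
    {"time": "2025-01-10T11:00:00", "source": "System", "id": 7036,
     "message": "The Windows Defender Antivirus Service service entered the stopped state."},
]


def _field(message, name):
    """Pull one 'Name: value' line out of a multi-line event message."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", message, re.MULTILINE)
    return m.group(1).strip() if m else ""


def _norm_path(path):
    """Lower-case, unquote and expand the SystemRoot-relative forms SCM writes."""
    p = path.strip().strip('"').lower()
    for prefix, expanded in (("\\systemroot\\", "c:\\windows\\"),
                             ("%systemroot%\\", "c:\\windows\\"),
                             ("system32\\", "c:\\windows\\system32\\")):
        if p.startswith(prefix):
            return expanded + p[len(prefix):]
    return p


def triage(events):
    """Return (time, severity, reason) findings in time order."""
    findings, driver_times = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        t, msg = datetime.fromisoformat(ev["time"]), ev["message"]
        if ev["source"] == "System" and ev["id"] == 7045:
            # New service whose binary is a kernel driver outside the usual driver directory.
            if "kernel mode driver" in _field(msg, "Service Type").lower():
                path = _norm_path(_field(msg, "Service File Name"))
                if not path.startswith(DRIVER_DIR):
                    findings.append((ev["time"], "medium",
                                     f"kernel driver service installed from unusual path: {path}"))
                    driver_times.append(t)
        elif ev["source"] == "Sysmon" and ev["id"] == 6:
            # Driver load whose SHA256 is blocklisted, regardless of a valid signature.
            hashes = dict(h.split("=", 1) for h in _field(msg, "Hashes").split(",") if "=" in h)
            if hashes.get("SHA256", "").lower() in BLOCKED_DRIVER_SHA256:
                findings.append((ev["time"], "high",
                                 f"blocklisted driver loaded: {_field(msg, 'ImageLoaded')}"))
                driver_times.append(t)
        elif ev["source"] == "System" and ev["id"] == 7036:
            m = re.match(r"The (.+) service entered the stopped state\.$", msg)
            if m and m.group(1) in PROTECTED_SERVICES:
                recent = any(timedelta(0) <= t - d <= CORRELATION_WINDOW for d in driver_times)
                reason = f"security service stopped: {m.group(1)}"
                if recent:
                    reason += " shortly after suspicious driver activity"
                findings.append((ev["time"], "critical" if recent else "high", reason))
    return findings


if __name__ == "__main__":
    for time, severity, reason in triage(SAMPLE_EVENTS):
        print(f"{time} [{severity}] {reason}")
```

Run against real data by exporting the System log and Sysmon operational log (for example with Get-WinEvent) into the same time/source/id/message shape; the benign boot-start driver under System32\drivers and the Print Spooler transition in the sample produce no findings, while the two Defender stops show the difference a preceding driver event makes to the severity.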
