Hackers Promote “VOID” AV Killer Claiming Kernel-Level Defense Evasion

A threat actor operating under the handle Crypt4You has begun advertising a sophisticated new offensive tool on underground cybercrime forums, marketed as a “kernel-level” security neutralization utility.

Dubbed VOID KILLER, the malware is designed explicitly to terminate antivirus (AV) and Endpoint Detection and Response (EDR) processes, positioning itself as a more aggressive alternative to traditional “crypters” that merely hide malicious code.

For years, cybercriminals have relied on “crypters”, tools that obfuscate malware code to bypass static analysis and signature-based detection.

However, modern behavioral analysis and cloud-based heuristics often catch these payloads once they begin executing.

VOID KILLER represents a shift in tactics: rather than trying to hide from the antivirus, the tool attempts to kill the antivirus process entirely before it can trigger an alert.

According to advertisements monitored by threat intelligence researchers, the actor claims VOID KILLER can instantly terminate Windows Defender and over 50 other consumer antivirus products.

The seller boasts a “0 detection” rate for both scantime (when the file is at rest on disk) and runtime (when the file executes), a claim that, if true, would suggest advanced obfuscation or the abuse of a legitimately signed driver.

Kernel-Level Capabilities and Claims

The most alarming feature of VOID KILLER is its alleged “kernel-level” termination capability. In the Windows operating system, the “kernel” is the core component that has complete control over everything in the system.

Most consumer applications run in “user mode” with restricted privileges. Security software, however, utilizes kernel-mode drivers to protect itself from being disabled by malware.

By claiming “kernel-level” termination, the developers of VOID KILLER are implying they have found a way to operate with the highest possible privileges, most likely through a technique known as Bring Your Own Vulnerable Driver (BYOVD).

This method involves deploying a legitimate, digitally signed driver that contains known vulnerabilities, which the malware then exploits to gain kernel access and bypass or strip security protections such as Microsoft’s Antimalware Protected Process Light (AM-PPL), the mechanism that otherwise prevents even an administrator from terminating Microsoft Defender’s processes from user mode.

The explicit targeting of EDR processes mirrors verified trends seen in high-profile ransomware attacks, where threat actors use specialized tools (such as “Terminator” or “AuKill”) to blind defenders before encrypting networks.

Features and Pricing

The advertisement details a suite of features designed for intermediate-to-advanced threat actors:

  • Polymorphic Builds: The tool reportedly generates a “fresh hash” for each build, changing its digital fingerprint to evade signature-based blocklists.
  • Auto UAC Bypass: It claims to automatically bypass User Account Control, allowing it to elevate privileges without alerting the victim.
  • Payload Agnostic: The killer acts as a wrapper or dropper, meaning it can be used to deliver any type of malicious executable, from ransomware to infostealers.

The tool is currently being sold for $300 per custom build, payable in cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), and Monero (XMR).

Notably, the seller offers enterprise-grade EDR/XDR termination, specifically naming industry leaders such as CrowdStrike and SentinelOne, as a separate and presumably more expensive premium service.

While the threat actor has shared a demo video purportedly showing the tool in action, security experts urge caution.

Claims of “0 detection” are common in the cybercrime underground and are often exaggerated to scam lower-level criminals.

As this tool enters the market, organizations are advised to monitor for attempts to load vulnerable drivers (for example, by checking driver-load telemetry such as Sysmon Event ID 6 against a maintained vulnerable-driver blocklist and enforcing Microsoft’s vulnerable driver blocklist) and to ensure their endpoint protection platforms have tamper protection enabled to resist process termination attempts.
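The driver-load monitoring recommended above can be started with the telemetry most environments already collect. The following Python script is an added example written for this article; it is not code from the advertisement, the researchers, or any vendor. It triages Sysmon Event ID 6 (DriverLoad) records against three signals: a SHA256 match on a vulnerable-driver list, an unsigned or invalidly signed image, and a load from outside the standard driver directories. The three event records and the blocklist hashes are constructed placeholders, and the path and vendor name in them are invented; in production the hashes come from a maintained list such as Microsoft’s recommended driver block rules. The hash check matters most because a vendor-signed vulnerable driver cannot be rebuilt with a “fresh hash” without breaking its signature, so it is the one artifact a polymorphic killer cannot vary.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD-style driver loads.

Added example, not code from the article or any vendor. Sample events and
blocklist hashes are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Placeholder blocklist (constructed, NOT real hashes). Load a real list keyed by
# SHA256 in production; a signed driver's hash cannot change without breaking its
# signature, so it is the stable indicator a "fresh hash" build cannot alter.
VULNERABLE_DRIVER_SHA256 = {
    "11" * 32: "placeholder vulnerable driver A",
    "22" * 32: "placeholder vulnerable driver B",
}

# Directories from which properly installed drivers are normally loaded.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon Event 6 records: a normal Microsoft driver, a signed driver
# on the placeholder blocklist dropped into a user-writable folder, and an
# unsigned driver loaded from the Temp directory.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-01-10 09:12:01.004</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\tcpip.sys</Data>
    <Data Name="Hashes">SHA256=3333333333333333333333333333333333333333333333333333333333333333</Data>
    <Data Name="Signed">true</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-01-10 09:14:37.210</Data>
    <Data Name="ImageLoaded">C:\Users\Public\vd.sys</Data>
    <Data Name="Hashes">SHA256=1111111111111111111111111111111111111111111111111111111111111111</Data>
    <Data Name="Signed">true</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-01-10 09:15:02.551</Data>
    <Data Name="ImageLoaded">C:\Windows\Temp\x.sys</Data>
    <Data Name="Hashes">SHA256=4444444444444444444444444444444444444444444444444444444444444444</Data>
    <Data Name="Signed">false</Data>
    <Data Name="SignatureStatus">Unavailable</Data>
  </EventData>
</Event>
</Events>"""


def parse_driver_loads(xml_text):
    """Return one {field: value} dict per Event ID 6 record in the XML."""
    root = ET.fromstring(xml_text)
    records = []
    for event in root.iterfind(".//{*}Event"):
        if event.findtext(".//{*}EventID") != "6":
            continue
        records.append({d.get("Name"): (d.text or "") for d in event.iterfind(".//{*}Data")})
    return records


def assess(record):
    """Return (severity, reason) findings for one driver-load record."""
    findings = []
    image = record.get("ImageLoaded", "")
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", record.get("Hashes", ""))
    sha256 = m.group(1).lower() if m else ""
    if sha256 in VULNERABLE_DRIVER_SHA256:
        findings.append(("high", "SHA256 on vulnerable-driver list: " + VULNERABLE_DRIVER_SHA256[sha256]))
    if record.get("Signed", "").lower() != "true" or record.get("SignatureStatus") != "Valid":
        findings.append(("medium", "unsigned driver or invalid signature"))
    if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        # Weak signal on its own: some killers copy the driver into
        # System32\drivers, which is why the hash check above matters.
        findings.append(("low", "loaded from outside the standard driver directories"))
    return findings


def triage(xml_text):
    """Run assess() over every driver load and keep only records with findings."""
    hits = []
    for rec in parse_driver_loads(xml_text):
        findings = assess(rec)
        if findings:
            hits.append({"time": rec.get("UtcTime"), "image": rec.get("ImageLoaded"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["time"], hit["image"])
        for severity, reason in hit["findings"]:
            print("   ", severity.upper(), reason)
```

On a real host the input comes from the Microsoft-Windows-Sysmon/Operational log exported as XML (Event ID 6); the same three checks apply unchanged. Treat the path rule as a low-confidence signal only, since a signed vulnerable driver loaded from the expected directory still passes it, and pair the script with Defender’s tamper protection and the vulnerable driver blocklist so that a matching driver is blocked rather than merely reported.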
