The Silence of the Scans: New NtKiller Utility Disables Antivirus at the Root
A new commodity has surfaced on underground forums for those seeking to operate more quietly—and for longer. An actor using the alias AlphaGhoul has begun promoting a utility called NtKiller, which, according to its author, can stealthily disable antivirus software and endpoint detection tools, enabling malicious payloads to run on compromised machines while evading detection.
Promotional materials claim that NtKiller operates effectively against widely used solutions, including Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro. It is further alleged that, in aggressive modes, the tool can bypass corporate EDR platforms—an especially troubling assertion for organizations that rely on conventional defensive stacks.
Researchers at KrakenLabs have drawn attention to NtKiller’s purported ability to persist via early-boot mechanisms. The idea is straightforward: the tool embeds itself during Windows startup, before many monitoring components are fully initialized and able to observe system activity. This narrow temporal window grants attackers a cleaner execution environment in which to deploy payloads with minimal risk of detection, while making subsequent removal considerably more difficult.
According to the researchers, the utility is sold under a modular pricing model. Core functionality is listed at $500, with add-ons such as rootkit capabilities and UAC bypass offered for an additional $300 each. The pricing and packaging suggest a deliberate attempt to productize the tool as a commercial offering designed for steady sales within the criminal marketplace.
Marketing materials for NtKiller describe capabilities that go well beyond merely terminating security processes. Among the advertised techniques are evasion methods involving the disabling of HVCI, manipulation of VBS, and circumvention of memory integrity protections. The tool is also said to incorporate anti-debugging and anti-analysis measures, complicating both manual investigation and automated scrutiny—widening the gap between marketing claims and verifiable behavior.
Another particularly dangerous feature touted in the advertisements is a “silent” UAC bypass, purportedly granting elevated privileges without triggering the familiar Windows prompts that might alert users. When combined with rootkit functionality, this could allow attackers to maintain long-term access with minimal visibility to standard monitoring solutions.
At the same time, it bears emphasizing that these claims have not yet been independently validated by third-party researchers, and NtKiller’s real-world effectiveness remains uncertain. Against this backdrop, organizations are advised to remain vigilant and to rely not solely on signature-based defenses, but also on behavioral detection mechanisms capable of responding to attempts to suppress security controls and establish covert persistence within systems.
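The advice above to watch for attempts to suppress security controls (and the article's mention of HVCI/VBS tampering and early-boot persistence) can be turned into a concrete detection rule. The following is an added example and is not code from the article or from the tool it describes: it scans Windows event-log records for a handful of well-known signals (Defender Operational events 5001/5010/5013, System events 7036 and 7045, Sysmon event 13 writes to the HVCI `Enabled` value). The log records, the service name `examplesvc`, the driver path and the simplified record layout are all constructed for the demonstration; the service-name list for third-party products is an assumption that should be adjusted to your own estate.

```python
"""Flag Windows event-log records that suggest security controls are being
suppressed or an early-boot foothold is being installed.

Added example for this article; not NtKiller code and not the article's own.
Event IDs and channel names are standard Windows ones; the record layout
(channel, event_id, message) is a simplified assumption, and all sample
records below are constructed."""
import re
from dataclasses import dataclass

@dataclass
class Event:
    channel: str
    event_id: int
    message: str

# Assumption: service names for the products named in the article's claims.
# Extend to whatever security services actually run in your environment.
SECURITY_SERVICES = {"WinDefend", "Sense", "ekrn", "AVP", "vsserv", "ntrtscan"}

# Registry value that controls HVCI (memory integrity). A write of 0 here is
# the kind of configuration change the article's "disabling HVCI" claim implies.
HVCI_VALUE = r"\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled"

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

def classify(ev: Event):
    """Return an alert label for a single record, or None if it is benign."""
    if ev.channel == DEFENDER_CHANNEL:
        if ev.event_id == 5001:
            return "defender_realtime_protection_disabled"
        if ev.event_id == 5010:
            return "defender_scanning_disabled"
        if ev.event_id == 5013:
            return "defender_tamper_protection_blocked_change"
    if ev.channel == "System" and ev.event_id == 7036:
        m = re.match(r"The (\S+) service entered the stopped state", ev.message)
        if m and m.group(1) in SECURITY_SERVICES:
            return f"security_service_stopped:{m.group(1)}"
    if ev.channel == "System" and ev.event_id == 7045:
        text = ev.message.lower()
        # A kernel driver registered to start at boot runs before most
        # monitoring is up: the window the article describes.
        if "service type: kernel mode driver" in text and "start type: boot start" in text:
            return "boot_start_kernel_driver_installed"
    if ev.channel == SYSMON_CHANNEL and ev.event_id == 13:
        text = ev.message.lower()
        if HVCI_VALUE.lower() in text and text.rstrip().endswith("dword (0x00000000)"):
            return "hvci_disabled_via_registry"
    return None

def detect_suppression(events):
    """Return (record index, label) for every record that matches a rule."""
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]

# Constructed sample records: four should alert, three should not.
SAMPLE_EVENTS = [
    Event(DEFENDER_CHANNEL, 5001, "Real-time protection is disabled."),
    Event("System", 7036, "The WinDefend service entered the stopped state."),
    Event("System", 7036, "The Spooler service entered the stopped state."),
    Event("System", 7045,
          "A service was installed in the system.\r\n\r\n"
          "Service Name: examplesvc\r\n"
          "Service File Name: C:\\Windows\\System32\\drivers\\examplesvc.sys\r\n"
          "Service Type: kernel mode driver\r\n"
          "Service Start Type: boot start\r\n"
          "Service Account: "),
    Event(SYSMON_CHANNEL, 13,
          r"Registry value set: TargetObject: HKLM\System\CurrentControlSet"
          r"\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled "
          "Details: DWORD (0x00000000)"),
    Event(SYSMON_CHANNEL, 13,
          r"Registry value set: TargetObject: HKLM\Software\Example\Setting "
          "Details: DWORD (0x00000001)"),
    Event(DEFENDER_CHANNEL, 1001, "Microsoft Defender Antivirus scan has finished."),
]

if __name__ == "__main__":
    for idx, label in detect_suppression(SAMPLE_EVENTS):
        print(f"record {idx}: {label}")
```

Each rule fires on its own, so a single stopped service or a single registry write is only a lead; in practice the value comes from correlating several of these labels on one host inside a short window, which is exactly the behavioral pattern the article recommends watching for rather than relying on a signature for the tool itself.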