Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
A $500 Tool Claims to Kill EDRs at Kernel Level: Inside the NtKiller Underground Ad

25 December 2025 11:33

An ad has surfaced on a closed underground forum frequented by malware operators and initial access brokers, attracting the attention of the cyber threat intelligence community. The post promotes “NtKiller,” a supposed “kernel-level” utility designed to silently disable antivirus and EDR products, with explicit references to rootkits, advanced persistence, and a zero-day UAC bypass.

The stated price is $500, with direct contact via Telegram and a list of “supported” security solutions that includes leading names: Windows Defender, ESET, Kaspersky, Bitdefender, Malwarebytes and others.

If authentic, the offer falls into the high-end category of cybercrime-as-a-service.

Disclaimer: This report includes screenshots and/or text from publicly available sources. The information provided is for threat intelligence and cybersecurity risk awareness purposes only. Red Hot Cyber condemns any unauthorized access, improper dissemination, or misuse of this data. It is currently not possible to independently verify the authenticity of the information reported, as the organization involved has not yet released an official statement on its website. Therefore, this article should be considered for informational and intelligence purposes only.

What are EDRs?

EDRs (Endpoint Detection and Response) are advanced security solutions designed to go beyond traditional antivirus. Their job is not only to block malicious files, but also to constantly monitor system behavior.

In summary, an EDR:

  • collects continuous telemetry from endpoints;
  • analyzes processes, system calls, drivers and memory;
  • correlates suspicious events over time;
  • enables active response, such as isolating a system or terminating a process.

Unlike classic AVs, many EDRs operate at the kernel level, making them more difficult to disable from malicious code running in user mode.

Why EDRs are a primary focus

In modern cybercrime, especially in ransomware operations and targeted intrusions, the first step after initial access is almost always the neutralization of defenses. An active EDR:

  • records the attacker’s actions;
  • can generate alerts in real time;
  • can interrupt the attack chain before its final phase.

For this reason, the ability to “blind” or silently disable EDRs has become a market value in underground forums.

How EDRs are bypassed (conceptual level)

Posts like the one on NtKiller reference publicly documented techniques, already observed in advanced APT and ransomware campaigns. These are not “magical” exploits, but deep abuses of the operating system’s architecture.

Among the macro-categories of bypass commonly discussed in underground circuits:

  1. Kernel-level abuse
    Raising malicious code to the same privilege level as the EDR dramatically reduces the defender’s capability. At this level, the contest becomes a “fight between equals.”
  2. Driver manipulation
    The use (or abuse) of signed but vulnerable drivers is a historically observed technique for performing privileged operations without a direct kernel exploit.
  3. Indirect deactivation
    Instead of “killing” the EDR, some malware aims to:
    • degrade its visibility;
    • interfere with its telemetry;
    • block its logging or communication components.
  4. Invisible persistence
    Rootkits and early-launch mechanisms allow malware to load before security solutions do.
  5. Bypassing elevation controls
    References to UAC bypass indicate techniques for gaining elevated privileges without alerting the user, often by exploiting the implicit trust placed in system components.
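As an added, defender-side illustration (not part of the original article, and not code from NtKiller or from any vendor), the following Python script shows how two of the categories above, driver manipulation and indirect deactivation, leave traces in endpoint telemetry that can be checked during threat hunting. The log lines are constructed in a simplified key=value form modeled on Sysmon Event ID 6 (DriverLoad) and the Service Control Manager’s Event ID 7036 (service stopped); the hashes, the `drv.sys` / `x.sys` names, and the blocklist are placeholders, and the protected-service list is an assumption to be replaced with the names of the EDR services actually deployed.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real events). Format is a simplified
# key=value rendering of Sysmon EventID 6 (driver loaded) and SCM EventID 7036
# (service entered the stopped state). Hashes and driver names are placeholders.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true '
    'Signature="Microsoft Windows" Hash=SHA256=PLACEHOLDER_HASH_A',
    'EventID=6 ImageLoaded=C:\\Users\\Public\\drv.sys Signed=true '
    'Signature="Example Vendor" Hash=SHA256=PLACEHOLDER_HASH_B',
    'EventID=6 ImageLoaded=C:\\Temp\\x.sys Signed=false Signature="" '
    'Hash=SHA256=PLACEHOLDER_HASH_C',
    'EventID=7036 Service="Microsoft Defender Antivirus Service" State=stopped',
    'EventID=7036 Service="Print Spooler" State=stopped',
]

# Hypothetical blocklist of known-vulnerable driver hashes. In production this
# would be populated from a vetted source, never hand-typed.
KNOWN_VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_HASH_B"}

# Assumed list of security services whose stop should always be investigated.
# Extend with the service names of the EDR actually deployed (lowercase).
PROTECTED_SERVICES = {"microsoft defender antivirus service"}

# Drivers legitimately live here; anything loaded from elsewhere deserves a look.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# key=value pairs; values may be double-quoted (and may then be empty).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value telemetry line into a dict."""
    return {
        m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
        for m in _KV.finditer(line)
    }


def evaluate(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply the detection rules to one parsed event and return any findings."""
    findings: List[Dict[str, str]] = []
    event_id = event.get("EventID")

    if event_id == "6":  # driver load
        path = event.get("ImageLoaded", "")
        # "Hash=SHA256=<value>": keep only the value part
        hash_value = event.get("Hash", "").split("=", 1)[-1]
        if hash_value in KNOWN_VULNERABLE_DRIVER_HASHES:
            findings.append({"rule": "known_vulnerable_driver", "severity": "high", "detail": path})
        if event.get("Signed", "").lower() != "true":
            findings.append({"rule": "unsigned_driver", "severity": "high", "detail": path})
        if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
            findings.append({"rule": "driver_outside_system_dir", "severity": "medium", "detail": path})

    elif event_id == "7036" and event.get("State", "").lower() == "stopped":
        name = event.get("Service", "")
        if name.lower() in PROTECTED_SERVICES:
            findings.append({"rule": "security_service_stopped", "severity": "high", "detail": name})

    return findings


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every line and flatten the findings."""
    return [f for line in lines for f in evaluate(parse_event(line))]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['rule']}: {finding['detail']}")
```

The three driver rules correspond to the “driver manipulation” category (a blocklisted hash, a missing signature, or a load from an unusual directory), while the service rule catches the simplest form of “indirect deactivation”, a protected service being stopped; in a real pipeline the same logic would run over the native event channels rather than constructed strings.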

Underground marketing and operational reality

It should be noted that not all advertisements on underground forums correspond to truly effective tools. Many are:

  • rebranding of already known tools;
  • proof-of-concept sold as “weapon-grade”;
  • real scams within the criminal world.

Posts like this confirm that:

  • EDRs remain central to defense;
  • the kernel has become a battlefield;
  • endpoint security must be complemented by behavioral monitoring, driver-model hardening, and proactive threat hunting.

For defenders, observing these forums is not about “learning to attack,” but about understanding how the adversary thinks, what promises are being sold, and what capabilities are considered “valuable” in the cybercriminal underworld.


Editorial Team

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.