
Threat Actors Advertised NtKiller Malware on Dark Web, Claiming Antivirus and EDR Bypass

In late December 2025, a tool known as NtKiller began appearing in advertisements on underground cybercrime forums, promoted as a utility that disables antivirus software and enterprise Endpoint Detection and Response (EDR) platforms.

The tool is advertised by a threat actor using the alias AlphaGhoul and is positioned as an auxiliary component: it is not meant to carry out an intrusion on its own, but to help other malware run undetected on an already compromised system.

Claims made in underground advertisements

According to forum posts, NtKiller is marketed as a commercially available tool with modular functionality. The advertised capabilities include terminating processes associated with well-known antivirus and EDR solutions, as well as optional modules for more advanced evasion techniques.

Additional claims include:

  • early-boot persistence mechanisms;

  • silent User Account Control (UAC) bypass;

  • anti-analysis and anti-debugging protections;

  • techniques aimed at bypassing Windows memory integrity (HVCI) and other virtualization-based security (VBS) features.

The pricing model described in the advertisements suggests that the tool is intended for resale and repeated use within the cybercriminal ecosystem.

What remains unverified

At the time of writing, no independent technical analysis has publicly confirmed that NtKiller performs as advertised, and no sample has been publicly analysed. There are also no confirmed reports of real-world intrusions in which the tool has been conclusively identified.

As is common in dark web marketplaces, such advertisements may contain exaggerated or unverified claims designed to attract buyers; the feature list should be read as a sales pitch, not as a capability assessment.

DIAMATIX Perspective

Tools designed to disable or evade security controls reflect a broader trend in attacker behavior. Even when specific tools are not fully validated, their appearance signals continued investment in evasion capabilities.

Defending against this class of threats requires:

  • behavior-based detection rather than reliance on signatures alone, since a tool that has never been analysed has no signature to match;

  • continuous monitoring and event correlation across endpoint, identity and network telemetry;

  • 24×7 SOC and MDR operations, so that tampering with security tooling is acted on before the follow-on payload runs;

  • visibility into early execution stages (boot-time persistence, privilege escalation) and into evasion attempts, in particular handle access to, termination of, or injection into antivirus and EDR processes.
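The kind of behaviour-based check the list above calls for, as an added example that is not part of the original article and not DIAMATIX or any vendor's detection content. Because no NtKiller sample has been publicly analysed, the logic below is not derived from the tool; it covers the generic behaviour the advertisement describes (terminating or tampering with security-product processes) and goes slightly beyond it by also catching kills through standard utilities such as taskkill. It runs over Sysmon-style events: Event ID 10 (ProcessAccess, whose GrantedAccess field is the Windows access mask the source process obtained on the target) and Event ID 1 (ProcessCreate). The list of security-product process names, the allow-list of OS processes, and the sample events are all assumptions constructed for the illustration.

```python
"""Constructed example: behaviour-based detection of EDR/AV tampering.

Flags (a) handles opened on security-product processes with terminate or
injection rights (Sysmon Event ID 10) and (b) kill utilities launched
against those processes (Sysmon Event ID 1). Process names, allow-list and
sample events are assumptions; nothing here comes from an NtKiller sample.
"""
import os

# Process access-mask bits from winnt.h relevant to tampering.
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Assumed, non-exhaustive list of security-product processes to protect.
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender Antivirus engine
    "mssense.exe",          # Microsoft Defender for Endpoint sensor
    "csfalconservice.exe",  # CrowdStrike Falcon sensor
    "sentinelagent.exe",    # SentinelOne agent
}

# Assumed allow-list: OS components that legitimately hold broad handles.
ALLOWED_SOURCES = {"wininit.exe", "csrss.exe", "services.exe", "lsass.exe"}

# Utilities commonly used to kill processes from the command line.
KILL_TOOLS = {"taskkill.exe", "pskill.exe"}


def _basename(path):
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _access_mask(value):
    """Sysmon logs GrantedAccess as a hex string such as '0x1FFFFF'."""
    return int(value, 16) if isinstance(value, str) else int(value)


def check_process_access(ev):
    """Event ID 10: a non-allow-listed process opened a handle to a security process."""
    src, tgt = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
    if tgt not in SECURITY_PROCESSES or src in ALLOWED_SOURCES or src in SECURITY_PROCESSES:
        return None
    mask = _access_mask(ev["GrantedAccess"])
    if mask & PROCESS_TERMINATE:
        kind = "terminate"
    elif mask & INJECT_MASK:
        kind = "inject"
    else:
        return None  # e.g. PROCESS_QUERY_LIMITED_INFORMATION alone is benign
    return {"rule": f"edr_{kind}_handle", "source": src, "target": tgt,
            "granted_access": hex(mask), "pid": ev["SourceProcessId"]}


def check_process_create(ev):
    """Event ID 1: a kill utility was launched naming a security process."""
    image = _basename(ev["Image"])
    if image not in KILL_TOOLS:
        return None
    for tok in ev["CommandLine"].lower().split():
        if tok.strip('"') in SECURITY_PROCESSES:
            return {"rule": "edr_kill_via_tool", "source": image,
                    "target": tok.strip('"'), "pid": ev["ProcessId"]}
    return None


def detect(events):
    """Run both checks over a sequence of event dicts; return the alerts."""
    alerts = []
    for ev in events:
        hit = None
        if ev["EventID"] == 10:
            hit = check_process_access(ev)
        elif ev["EventID"] == 1:
            hit = check_process_create(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (paths simplified; not real log data).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceProcessId": 4120, "GrantedAccess": "0x1401",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 10, "SourceProcessId": 512, "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 10, "SourceProcessId": 7788, "GrantedAccess": "0x1438",
     "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"EventID": 10, "SourceProcessId": 3000, "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "ProcessId": 9100, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": 'taskkill.exe /F /IM "MsMpEng.exe"'},
    {"EventID": 1, "ProcessId": 9101, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 10, "SourceProcessId": 4200, "GrantedAccess": "0x1000",
     "SourceImage": r"C:\Users\bob\tool.exe",
     "TargetImage": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Three of the seven sample events produce alerts: the terminate-capable handle on MsMpEng.exe, the write/create-thread handle on CSFalconService.exe, and the taskkill launch; the wininit.exe handle, the notepad.exe access, the plain cmd.exe and the query-only handle on MsSense.exe are ignored. In production the allow-list would be driven by signer and path rather than file name alone, and the kill-tool check would be joined to the process table so that `taskkill /PID` can be resolved, but the structure (access mask on a protected target, source not trusted) is what a behaviour rule for this class of tool looks like.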


Sources:

  • CybersecurityNews – Threat Actors Advertised NtKiller Malware on Dark Web

  • CyberPress – NtKiller Malware Promoted on Underground Forums

  • GBHackers – Dark Web Threat Actors Advertise NtKiller Malware
