EDR Archives

Winsage

January 12, 2026

EDRStartupHinder Disables Antivirus and EDR Protections During Windows 11 25H2 Startup

A new tool named EDRStartupHinder was unveiled on January 11, 2026, which allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.

Winsage

January 7, 2026

Hackers Use Fake Windows BSOD To Spread Malware

Security researchers have identified a social engineering campaign that mimics the Windows Blue Screen of Death (BSOD) to deceive users into installing a remote access Trojan (RAT). The campaign, named PHALT#BLYX, begins with phishing emails that appear to be legitimate cancellation notices from travel websites, leading victims to a fake login page and an interactive CAPTCHA. This culminates in a full-screen imitation of the BSOD, prompting users to follow instructions that ultimately allow attackers to gain control of their computers. The attackers use a “ClickFix” process that involves executing commands through native Windows tools like PowerShell and MSBuild, making detection more challenging. The malware delivered is an obfuscated version of DCRat, which provides attackers with remote control capabilities, keylogging, and the ability to download additional malware. The campaign primarily targets hotels and hospitality businesses in Europe, exploiting the urgency of front-desk staff to respond to apparent technical issues. Indicators of a fake BSOD include the ability to interact with the screen, requests to execute commands via Windows tools, and the presence of CAPTCHA prompts. Organizations are advised to train employees, implement application control, enhance email and web defenses, and prepare for incident response to mitigate risks associated with such attacks.

Tech Optimizer

December 30, 2025

Hackers Advertised VOID ‘AV Killer’ with Kernel-level Termination Claims

A new threat actor named Crypt4You is promoting a tool called VOID KILLER on underground forums and dark web marketplaces. VOID KILLER is designed as a kernel-level antivirus and endpoint detection response process killer, specifically engineered to bypass existing security defenses. It targets the core of operating systems to dismantle protective barriers, posing a significant challenge to contemporary defensive architectures. VOID KILLER can terminate Windows Defender and around fifty consumer-grade antivirus solutions without detection, utilizing polymorphic build techniques to evade signature-based detection systems. It features automatic User Account Control (UAC) bypass mechanisms and can inject any executable file, making it compatible with various malware families. Custom builds of VOID KILLER are priced at three hundred dollars, and payment is accepted in cryptocurrencies. Organizations using Windows Defender, consumer antivirus software, and advanced EDR solutions face increased risk exposure due to this tool.

Tech Optimizer

December 28, 2025

Threat Actors Advertised NtKiller Malware on Dark Web Claiming Terminate Antivirus and EDR Bypass

A malicious entity named AlphaGhoul has introduced a tool called NtKiller, designed to disable antivirus software and endpoint detection systems, posing a threat to organizations using traditional security measures. NtKiller was advertised on an underground forum, claiming to allow attackers to operate undetected while executing malware. It reportedly circumvents security programs like Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro, and can bypass enterprise-grade Endpoint Detection and Response solutions in aggressive modes. Analysts from KrakenLabs noted that NtKiller uses early-boot persistence mechanisms to evade detection and operates on a modular pricing structure, with core functionality available for [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: A malicious entity known as AlphaGhoul has recently surfaced within the cybercriminal underworld, promoting a tool dubbed NtKiller. This tool is engineered to discreetly disable antivirus software and endpoint detection systems, posing a new threat to organizations that rely on traditional security measures. NtKiller was unveiled on an underground forum frequented by individuals seeking to buy and sell hacking services. The advertisement claims that this tool enables attackers to operate undetected while executing their malware on compromised machines. The introduction of NtKiller signifies a formidable challenge for businesses that depend on established security solutions. According to the threat actor, the tool is capable of circumventing several widely-used security programs, including Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro. Alarmingly, it is also said to bypass enterprise-grade Endpoint Detection and Response (EDR) solutions when utilized in aggressive modes. Analysts from KrakenLabs have observed that NtKiller employs early-boot persistence mechanisms, allowing it to remain concealed and evade detection by security teams once activated. This stealthy approach complicates efforts to identify and eliminate the malware. Further investigation by KrakenLabs revealed that NtKiller operates on a modular pricing structure. The core functionality is available for 0, with additional features such as rootkit capability and User Account Control (UAC) bypass each priced at an extra 0. This pricing model indicates that the tool has been meticulously crafted for commercial distribution within the cybercriminal ecosystem. Beyond merely terminating processes, NtKiller is purported to support advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Technical capabilities The technical features attributed to NtKiller render it particularly perilous in the hands of adept attackers. The tool's early-boot persistence mechanism allows it to embed itself during system startup, prior to the activation of many security monitoring systems. This timing advantage facilitates the execution of malicious payloads in an environment where detection capabilities are significantly diminished. Moreover, the anti-debugging and anti-analysis protections embedded within NtKiller hinder researchers and automated tools from scrutinizing the malware's behavior, resulting in a substantial knowledge gap regarding its true capabilities versus its promotional claims. Another critical feature is the silent UAC bypass option, which enables malware to acquire elevated system privileges without triggering standard Windows prompts that could alert users to suspicious activities. When combined with rootkit functionality, this allows attackers to maintain persistent access to compromised systems while remaining undetected by conventional security measures. It is essential to highlight that these capabilities have yet to be independently verified by third-party researchers, leaving the actual effectiveness of NtKiller uncertain. Organizations are urged to remain vigilant and ensure their security tools incorporate behavioral detection mechanisms that extend beyond signature-based identification to effectively combat such emerging threats. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google." max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"] and additional features priced at 0 each. The tool supports advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Its silent User Account Control bypass option allows malware to gain elevated privileges without alerting users. The effectiveness of NtKiller's capabilities has not been independently verified, prompting organizations to enhance their security measures beyond signature-based detection.

Tech Optimizer

December 24, 2025

Antivirus vs Endpoint Security in 2025: Which Protection Do You Really Need?

In 2025, users must choose between traditional antivirus software and modern endpoint security solutions for their digital safety. Antivirus software has evolved to include machine learning and cloud-based threat analysis, effectively combating various malware types but primarily protects individual devices. It is user-friendly and suitable for casual users but struggles against sophisticated attacks and lacks centralized management. Endpoint security, on the other hand, secures all network-connected devices and employs advanced technologies like AI-driven threat detection and real-time behavioral analytics. It offers proactive monitoring and automated threat responses, making it essential for businesses and professionals handling sensitive information. Endpoint security provides centralized management and a broader range of protections but is typically more expensive and may require technical expertise to set up. The choice between the two solutions depends on individual needs: casual users may prefer antivirus software, while professionals and businesses benefit from the comprehensive protection of endpoint security. As cyber threats become more complex, endpoint security is becoming the standard due to its proactive and automated defense capabilities.

Tech Optimizer

December 9, 2025

Warning! Engineered Linux Malware Can Bypass Next-Gen Anti-Virus Solutions – Open Source For You

The author created a custom reverse TCP payload using Python, packaged it into an .elf executable, and tested its stealthiness against antivirus software. The payload included functionalities such as webcam snapshots, keylogging, screen capture, and file transfers. Established tools for obfuscation often triggered antivirus alerts, prompting the author to develop a custom solution to avoid signature-based detection, maintain behavioral control, and gain insights into detection engines. The payload was designed to connect back to the attacker's machine and execute commands, while the listener processed incoming data. After compiling the binary, it was submitted to VirusTotal, where only four out of 64 antivirus engines flagged it, indicating that custom code can bypass many next-gen antivirus products.

Winsage

November 25, 2025

ClickFix Attack Uses Steganography to Hide Malicious Code in Fake Windows Security Update Screen

A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.

Tech Optimizer

November 18, 2025

SilentButDeadly: New Tool Blocks Network Traffic to Bypass EDR and Antivirus

A newly released open-source tool called SilentButDeadly, developed by Ryan Framiñán and launched on November 2, 2025, can disable Endpoint Detection and Response (EDR) systems and antivirus software without terminating processes. It exploits the Windows Filtering Platform to sever cloud connectivity for security products, leaving systems vulnerable to attacks. SilentButDeadly operates through a seven-phase execution sequence, starting with verifying administrator privileges, then scanning for active EDR processes like SentinelOne and Windows Defender. It establishes network filters that block communications for these security applications, preventing them from receiving updates or transmitting telemetry data. The tool also attempts to disable EDR services by changing their startup types. SilentButDeadly features dynamic, self-cleaning filters and builds on techniques from EDRSilencer, introducing enhanced operational safety. Organizations using cloud-based threat detection face risks when their security solutions lose connectivity. Security teams are advised to monitor Windows event logs for specific filter creation events and implement real-time monitoring and redundant communication channels for EDR telemetry.

Tech Optimizer

November 17, 2025

SilentButDeadly – A Network Communication Blocker That Neutralizes EDR and AV Tools

A new endpoint detection and response (EDR) evasion technique called SilentButDeadly has been identified, which exploits vulnerabilities in security software by using a network communication blocker that leverages the Windows Filtering Platform (WFP). This technique disrupts EDR and antivirus solutions' cloud connectivity without terminating processes or manipulating the kernel. SilentButDeadly operates through a seven-phase execution sequence, starting with verifying administrator privileges and discovering EDR solutions like SentinelOne and Windows Defender. It establishes dynamic WFP sessions with high-priority filtering rules to block outbound telemetry and inbound command-and-control communications, preventing EDR solutions from receiving updates and executing remote management commands. Additionally, it attempts to disable EDR services, hindering automatic restarts and background monitoring. This technique highlights a significant architectural vulnerability in EDR systems that rely on network connectivity. To mitigate this threat, security teams can monitor Windows event logs for specific Event IDs related to WFP filter creation and implement real-time monitoring and redundant communication channels. SilentButDeadly requires administrator privileges and is ineffective against EDR solutions protected by kernel-level network drivers.

Tech Optimizer

November 15, 2025

RONINGLOADER Weaponizes Signed Drivers to Disable Defender and Evade EDR Tools

A new malware called RONINGLOADER specifically targets Chinese users and can disable security tools. It operates as a multi-stage loader that spreads a modified version of gh0st RAT and bypasses antivirus protections. RONINGLOADER infiltrates systems through fake software installers that mimic legitimate applications like Google Chrome and Microsoft Teams. Once inside, it disables Windows Defender and Chinese security solutions such as Qihoo 360 Total Security and Huorong. The malware uses a signed driver that appears legitimate to Windows but is designed to terminate security processes. If one method of disabling security fails, RONINGLOADER has multiple fallback strategies. The Dragon Breath APT group is behind this campaign, having refined their techniques based on previous operations. The infection begins with a trojanized NSIS installer that drops components onto the victim's system. One installer deploys genuine software, while the other initiates the attack chain. RONINGLOADER creates a directory at C:Program FilesSnieoatwtregoable and deposits two files: Snieoatwtregoable.dll and an encrypted file named tp.png. The DLL decrypts tp.png using XOR encryption and a rotation operation, then loads new system libraries to eliminate security hooks. It elevates privileges using the runas command and scans for active security software, specifically targeting Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. To terminate these processes, it uses a signed driver named ollama.sys, which is digitally signed by Kunming Wuqi E-commerce Co., Ltd. This driver can terminate processes using kernel-level APIs that standard security tools cannot intercept. Additionally, RONINGLOADER blocks network connections for Qihoo 360 before injecting code into the Volume Shadow Copy service process, utilizing Windows thread pools with file write triggers to evade detection.