endpoint detection Archives

Winsage

January 12, 2026

EDRStartupHinder Disables Antivirus and EDR Protections During Windows 11 25H2 Startup

A new tool named EDRStartupHinder was unveiled on January 11, 2026, which allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.

Winsage

January 7, 2026

Hackers Use Fake Windows BSOD To Spread Malware

Security researchers have identified a social engineering campaign that mimics the Windows Blue Screen of Death (BSOD) to deceive users into installing a remote access Trojan (RAT). The campaign, named PHALT#BLYX, begins with phishing emails that appear to be legitimate cancellation notices from travel websites, leading victims to a fake login page and an interactive CAPTCHA. This culminates in a full-screen imitation of the BSOD, prompting users to follow instructions that ultimately allow attackers to gain control of their computers. The attackers use a “ClickFix” process that involves executing commands through native Windows tools like PowerShell and MSBuild, making detection more challenging. The malware delivered is an obfuscated version of DCRat, which provides attackers with remote control capabilities, keylogging, and the ability to download additional malware. The campaign primarily targets hotels and hospitality businesses in Europe, exploiting the urgency of front-desk staff to respond to apparent technical issues. Indicators of a fake BSOD include the ability to interact with the screen, requests to execute commands via Windows tools, and the presence of CAPTCHA prompts. Organizations are advised to train employees, implement application control, enhance email and web defenses, and prepare for incident response to mitigate risks associated with such attacks.

Tech Optimizer

December 30, 2025

Hackers Advertised VOID ‘AV Killer’ with Kernel-level Termination Claims

A new threat actor named Crypt4You is promoting a tool called VOID KILLER on underground forums and dark web marketplaces. VOID KILLER is designed as a kernel-level antivirus and endpoint detection response process killer, specifically engineered to bypass existing security defenses. It targets the core of operating systems to dismantle protective barriers, posing a significant challenge to contemporary defensive architectures. VOID KILLER can terminate Windows Defender and around fifty consumer-grade antivirus solutions without detection, utilizing polymorphic build techniques to evade signature-based detection systems. It features automatic User Account Control (UAC) bypass mechanisms and can inject any executable file, making it compatible with various malware families. Custom builds of VOID KILLER are priced at three hundred dollars, and payment is accepted in cryptocurrencies. Organizations using Windows Defender, consumer antivirus software, and advanced EDR solutions face increased risk exposure due to this tool.

Tech Optimizer

December 28, 2025

Threat Actors Advertised NtKiller Malware on Dark Web Claiming Terminate Antivirus and EDR Bypass

A malicious entity named AlphaGhoul has introduced a tool called NtKiller, designed to disable antivirus software and endpoint detection systems, posing a threat to organizations using traditional security measures. NtKiller was advertised on an underground forum, claiming to allow attackers to operate undetected while executing malware. It reportedly circumvents security programs like Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro, and can bypass enterprise-grade Endpoint Detection and Response solutions in aggressive modes. Analysts from KrakenLabs noted that NtKiller uses early-boot persistence mechanisms to evade detection and operates on a modular pricing structure, with core functionality available for [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: A malicious entity known as AlphaGhoul has recently surfaced within the cybercriminal underworld, promoting a tool dubbed NtKiller. This tool is engineered to discreetly disable antivirus software and endpoint detection systems, posing a new threat to organizations that rely on traditional security measures. NtKiller was unveiled on an underground forum frequented by individuals seeking to buy and sell hacking services. The advertisement claims that this tool enables attackers to operate undetected while executing their malware on compromised machines. The introduction of NtKiller signifies a formidable challenge for businesses that depend on established security solutions. According to the threat actor, the tool is capable of circumventing several widely-used security programs, including Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro. Alarmingly, it is also said to bypass enterprise-grade Endpoint Detection and Response (EDR) solutions when utilized in aggressive modes. Analysts from KrakenLabs have observed that NtKiller employs early-boot persistence mechanisms, allowing it to remain concealed and evade detection by security teams once activated. This stealthy approach complicates efforts to identify and eliminate the malware. Further investigation by KrakenLabs revealed that NtKiller operates on a modular pricing structure. The core functionality is available for 0, with additional features such as rootkit capability and User Account Control (UAC) bypass each priced at an extra 0. This pricing model indicates that the tool has been meticulously crafted for commercial distribution within the cybercriminal ecosystem. Beyond merely terminating processes, NtKiller is purported to support advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Technical capabilities The technical features attributed to NtKiller render it particularly perilous in the hands of adept attackers. The tool's early-boot persistence mechanism allows it to embed itself during system startup, prior to the activation of many security monitoring systems. This timing advantage facilitates the execution of malicious payloads in an environment where detection capabilities are significantly diminished. Moreover, the anti-debugging and anti-analysis protections embedded within NtKiller hinder researchers and automated tools from scrutinizing the malware's behavior, resulting in a substantial knowledge gap regarding its true capabilities versus its promotional claims. Another critical feature is the silent UAC bypass option, which enables malware to acquire elevated system privileges without triggering standard Windows prompts that could alert users to suspicious activities. When combined with rootkit functionality, this allows attackers to maintain persistent access to compromised systems while remaining undetected by conventional security measures. It is essential to highlight that these capabilities have yet to be independently verified by third-party researchers, leaving the actual effectiveness of NtKiller uncertain. Organizations are urged to remain vigilant and ensure their security tools incorporate behavioral detection mechanisms that extend beyond signature-based identification to effectively combat such emerging threats. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google." max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"] and additional features priced at 0 each. The tool supports advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Its silent User Account Control bypass option allows malware to gain elevated privileges without alerting users. The effectiveness of NtKiller's capabilities has not been independently verified, prompting organizations to enhance their security measures beyond signature-based detection.

Tech Optimizer

December 24, 2025

Antivirus vs Endpoint Security in 2025: Which Protection Do You Really Need?

In 2025, users must choose between traditional antivirus software and modern endpoint security solutions for their digital safety. Antivirus software has evolved to include machine learning and cloud-based threat analysis, effectively combating various malware types but primarily protects individual devices. It is user-friendly and suitable for casual users but struggles against sophisticated attacks and lacks centralized management. Endpoint security, on the other hand, secures all network-connected devices and employs advanced technologies like AI-driven threat detection and real-time behavioral analytics. It offers proactive monitoring and automated threat responses, making it essential for businesses and professionals handling sensitive information. Endpoint security provides centralized management and a broader range of protections but is typically more expensive and may require technical expertise to set up. The choice between the two solutions depends on individual needs: casual users may prefer antivirus software, while professionals and businesses benefit from the comprehensive protection of endpoint security. As cyber threats become more complex, endpoint security is becoming the standard due to its proactive and automated defense capabilities.

Tech Optimizer

December 18, 2025

Chinese hackers fake Teams downloads in false flag ploy

A cybersecurity investigation by ReliaQuest has revealed that a Chinese state-linked hacking group, Silver Fox (also known as Void Arachne), is using search engine optimization tactics to create a counterfeit Microsoft Teams download site at "teamscn[.]com." This site targets Chinese-speaking users and employs a typo-squatting strategy. Victims attempting to download the software receive a trojanized installer labeled "Setup.exe," which checks for the presence of antivirus software and executes obfuscated PowerShell commands to modify Windows Defender exclusion lists. The malware also drops a file named "Verifier.exe" and installs a functional version of Microsoft Teams to disguise its activities. The compromised system communicates with the domain "Ntpckj[.]com" to deliver the ValleyRAT payload, allowing remote access for data exfiltration and command execution. Silver Fox is linked to both state-sponsored espionage and financially motivated activities, having previously conducted similar SEO poisoning campaigns. The campaign primarily targets Chinese-speaking personnel in global organizations, particularly those with ties to China, and poses a significant risk to organizations lacking robust security measures. Security teams are advised to enhance logging and monitoring practices to detect suspicious activities.

Tech Optimizer

December 12, 2025

The digital impersonators: How cybercriminals hijack your brand to launch malvertising attacks

Brand trust is highly valued by consumers, leading cybercriminals to exploit it through malvertising, which embeds malicious code in legitimate ads. Malvertising can redirect users to phishing sites or download malware. Cybercriminals create fake ads that mimic trusted brands, targeting high-traffic moments and using real-time bidding to distribute these ads on reputable sites. The process involves setting up fake accounts, creating convincing ads, purchasing ad space, and delivering malware through exploit kits. The consequences include identity theft and financial loss for consumers, and reputational damage for brands. To protect against these threats, organizations should implement regular software updates, continuous employee training, protective tools, and consider partnering with managed service providers for enhanced security measures.

Tech Optimizer

December 9, 2025

Warning! Engineered Linux Malware Can Bypass Next-Gen Anti-Virus Solutions – Open Source For You

The author created a custom reverse TCP payload using Python, packaged it into an .elf executable, and tested its stealthiness against antivirus software. The payload included functionalities such as webcam snapshots, keylogging, screen capture, and file transfers. Established tools for obfuscation often triggered antivirus alerts, prompting the author to develop a custom solution to avoid signature-based detection, maintain behavioral control, and gain insights into detection engines. The payload was designed to connect back to the attacker's machine and execute commands, while the listener processed incoming data. After compiling the binary, it was submitted to VirusTotal, where only four out of 64 antivirus engines flagged it, indicating that custom code can bypass many next-gen antivirus products.

Tech Optimizer

December 4, 2025

Cyber security essentials with WSA partner PureCyber

Cyber security is crucial for organizations in the sport and leisure sector to protect digital assets from hackers and cybercriminals. Neglecting cyber security can lead to financial losses, reputational damage, operational disruptions, and legal issues. Key practices for enhancing cyber security include keeping software updated, using strong passwords, training employees, and employing firewalls and antivirus solutions. The Welsh Sports Association (WSA) has partnered with PureCyber to offer a subscription service called Foundations, which provides various cyber security benefits such as incident response, phishing simulations, endpoint detection and response, dark web monitoring, employee training, Microsoft 365 protection, and vulnerability management. WSA members can access this service at preferential rates, and a Lunchtime Learning session will be held to improve skills within member organizations. Interested parties can contact Maria Lopez for more information on the subscription.

Winsage

November 25, 2025

New ClickFix attacks use fake Windows Updates to swipe creds

A surge in ClickFix attacks is occurring, where attackers use deceptive Windows update screens to trick users into downloading infostealer malware. This method has become the primary means of initial access for cybercriminals, as reported by Microsoft. State-sponsored actors and organized crime groups are increasingly using this tactic. Huntress security experts have noted a shift from traditional prompts to convincing fake Windows update screens, showcasing the attackers' adaptability. Cyber adversaries are utilizing a steganographic loader to deliver infostealing malware like Rhadamanthys, encoding malicious code within PNG images to evade detection. Between September 29 and October 30, 2025, Huntress investigated 76 incidents linked to this campaign across various regions, with one incident involving the IP address 141.98.80[.]175. Victims typically visit a malicious site that triggers a full-screen blue Windows Update screen, leading them to install a “critical security update” through a series of commands. This process involves executing a command that runs PowerShell code to deploy a steganographic loader, ultimately leading to the installation of Rhadamanthys, which captures login credentials. Comments in the lure site's source code are in Russian, suggesting the attackers' identity remains unknown. As of November 19, multiple domains continue to host the lure page, although the payload is no longer actively hosted. Organizations can defend against these attacks by blocking access to the Windows Run box and educating employees about the ClickFix technique.