Antivirus-killing tool poses growing cybersecurity threat
Cybersecurity researchers have uncovered a new and dangerous antivirus-killing tool that hackers are using to disable security software before launching ransomware attacks. This tactic allows cybercriminals to bypass defenses, making it easier to deploy malicious payloads. The latest discovery involves a customized version of the open-source RealBlindingEDR tool, which targets well-known antivirus solutions and even uninstalls them in some cases. With threats evolving, understanding how these tools work is essential for staying protected.
How the antivirus-killing tool works
The newly discovered tool contains a hardcoded list of major antivirus vendors, including Trend Micro, Kaspersky, Sophos, and McAfee. Once deployed, it searches for antivirus drivers and disables kernel-level hooks and callbacks, effectively blinding detection engines. In some cases, the tool goes further, silently uninstalling security programs entirely. This method creates a clear path for stage-two malware, making it a preferred tactic for advanced cybercriminal groups.
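A defender-side check for the behaviour described above, added here as an example and not code from the report or from the tool's authors: it scans Windows Service Control Manager (event 7036, service stopped) and MsiInstaller (event 1034, product removed) entries for the vendors named in the report and escalates when several products are hit within minutes, which is what a mass AV-kill looks like and a single legitimate restart does not. The one-line log format, the sample lines and the five-minute window are assumptions constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Vendors the report names on the tool's hardcoded target list
WATCHED_VENDORS = ("trend micro", "kaspersky", "sophos", "mcafee")

# Assumed simplified export format: "<ISO time> <event id> <source>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<eid>\d+) (?P<src>[^:]+): (?P<msg>.*)$")
STOP_RE = re.compile(r"^The (?P<name>.+?) service entered the stopped state\.?$")
UNINSTALL_RE = re.compile(r"removed the product\. Product Name: (?P<name>[^.]+)\.")

# Constructed sample lines (not real telemetry): three security products go down
# within seconds, then an unrelated service stop that must not alert.
SAMPLE_LOG = [
    "2024-11-02T02:13:05Z 7036 Service Control Manager: The Sophos Endpoint Defense Service service entered the stopped state.",
    "2024-11-02T02:13:07Z 7036 Service Control Manager: The Kaspersky Endpoint Security service entered the stopped state.",
    "2024-11-02T02:13:09Z 1034 MsiInstaller: Windows Installer removed the product. Product Name: Trend Micro Apex One Security Agent.",
    "2024-11-02T02:20:00Z 7036 Service Control Manager: The Print Spooler service entered the stopped state.",
]

def names_watched_vendor(text):
    low = text.lower()
    return any(vendor in low for vendor in WATCHED_VENDORS)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts, int(m.group("eid")), m.group("msg")

def detect_av_tampering(lines, window=timedelta(minutes=5)):
    """Return (kind, product) alerts for security-product stops and uninstalls,
    plus one 'burst' alert if two or more distinct products are hit within `window`."""
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, eid, msg = parsed
        if eid == 7036:
            m = STOP_RE.match(msg)
            if m and names_watched_vendor(m.group("name")):
                hits.append((ts, "service_stopped", m.group("name")))
        elif eid == 1034:
            m = UNINSTALL_RE.search(msg)
            if m and names_watched_vendor(m.group("name")):
                hits.append((ts, "product_uninstalled", m.group("name")))
    alerts = [(kind, name) for _, kind, name in hits]
    for i, (ts, _, name) in enumerate(hits):
        others = {n for t, _, n in hits[i + 1:] if t - ts <= window and n != name}
        if others:
            alerts.append(("burst", f"{1 + len(others)} products within {window}"))
            break
    return alerts

if __name__ == "__main__":
    for alert in detect_av_tampering(SAMPLE_LOG):
        print(alert)
```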
The ransomware connection
Researchers linked the tool’s usage to Crypto24, a relatively new ransomware group first spotted in September 2024. This group has been observed deploying the antivirus-killing tool before encrypting systems, ensuring their ransomware can operate without interference. By neutralizing security software, Crypto24 significantly increases the likelihood of successful attacks, which can lead to data breaches, financial losses, and operational downtime for victims.
Protecting against antivirus-killing tools
A layered cybersecurity strategy remains the best defense. This includes keeping software up to date, using endpoint protection alongside intrusion detection systems, and implementing network segmentation. Organizations should also train employees to recognize phishing attempts, as many ransomware campaigns begin with social engineering. Regular backups stored offline can be a crucial recovery measure if defenses fail. With the rise of tools designed to dismantle antivirus protection, proactive security measures are more critical than ever.