Cybercriminals are stepping up their game, and traditional defenses are struggling to keep pace.
A recent report from TechRadar highlights a new wave of “antivirus killer” tools, designed specifically to blind or disable security software before ransomware and other payloads are deployed.
Researchers at Trend Micro recently discovered a customized variant of the open-source tool RealBlindingEDR being used by the ransomware group Crypto24. The tool is particularly dangerous because it actively seeks out major antivirus and endpoint detection and response (EDR) products, including those from Trend Micro, Kaspersky, Sophos, SentinelOne, Malwarebytes, McAfee, and others. Once it finds them, it disables the kernel-level monitoring those products depend on or, in some cases, uninstalls the product altogether.
With security tools knocked offline, attackers gain free rein to install second-stage malware. In Crypto24’s case, this often means a keylogger to steal sensitive data, followed by an encryptor to lock down systems for ransom.
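The practical check a defender wants after reading this is whether the security stack on a host is still present, still loaded in the kernel, and still tamper-protected. The PowerShell below is an added example, not code from the article, from Trend Micro, or from the AppGuard product. It assumes a host running Microsoft Defender (the service and driver names WinDefend, Sense, WdNisSvc, WdFilter and WdNisDrv are Defender's own; substitute the names your EDR vendor documents), and it assumes a 24-hour look-back window. Event IDs 7036 (service entered the stopped state) and 7045 (new service installed) are standard Windows Service Control Manager events; a new kernel-mode driver service is the usual prerequisite for the kind of kernel-level tampering described above, which is a general Windows fact rather than something taken from the report.

```powershell
# Added example: endpoint self-check for a disabled or blinded security stack.
# Service/driver names are ASSUMPTIONS (Microsoft Defender defaults). Run as Administrator.

$ExpectedServices   = @('WinDefend', 'Sense', 'WdNisSvc')   # 'Sense' is absent on hosts not onboarded to Defender for Endpoint
$ExpectedDrivers    = @('WdFilter', 'WdNisDrv')
$ExpectedMinifilter = 'WdFilter'                             # the file-system minifilter the AV uses to see file activity
$LookBack           = (Get-Date).AddHours(-24)               # assumed review window

$Findings = New-Object System.Collections.Generic.List[string]

# 1. User-mode services: an "EDR killer" that uninstalls the product removes these entirely.
$DisplayNames = @()
foreach ($name in $ExpectedServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $Findings.Add("MISSING service: $name (uninstalled or never installed)")
    } else {
        $DisplayNames += $svc.DisplayName
        if ($svc.Status -ne 'Running') { $Findings.Add("STOPPED service: $name (status $($svc.Status))") }
    }
}

# 2. Kernel-mode components: a tool that blinds the product at the kernel level can leave the
#    service running while the driver or its minifilter is no longer attached.
foreach ($drv in $ExpectedDrivers) {
    $sysDrv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$drv'"
    if ($null -eq $sysDrv -or $sysDrv.State -ne 'Running') { $Findings.Add("DRIVER not running: $drv") }
}
# 'fltmc filters' prints two header lines, then one filter per line with the name in the first column.
$LoadedFilters = (& fltmc.exe filters) | Select-Object -Skip 2 |
    ForEach-Object { ($_.Trim() -split '\s+')[0] } | Where-Object { $_ }
if ($LoadedFilters -notcontains $ExpectedMinifilter) { $Findings.Add("MINIFILTER not attached: $ExpectedMinifilter") }

# 3. Tamper protection and real-time protection, as reported by Defender itself.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -ne $mp) {
    if (-not $mp.IsTamperProtected)         { $Findings.Add('Defender tamper protection is OFF') }
    if (-not $mp.RealTimeProtectionEnabled) { $Findings.Add('Defender real-time protection is OFF') }
}

# 4. Evidence of tampering in the System log: a security service stopping (7036) or a new
#    kernel-mode driver service being installed (7045) inside the look-back window.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036, 7045; StartTime = $LookBack } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $msg = $e.Message -replace '\s+', ' '
    if ($e.Id -eq 7045 -and $msg -match 'kernel mode driver') {
        $Findings.Add("NEW kernel driver service at $($e.TimeCreated): $msg")
    } elseif ($e.Id -eq 7036 -and $msg -match 'stopped state' -and ($DisplayNames | Where-Object { $msg -like "*$_*" })) {
        $Findings.Add("Security service stopped at $($e.TimeCreated): $msg")
    }
}

if ($Findings.Count -eq 0) { 'OK: security stack present, loaded in the kernel, and tamper-protected' }
else { $Findings | ForEach-Object { "ALERT: $_" } }
```

One caveat on the design: this check runs on the same host the attacker controls, so a tool that has already reached kernel privilege can also stop the event log or feed the check stale data. Treat a clean result as one signal, and treat the authoritative record as the copy forwarded off-host (SIEM or the EDR console), where a sensor that suddenly goes silent is itself the alert.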
For organizations across industries — finance, manufacturing, tech, and entertainment — this represents a dangerous shift. Attackers are no longer just trying to evade detection. They are actively sabotaging the very tools businesses rely on for protection. Once defenses are dismantled, it’s only a matter of time before critical systems are compromised.
Most endpoint security solutions are built on a detect-and-respond model: they scan for known threats, analyze suspicious behavior, and respond when something malicious is found. The challenge is that if attackers can disable the detection layer before launching their payload, the response never comes.
As this latest discovery shows, detect and respond isn’t enough when adversaries are targeting the security stack itself.
Businesses need to shift their thinking from detect and respond to isolation and containment. Instead of trying to outpace attackers at detection, this approach prevents untrusted code from executing or doing harm in the first place, so that even if attackers bypass or disable detection tools, they cannot advance their attack.
This is where AppGuard stands apart. Unlike traditional solutions, AppGuard works at the kernel level to contain malicious activity automatically, without relying on signatures or alerts. Malware is stopped before it can cause damage — no detection required, no time wasted waiting for a response.
AppGuard has a 10-year proven track record protecting some of the most targeted environments, and it is now available for commercial use. By adopting AppGuard, businesses can ensure that even if attackers attempt to disable traditional defenses, their systems remain protected through containment.
Call to action:
It’s time to move beyond detect and respond. Business owners, talk with us at CHIPS about how AppGuard can prevent incidents like the one uncovered in this report. Don’t wait until your antivirus is disabled — take control with isolation and containment today.