Mallory: Malware, used by 1 actor

MoonBounce

MoonBounce is a UEFI firmware implant/rootkit embedded in SPI flash on a victim motherboard. It was discovered by Kaspersky in late 2021 and is described as the third publicly known malicious SPI-flash UEFI implant after LoJax and MosaicRegressor. The implant tampers with the UEFI CORE_DXE/DXE Foundation component, intercepts the normal boot execution flow, and introduces a sophisticated, largely memory-only infection chain that preserves the normal boot sequence while leaving no disk artifacts. Reported behavior includes inline hooking of EFI Boot Services functions such as AllocatePool, CreateEventEx, and ExitBootServices, hooking later boot components including the Windows loader, introducing a malicious driver into Windows kernel memory, and injecting user-mode malware into svchost.exe.

MoonBounce is designed to deploy additional malware on the compromised system and to provide stealth and persistence. Because it resides in SPI flash, it can survive hard-disk formatting, disk replacement, and operating system reinstallation. Kaspersky reported that the user-mode stager contacted the hardcoded URL hxxp://mb.glbaitech[.]com/mboard.dll to retrieve an additional in-memory payload. Related infrastructure and malware observed in the same victim environment included ScrambleCross/SideWalk and loaders such as StealthVector and StealthMutant; Kaspersky also noted a distinctive self-signed SSL certificate and overlapping infrastructure including mb.glbaitech[.]com, ns.glbaitech[.]com, 188.166.61[.]146, 172.107.231[.]236, 193.29.57[.]161, 136.244.100[.]127, 217.69.10[.]104, and 92.38.178[.]246.

Kaspersky attributed MoonBounce with medium-to-high confidence, and elsewhere with high confidence, to the Chinese-speaking threat actor APT41, also known as Winnti. The broader intrusion activity associated with the campaign included host and network discovery, lateral movement via PsExec and WMI, attempted Active Directory database dumping with ntdsutil IFM, archiving with rar.exe, and cleanup of artifacts in %temp%, consistent with long-term espionage objectives. The initial infection vector for the firmware compromise was not determined; Kaspersky assumed remote infection and noted that successful deployment would require the ability to write to firmware, potentially via firmware vulnerabilities or platform configurations permitting such writes.
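As an added example (not from this page or from Kaspersky's report), a Python pass that refangs the indicators quoted above and runs them, together with command-line patterns for the discovery, AD-dumping, archiving and lateral-movement behaviour described, over constructed sample telemetry; the log format and the TTP regexes are assumptions for illustration.

```python
import re

# Indicators exactly as the report above gives them (defanged); constructed log lines below.
DEFANGED_IOCS = [
    "hxxp://mb.glbaitech[.]com/mboard.dll", "mb.glbaitech[.]com", "ns.glbaitech[.]com",
    "188.166.61[.]146", "172.107.231[.]236", "193.29.57[.]161",
    "136.244.100[.]127", "217.69.10[.]104", "92.38.178[.]246",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator into the form it takes in real telemetry."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

# Host-side behaviours the report describes, as process command-line patterns (assumed).
TTP_PATTERNS = {
    "ntds_dump_ifm": re.compile(r"ntdsutil.*\bifm\b", re.I),
    "rar_archiving": re.compile(r"\brar\.exe\b", re.I),
    "psexec_lateral": re.compile(r"\bpsexec", re.I),
    "wmi_lateral": re.compile(r"\bwmic\b.*(/node:|process)", re.I),
}

def scan(lines):
    """Return (line_no, label) pairs for every IOC substring or TTP pattern hit."""
    iocs = [refang(i).lower() for i in DEFANGED_IOCS]
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        hits += [(n, "ioc:" + i) for i in iocs if i in low]
        hits += [(n, "ttp:" + name) for name, pat in TTP_PATTERNS.items() if pat.search(line)]
    return hits

# Constructed sample telemetry (not real logs): proxy, DNS and process-creation events.
SAMPLE_LOG = [
    "proxy GET http://mb.glbaitech.com/mboard.dll 200 svchost.exe",
    "dns query ns.glbaitech.com -> 188.166.61.146",
    'proc ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\x" q q',
    "proc rar.exe a C:\\Users\\u\\AppData\\Local\\Temp\\out.rar C:\\Temp\\x",
    "proc C:\\Windows\\Temp\\psexec.exe \\\\host2 -s cmd.exe",
    "proc wmic.exe /node:host3 process call create cmd.exe",
    "proxy GET http://example.org/index.html 200 chrome.exe",
]

if __name__ == "__main__":
    for n, label in scan(SAMPLE_LOG):
        print(n, label)
```

The last sample line is a benign control and should produce no hit; everything else maps back to one indicator or one described behaviour.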

MoonBounce is repeatedly cited in reporting as a highly privileged UEFI bootkit/firmware threat alongside LoJax, MosaicRegressor, FinSpy, ESPecter, and BlackLotus. Kaspersky stated that classic Secure Boot would not stop MoonBounce because Secure Boot does not authenticate the firmware-level components themselves and because MoonBounce patches images in memory after they are loaded rather than bypassing Secure Boot directly. Intel Boot Guard and TPM-based integrity mechanisms were cited as defenses that could have countered the firmware-level modifications.
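As an added illustration (not from this page or Kaspersky's report), a simplified Python model of the point above: a golden-value PCR comparison, as in TPM measured boot, changes when the DXE Foundation is modified, while a signature-style check on the unchanged on-disk loader still passes. The firmware blobs, component names and allowed-hash set are constructed stand-ins, and real PCR0 contents include more events than modelled here.

```python
import hashlib

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: new = SHA-256(old || digest); order-dependent and one-way."""
    return hashlib.sha256(pcr + digest).digest()

def measure_firmware(volumes):
    """Simplified PCR0: extend a zeroed PCR with each firmware volume's hash in boot order."""
    pcr = bytes(32)
    for blob in volumes:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr

def secure_boot_allows(loader_image: bytes, allowed_hashes) -> bool:
    """Secure Boot as modelled here: only the loader file is checked, before it is loaded."""
    return hashlib.sha256(loader_image).hexdigest() in allowed_hashes

# Constructed stand-ins (not real firmware): a clean DXE Foundation and one with an implant.
CLEAN_CORE_DXE = b"CORE_DXE: DXE Foundation"
IMPLANTED_CORE_DXE = CLEAN_CORE_DXE + b" + hooks on AllocatePool/ExitBootServices"
PEI, DRIVERS, BDS = b"PEI core", b"DXE drivers", b"BDS"
WINLOAD = b"Windows loader image, unchanged on disk"
ALLOWED = {hashlib.sha256(WINLOAD).hexdigest()}

# Golden PCR0 recorded from a known-clean boot of the same platform.
GOLDEN_PCR0 = measure_firmware([PEI, CLEAN_CORE_DXE, DRIVERS, BDS])

def boot_outcome(core_dxe: bytes):
    """Return (secure_boot_passes, pcr0_matches_golden) for a boot with this CORE_DXE."""
    pcr0 = measure_firmware([PEI, core_dxe, DRIVERS, BDS])
    return secure_boot_allows(WINLOAD, ALLOWED), pcr0 == GOLDEN_PCR0

if __name__ == "__main__":
    print("clean:  ", boot_outcome(CLEAN_CORE_DXE))      # (True, True)
    print("implant:", boot_outcome(IMPLANTED_CORE_DXE))  # (True, False)
```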


Threat actors

Groups observed using it: 1 distinct threat actor attributed by public researchers.

APT41

"MoonBounce... UEFI firmware implant... connection to APT41 (also known as Winnti)."

Source: ctoatncsc.substack.com
MITRE ATT&CK

Techniques & procedures: 1 distinct technique documented for this family, organized by ATT&CK tactic.

Persistence (also listed under "Stealth"): 1 technique

T1542.001 System Firmware (evidence: 3)

Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect.
