Malware

PKFail

PKFail is a Secure Boot bypass threat associated with UEFI firmware misconfiguration. The provided content states that PKFail involved devices shipped with untrusted test certificates, which enabled Secure Boot bypasses. It is cited by NSA and CISA alongside BlackLotus and BootHole as an example of bootkit-related risk arising from improperly managed Secure Boot variables and trust stores. The malware/threat is relevant to enterprise environments using outdated, default, disabled, or otherwise misconfigured Secure Boot settings, including improper Platform Key (PK), Key Exchange Key (KEK), allowed database (DB), and revocation database (DBX) configurations. The content does not attribute PKFail to a specific threat actor, infection vector, or industry targeting, but places it in the context of firmware-level threats that can undermine boot integrity and persistence protections when systems are provisioned with untrusted certificates or permissive Secure Boot configurations.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyber security newsNews

Dec 15, 2025

CISA Releases Guidance for Managing UEFI Secure Boot on Enterprise Devices

PKFail refers to a class of vulnerabilities where devices are shipped with untrusted test certificates, allowing attackers to bypass UEFI Secure Boot and install persistent malware.

eclypsium blogNews

Dec 15, 2025

How to Operationalize NSA Guidance on UEFI Secure Boot at Scale

PKFail is a class of malware or attack technique that targets misconfigurations or failures in UEFI Secure Boot, allowing attackers to bypass firmware-level security and gain persistent, stealthy access to systems.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.