Malware

Mebroot

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Persistence

2 techniques

T1542Pre-OS BootEvidence2

Windows bootkits gained notice in the early 2000s as proofs of concept developed by researchers of offensive security. BootRoot, a bootkit demonstrated at the 2005 Black Hat security conference, is likely the first such instance.

T1542.003BootkitEvidence2

Secure Boot checks the digital signatures of all code that loads during system startup to ensure it originates from a trusted provider... Secure Boot is designed to thwart bootkits, a form of malware that alters the systems responsible for loading firmware and software during the initial boot sequence.

Stealth

3 techniques

T1014RootkitEvidence1

Torpig circumvents antivirus software through the use of rootkit technology...

T1542Pre-OS BootEvidence2

T1542.003BootkitEvidence2

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

wired com securityNews

Jun 21, 2026

A Critical Deadline Is Approaching for Windows and Linux Security | WIRED

A named bootkit cited among early bootkit examples following initial proof-of-concept work.

arstechnica securityNews

Jun 17, 2026

Windows and Linux users: The deadline to update Secure Boot keys is near - Ars Technica

A named bootkit referenced in the historical progression of bootkit malware.

wikipedia enNews

Jul 25, 2015

Torpig - Wikipedia

A rootkit used to compromise systems and facilitate the spread of Torpig by infecting the Master Boot Record.

wikipedia cyber incidentsNews

Feb 24, 2009

Cameron LaCroix - Wikipedia

2007 Alureon BlackEnergy Clampi Mebroot Storm ZeuS

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.