BootKitty Uses LogoFAIL to Install a Linux-Targeting UEFI Bootkit
Researchers previously disclosed LogoFAIL, a broad set of UEFI image-parsing flaws that can let attackers execute code during the DXE boot phase by abusing OEM logo customization paths. The vulnerabilities affect parsers for formats including BMP, GIF, PNG, JPEG, PCX, and TGA, and can be triggered from attacker-controlled sources such as the EFI System Partition, firmware update volumes, or NVRAM. Binarly reported 29 root causes, including 15 likely exploitable issues, and demonstrated arbitrary code execution on a Lenovo ThinkCentre M70s Gen 2 via an AMI PNG parser flaw. The weaknesses can bypass protections such as Secure Boot, Intel Boot Guard, AMD hardware-validated boot, and ARM TrustZone-based verification, with impact spanning firmware from major BIOS and device vendors.
Subsequent reporting said the BootKitty malware family exploited LogoFAIL to infect Linux systems, marking a notable evolution from a theoretical firmware weakness into active bootkit tradecraft. Coverage described the attack path as exceptionally difficult to detect or remove because it operates in UEFI before the operating system loads, allowing persistence below traditional endpoint defenses. The case also undercut assumptions that Linux systems are insulated from modern UEFI bootkits, showing that firmware-level compromise can survive OS reinstallations and evade both software- and hardware-based security controls.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Bootkitty linked to LogoFAIL exploitation on Linux systems
Reporting indicated that the Bootkitty UEFI malware exploited LogoFAIL to infect Linux systems, connecting the previously disclosed firmware weaknesses to an in-the-wild malware use case. This marked an escalation from research disclosure to observed malicious abuse of the LogoFAIL attack path.
ESET reports first Linux-targeting UEFI bootkit, Bootkitty
ESET disclosed Bootkitty as the first known UEFI bootkit targeting Linux systems. The malware showed that Linux devices were also being targeted at the firmware level.
Student claims Bootkitty was an academic research project
An update to reporting said a student in South Korea claimed Bootkitty was developed as part of the country's Best of the Best program for academic research and was not intended for malicious use. ESET said it was in contact with the student to assess the claim, while maintaining that its technical findings about Bootkitty remained valid.
Binarly demonstrates LogoFAIL exploitation on Lenovo hardware
The researchers presented a proof-of-concept exploit against a Lenovo ThinkCentre M70s Gen 2 using an AMI PNG parser flaw to trigger heap corruption and achieve arbitrary code execution in UEFI. They said the broader ecosystem was affected, with hundreds of devices from vendors including Lenovo, Intel, and Acer exposed through logo customization features.
Binarly identifies LogoFAIL flaws in UEFI image parsers
Binarly researchers found a set of vulnerabilities dubbed LogoFAIL in UEFI image parsing libraries used during boot, identifying 29 unique root causes and determining that 15 were likely exploitable. The issues affected common image formats and could allow bypass of Secure Boot and hardware-verified boot protections across x86 and ARM systems.
Sources
5 references tracked. Mallory keeps watching after this page renders.
BootKitty UEFI malware exploits LogoFAIL to infect Linux systems
bleepingcomputer.com
Open sourceProving Linux is not a safe sanctuary, ESET finds first Linux-targeting UEFI bootkit malware - BetaNews
betanews.com
Open source'Bootkitty' Malware Can Infect a Linux Machine's Boot Process | PCMag
pcmag.com
Open sourceLogoFAIL exploit bypasses hardware and software security measures and is nearly impossible to detect or remove | Tom's Hardware
tomshardware.com
Open sourceI Blackhat Archive
i.blackhat.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Secure Boot Bypass Vulnerability in Framework Linux Laptops via Signed UEFI Shells
Researchers from Eclypsium discovered that nearly 200,000 Linux-based Framework laptops and desktops were shipped with signed UEFI shell components containing a powerful 'memory modify' (mm) command, which can be exploited to bypass Secure Boot protections. The mm command, intended for low-level diagnostics and firmware debugging, provides direct read and write access to system memory, including critical security variables such as gSecurity2. By abusing this command, an attacker can overwrite the gSecurity2 variable with NULL, effectively disabling signature verification for all subsequent UEFI module loads and breaking the Secure Boot trust chain. This vulnerability allows attackers to load bootkits such as BlackLotus, HybridPetya, and Bootkitty, which can evade operating system-level security controls and persist even after OS reinstallation. The attack can be automated using startup scripts, ensuring persistence across reboots. The issue is not the result of a supply chain compromise or malicious intent, but rather an oversight in the inclusion of diagnostic tools signed with trusted certificates. Eclypsium's research highlights that these signed UEFI shells, while legitimate, function as backdoors that undermine the security model of Secure Boot. The presence of such tools in production devices exposes users to significant risk, as attackers can leverage them for pre-OS infections, espionage, sabotage, or ransomware attacks. The gaming industry has already seen commercial cheat providers exploiting similar UEFI-level bypasses, and the same techniques could be adopted by nation-state actors or advanced persistent threats. Framework has acknowledged the issue and is working on remediation, with fixes planned for affected models such as the Framework 13 (11th and 12th Gen Intel). The discovery underscores the broader risk of trusted, signed components containing powerful functionality that can be misused, and the need for rigorous review of firmware-level tools included in shipping devices. The vulnerability demonstrates that even systems marketed as secure and repairable can harbor critical flaws if diagnostic utilities are not properly restricted. The incident serves as a warning to hardware manufacturers and the security community about the dangers of trusted but overly permissive firmware components. Eclypsium's findings have prompted a reassessment of trust models in firmware security, emphasizing the importance of minimizing attack surfaces in pre-boot environments. The case also illustrates how attackers are increasingly targeting lower layers of the computing stack to achieve persistence and evade detection. Framework's response and the ongoing remediation efforts will be closely watched by the industry as a test case for responsible disclosure and mitigation of firmware-level threats.
Mar 21, 2026
Boot-Level Flaws Expose Secure Boot Bypass on PCs and Unpatchable Exploit on Apple Chips
Researchers disclosed two separate boot-chain security issues that undermine trusted startup protections on major platforms. CERT/CC warned that outdated Microsoft-signed UEFI **shim** bootloaders—especially `shim` version `0.9` and earlier, including forked or unpatched builds used by vendors such as Red Hat Enterprise Linux, CentOS, Oracle, OpenSUSE, and WhiteCanyon—can be abused to bypass **Secure Boot** and run arbitrary code before the operating system loads. Because the attack executes in the early boot phase, it can evade EDR visibility and establish persistent compromise; Microsoft is responding by expanding the UEFI Forbidden Signature Database (**DBX**) to revoke vulnerable bootloaders, while administrators have been urged to update signature databases first and test carefully to avoid leaving systems unbootable. Paradigm Shift also disclosed an **unpatchable BootROM flaw** in Apple `A12` and `A13` chips and released a proof-of-concept exploit, `usbliter8`, showing that affected devices from the iPhone XS through the iPhone 11 line can be compromised during startup. The bug stems from USB controller behavior in SecureROM that allows unauthorized memory writes via crafted packets, enabling temporary reduction of security settings, booting of unsigned software, and the familiar `PWND` USB serial marker after exploitation. Apple was notified before publication, but because the weakness is embedded in silicon, software updates cannot fully eliminate the risk for affected devices over their operational lifetime.
Jun 18, 2026
BlackLotus UEFI Bootkit Bypasses Secure Boot and Survives on Patched Windows Systems
Researchers reported that **BlackLotus** is the first known in-the-wild UEFI bootkit able to bypass **UEFI Secure Boot** on fully updated Windows 11 and other UEFI systems. The malware abuses weaknesses tied to `CVE-2022-21894` and later `CVE-2023-24932`, allowing it to execute in the earliest software stage of boot, establish persistence across restarts, and evade normal remediation. ESET said BlackLotus had been advertised on underground forums since at least October 2022 and documented real-world samples that install a kernel driver and a user-mode payload, with follow-on capability for HTTP-based command-and-control and additional payload delivery.
Jun 8, 2026