BlackLotus UEFI Bootkit Bypasses Secure Boot and Survives on Patched Windows Systems
Researchers reported that BlackLotus is the first known in-the-wild UEFI bootkit able to bypass UEFI Secure Boot on fully updated Windows 11 and other UEFI systems. The malware abuses weaknesses tied to CVE-2022-21894 and later CVE-2023-24932, allowing it to execute in the earliest software stage of boot, establish persistence across restarts, and evade normal remediation. ESET said BlackLotus had been advertised on underground forums since at least October 2022 and documented real-world samples that install a kernel driver and a user-mode payload, with follow-on capability for HTTP-based command-and-control and additional payload delivery.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Microsoft issues guidance for CVE-2023-24932 Secure Boot revocations
Microsoft published support guidance for managing Windows Boot Manager revocations tied to Secure Boot changes associated with CVE-2023-24932, documenting how administrators should handle the mitigation.
LOLDrivers adds BlackLotus driver entry
On 2026-05-20, LOLDrivers published an entry for blacklotus_driver.sys with sample hashes, service creation details, and detection resources for the malicious driver component associated with BlackLotus.
NSA releases BlackLotus defense guidance
On 2023-06-22, the U.S. NSA released guidance on defending against BlackLotus, warning that patching alone may not fully mitigate the threat and recommending additional Secure Boot and endpoint hardening steps.
BlackLotus observed circulating in the wild
The bootkit was described as having circulated since October 2022 and was identified by ESET as a real threat seen in the wild, not just an advertised product.
Ars Technica reports on BlackLotus Secure Boot bypass
On 2023-03-06, Ars Technica reported on stealthy UEFI malware bypassing Secure Boot through a Windows flaw, amplifying public awareness of the BlackLotus threat.
ESET publishes BlackLotus bootkit research
On 2023-03-01, ESET published research analyzing BlackLotus and said it was the first known in-the-wild UEFI bootkit able to bypass UEFI Secure Boot on fully patched systems by abusing CVE-2022-21894.
BlackLotus advertised on underground forums
ESET reported that the BlackLotus UEFI bootkit had been advertised on underground forums for $5,000 since at least early October 2022, indicating the malware was available to buyers before public technical analysis appeared.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
8750b245-af35-4bc6-9af3-dc858f9db64f | LOLDrivers
loldrivers.io
Open sourceHow to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
support.microsoft.com
Open sourceHow to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
support.microsoft.com
Open sourceHow to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
support.microsoft.com
Open sourceNSA shares tips on blocking BlackLotus UEFI malware attacks
bleepingcomputer.com
Open sourceStealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw - Ars Technica
arstechnica.com
Open sourceBlackLotus bootkit can bypass Windows 11 Secure Boot: ESET | CSO Online
csoonline.com
Open sourceESET Research analyzes BlackLotus: A UEFI bootkit that can bypass UEFI Secure Boot on fully patched systems | | ESET
eset.com
Open sourceHow to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
support.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
BootKitty Uses LogoFAIL to Install a Linux-Targeting UEFI Bootkit
Researchers previously disclosed **LogoFAIL**, a broad set of UEFI image-parsing flaws that can let attackers execute code during the DXE boot phase by abusing OEM logo customization paths. The vulnerabilities affect parsers for formats including BMP, GIF, PNG, JPEG, PCX, and TGA, and can be triggered from attacker-controlled sources such as the EFI System Partition, firmware update volumes, or NVRAM. Binarly reported 29 root causes, including 15 likely exploitable issues, and demonstrated arbitrary code execution on a Lenovo ThinkCentre M70s Gen 2 via an AMI PNG parser flaw. The weaknesses can bypass protections such as **Secure Boot**, Intel Boot Guard, AMD hardware-validated boot, and ARM TrustZone-based verification, with impact spanning firmware from major BIOS and device vendors. Subsequent reporting said the **BootKitty** malware family exploited LogoFAIL to infect **Linux** systems, marking a notable evolution from a theoretical firmware weakness into active bootkit tradecraft. Coverage described the attack path as exceptionally difficult to detect or remove because it operates in UEFI before the operating system loads, allowing persistence below traditional endpoint defenses. The case also undercut assumptions that Linux systems are insulated from modern UEFI bootkits, showing that firmware-level compromise can survive OS reinstallations and evade both software- and hardware-based security controls.
May 25, 2026
Secure Boot Bypass Vulnerability in Framework Linux Laptops via Signed UEFI Shells
Researchers from Eclypsium discovered that nearly 200,000 Linux-based Framework laptops and desktops were shipped with signed UEFI shell components containing a powerful 'memory modify' (mm) command, which can be exploited to bypass Secure Boot protections. The mm command, intended for low-level diagnostics and firmware debugging, provides direct read and write access to system memory, including critical security variables such as gSecurity2. By abusing this command, an attacker can overwrite the gSecurity2 variable with NULL, effectively disabling signature verification for all subsequent UEFI module loads and breaking the Secure Boot trust chain. This vulnerability allows attackers to load bootkits such as BlackLotus, HybridPetya, and Bootkitty, which can evade operating system-level security controls and persist even after OS reinstallation. The attack can be automated using startup scripts, ensuring persistence across reboots. The issue is not the result of a supply chain compromise or malicious intent, but rather an oversight in the inclusion of diagnostic tools signed with trusted certificates. Eclypsium's research highlights that these signed UEFI shells, while legitimate, function as backdoors that undermine the security model of Secure Boot. The presence of such tools in production devices exposes users to significant risk, as attackers can leverage them for pre-OS infections, espionage, sabotage, or ransomware attacks. The gaming industry has already seen commercial cheat providers exploiting similar UEFI-level bypasses, and the same techniques could be adopted by nation-state actors or advanced persistent threats. Framework has acknowledged the issue and is working on remediation, with fixes planned for affected models such as the Framework 13 (11th and 12th Gen Intel). The discovery underscores the broader risk of trusted, signed components containing powerful functionality that can be misused, and the need for rigorous review of firmware-level tools included in shipping devices. The vulnerability demonstrates that even systems marketed as secure and repairable can harbor critical flaws if diagnostic utilities are not properly restricted. The incident serves as a warning to hardware manufacturers and the security community about the dangers of trusted but overly permissive firmware components. Eclypsium's findings have prompted a reassessment of trust models in firmware security, emphasizing the importance of minimizing attack surfaces in pre-boot environments. The case also illustrates how attackers are increasingly targeting lower layers of the computing stack to achieve persistence and evade detection. Framework's response and the ongoing remediation efforts will be closely watched by the industry as a test case for responsible disclosure and mitigation of firmware-level threats.
Mar 21, 2026
CISA and NSA Guidance on Managing UEFI Secure Boot to Counter Bootkit Threats
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA), has released new guidance urging enterprises to verify and actively manage UEFI Secure Boot configurations to defend against persistent bootkit threats. The guidance, published as a Cybersecurity Information Sheet, highlights the risks posed by vulnerabilities such as PKFail, BlackLotus (CVE-2023-24932), and BootHole, which have enabled attackers to bypass Secure Boot protections through misconfigurations, outdated certificates, or the use of test keys. The agencies emphasize that default or neglected Secure Boot settings leave organizations exposed to firmware-level malware that can evade traditional security controls, and recommend routine audits and validation of Secure Boot variables using tools provided by the NSA. The guidance also addresses operational challenges, noting that many enterprises still rely on outdated 2011 Microsoft certificates or have Secure Boot disabled, making them susceptible to both known and emerging threats. Additional real-world examples, such as the HybridPetya ransomware and the Bombshell UEFI shell, underscore the urgency of moving firmware security to the forefront of enterprise cybersecurity policy. Administrators are advised to confirm Secure Boot enforcement, export and analyze configuration variables, and ensure only trusted certificates and hashes are present, thereby strengthening the root of trust and mitigating supply chain and boot-time attack risks.
Mar 21, 2026