Red Alert for Windows 11: Bootkit bypasses UEFI Secure Boot



According to ESET, even the new Windows 11 with its UEFI Secure Boot security system is not safe from the "BlackLotus" bootkit. The bootkit is already active in the wild and is also actively offered on hacker forums.

Red alert for Windows users: ESET researchers have identified a bootkit that is able to bypass key security features of UEFI Secure Boot, a security mechanism that Windows relies on. Even a fully updated Windows 11 system with Secure Boot enabled is no obstacle for the malicious program. Based on the bootkit's functionality and its individual characteristics, the experts at the European IT security vendor assume that it is the threat known as BlackLotus. The UEFI bootkit has been sold on hacker forums for $5,000 since October 2022.


Even an updated Windows 11 is not safe

“We received the first clues from hits in our telemetry at the end of 2022. These turned out to be a component of BlackLotus – an HTTP downloader. After an initial analysis, the code patterns we found in the samples led us to six BlackLotus installers. This allowed us to examine the entire execution chain and see that we are not just dealing with regular malware here,” says Martin Smolár, the ESET researcher who led the bootkit investigation.

Vulnerability is exploited

BlackLotus exploits a vulnerability (CVE-2022-21894) that is more than a year old to bypass UEFI Secure Boot and establish persistence on the computer. This is the first known exploitation of this vulnerability in the wild. Although Microsoft fixed the vulnerability in its January 2022 update, abusing it is still possible, because the affected, validly signed binaries have still not been added to the UEFI block list. BlackLotus takes advantage of this by bringing its own copies of the legitimate but vulnerable binaries onto the system.
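The practical defender question raised above is whether a given signed bootloader hash is actually present in the UEFI block list (the `dbx` variable). The following is an added example, not ESET's code: it parses the `EFI_SIGNATURE_LIST` format that `dbx` is stored in and checks a hash against it, using a constructed sample blob with placeholder hashes. It assumes you obtain the real variable bytes yourself (for example via `Get-SecureBootUEFI -Name dbx` on Windows, or from `/sys/firmware/efi/efivars/` on Linux, where a 4-byte attribute prefix precedes the data).

```python
import hashlib
import struct
import uuid

# Signature type GUID for lists of SHA-256 hashes (EFI_CERT_SHA256_GUID from the UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_signature_lists(blob, skip_attr_prefix=False):
    """Yield (type_guid, owner_guid, data) for each entry in a db/dbx variable body.

    The body is a sequence of EFI_SIGNATURE_LIST records: 16-byte type GUID,
    UINT32 list size, UINT32 header size, UINT32 signature size, an optional
    header, then EFI_SIGNATURE_DATA entries (16-byte owner GUID + payload).
    """
    off = 4 if skip_attr_prefix else 0  # Linux efivarfs prepends 4 attribute bytes
    while off + 28 <= len(blob):
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield type_guid, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(blob, skip_attr_prefix=False):
    # Only hash entries are considered; dbx may also carry X.509 certificate entries.
    return {data.hex() for t, _, data in parse_signature_lists(blob, skip_attr_prefix)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(dbx_blob, authenticode_sha256_hex, skip_attr_prefix=False):
    """True if the PE Authenticode SHA-256 hash (hex) is blocked by this dbx."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx_blob, skip_attr_prefix)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Construct one EFI_SIGNATURE_LIST of SHA-256 entries (used only for the demo blob)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + 32)
    return header + body


# Constructed sample data: placeholder hashes standing in for revoked bootloader hashes.
SAMPLE_HASHES = [hashlib.sha256(b"placeholder-revoked-binary-%d" % i).digest() for i in range(2)]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES)
```

Note that dbx hash entries are PE Authenticode hashes of the signed image, not the plain SHA-256 of the file on disk, so compute the hash accordingly before comparing.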


Wide range of possibilities

BlackLotus is able to disable operating system security mechanisms such as BitLocker, HVCI and Windows Defender. Once installed, the malware's main goal is to install a kernel driver (which it protects from removal, among other things) and an HTTP downloader. The latter is responsible for communicating with the command and control server and can load additional payloads for user mode or kernel mode. Interestingly, some BlackLotus installers do not proceed with the bootkit installation if the compromised machine uses locales from Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.

BlackLotus has been promoted and sold on underground forums since at least early October 2022. “We have evidence that the bootkit is genuine and that the advertisement for it is not a scam,” says Smolár. “The small number of BlackLotus samples we've received from both public sources and our telemetry leads us to suspect that not many hackers have started using it yet. We fear that this will change quickly should this bootkit find its way into the hands of crimeware groups, because it is easy to distribute and can be spread by these groups via botnets, for example.”

What is a bootkit?

UEFI bootkits are very powerful threats to any computer. Once they gain full control over the operating system boot process, they can disable various operating system security mechanisms and inject their own kernel- or user-mode malicious code in the early stages of boot. As a result, they operate covertly and with high privileges. To date, only a few bootkits have been discovered in the wild and publicly described. Compared to firmware implants — like LoJax, the first UEFI firmware implant found in the wild, discovered by ESET in 2018 — UEFI bootkits give up some stealth, because they reside on an easily accessible FAT32 disk partition. However, when run as a bootloader, they have almost the same capabilities without having to overcome the multiple layers of security that protect against firmware implants. “The best tip is to keep the system and its security solution up to date. This increases the chance that a potential threat will be stopped early on, before it infiltrates the operating system,” concludes Smolár.

What is UEFI?

UEFI stands for "Unified Extensible Firmware Interface" and refers to the firmware of the mainboard, which forms the interface between hardware and software during the boot process. One of its essential functions is Secure Boot, which is meant to prevent malware from loading while the computer starts up. That is why bypassing this security feature is so dangerous.


About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit or follow us on LinkedIn, Facebook and Twitter.

