Most people believe that reinstalling the operating system is the nuclear option — the guaranteed way to wipe a compromised machine and start fresh. UEFI and BIOS malware shatters that assumption. Firmware-level implants live below the operating system, in the flash storage chips that contain the code your computer runs before Windows or Linux ever loads. Reinstalling the OS, replacing the hard drive, even swapping out RAM — none of it matters. The firmware persists.
This is not theoretical. Nation-state threat actors have deployed UEFI implants in real-world attacks, and the tooling to create them is becoming more accessible. Understanding how firmware malware works is no longer just for security researchers.
Understanding the UEFI Boot Process
UEFI (Unified Extensible Firmware Interface) replaced the older BIOS standard and is now the firmware interface on virtually every modern PC, server, and laptop. When you power on a machine, UEFI executes first — it initializes hardware, runs pre-boot checks, and then hands control to the bootloader (GRUB, Windows Boot Manager, etc.), which loads the OS.
This boot sequence creates a layered trust model. UEFI code is inherently trusted because it runs before any security software can load. If an attacker can write malicious code into UEFI flash storage, it executes in a privileged environment with no antivirus, no EDR, and no kernel-level protections in place.
How UEFI Malware Gets Installed
Physical Access
The most straightforward method is direct physical access to the machine. An attacker with physical access can use a flash programmer to rewrite the UEFI chip directly, bypassing all software protections. Intelligence agencies have used this technique, as revealed in the 2013 NSA ANT catalog leak, which described tools like DEITYBOUNCE and IRONCHEF designed to implant firmware on specific hardware platforms.
Software-Based Implanting
More dangerous at scale, some UEFI malware is installed purely through software. This requires:
- A vulnerability in the UEFI firmware itself — bugs in firmware parsing, SMM (System Management Mode) handling, or Secure Boot implementation
- An operating system-level exploit — the attacker first compromises the OS, then escalates to firmware-write privileges
Several real vulnerabilities have enabled this path. BootHole (CVE-2020-10713) was a buffer overflow in GRUB2 that could bypass Secure Boot. The LogoFAIL vulnerability (disclosed in 2023) allowed attackers to run malicious code by exploiting the image parsers that firmware uses to display boot logos, affecting hundreds of device models from multiple vendors.
Supply Chain Compromise
Attackers can also target the firmware update supply chain — compromising vendors’ build systems or update servers to distribute malicious firmware to end users who believe they are installing legitimate updates.
Notable Real-World UEFI Malware
LoJax (APT28)
Discovered in 2018 by ESET, LoJax was the first publicly documented UEFI rootkit used in a real attack campaign. It was deployed by APT28 (Fancy Bear / Sandworm), a Russian GRU-linked threat group. LoJax modified the UEFI firmware of targets in Central and Eastern Europe, installing a Windows malware dropper that reinstalled itself after every OS reinstall. The implant survived full disk wipes.
MosaicRegressor (Winnti/APT41)
In 2020, Kaspersky reported MosaicRegressor, a UEFI implant linked to a Chinese-speaking threat actor. It was used to target NGOs and diplomatic entities, delivering a custom backdoor that persisted at the firmware level.
CosmicStrand
Also attributed to a Chinese-speaking threat actor and reported by Kaspersky in 2022, CosmicStrand was found in the UEFI firmware of consumer-grade Gigabyte and ASUS motherboards. The infection vector remains unknown, but the implant hooked the Windows kernel boot process to inject code into running processes.
BlackLotus
In 2023, BlackLotus became the first publicly known malware to bypass Windows 11’s Secure Boot on fully patched systems. It exploited CVE-2022-21894 (Baton Drop), a flaw in the Windows bootloader. BlackLotus was sold as a crimeware kit on underground forums for around $5,000, marking a significant democratization of bootkit capabilities.
Detection: Why It Is So Hard
Traditional antivirus and EDR tools operate within the operating system. UEFI malware executes before the OS loads, meaning it can:
- Patch itself back into memory after an OS-level removal attempt
- Disable security tools before they initialize
- Manipulate OS kernel structures from a position of higher privilege
Detection approaches include:
- Firmware integrity scanning: Tools like Chipsec (open-source) can dump and analyze UEFI firmware, comparing it against known-good baselines
- UEFI Secure Boot: When properly configured and using uncompromised keys, Secure Boot prevents unsigned firmware modules from executing
- TPM-based attestation: A Trusted Platform Module (TPM) can record measurements of the boot process, allowing remote attestation to verify firmware integrity
- Vendor detection tools: Some motherboard vendors and security firms (ESET, Kaspersky) have released firmware scanners for specific threat families
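The TPM-based attestation item above, as an added example that is not part of the original article: a verifier replays a boot event log, checks that it reproduces the PCR values the TPM quoted, then checks every measured component against a known-good baseline. The log contents, component names and baseline are constructed sample data, and verification of the quote's signature and nonce is assumed to have happened before `verify` is called.

```python
import hashlib
import hmac

ZERO_PCR = bytes(32)  # PCRs in the SHA-256 bank reset to all zeros at power-on

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def replay(events):
    """Recompute PCR values from an event log: PCR_new = SHA256(PCR_old || digest)."""
    pcrs = {}
    for pcr, _name, digest in events:
        pcrs[pcr] = sha256(pcrs.get(pcr, ZERO_PCR) + digest)
    return pcrs

def verify(events, quoted_pcrs, golden):
    """Return a list of findings; an empty list means the boot matched the baseline."""
    findings = []
    replayed = replay(events)
    # 1. The log is only evidence if it replays to the TPM-signed PCR values.
    for pcr, value in sorted(quoted_pcrs.items()):
        if not hmac.compare_digest(replayed.get(pcr, ZERO_PCR), value):
            findings.append(f"PCR{pcr}: event log does not replay to quoted value")
    # 2. Every measured component must be a known-good digest for that PCR.
    for pcr, name, digest in events:
        if digest not in golden.get(pcr, set()):
            findings.append(f"PCR{pcr}: unknown measurement '{name}'")
    return findings

# Constructed sample data: byte strings stand in for real firmware images.
GOOD_LOG = [
    (0, "firmware volume", sha256(b"vendor firmware 1.2")),
    (2, "option ROM", sha256(b"nic option rom")),
    (4, "boot manager", sha256(b"boot manager image")),
]
GOLDEN = {}
for _pcr, _name, _digest in GOOD_LOG:
    GOLDEN.setdefault(_pcr, set()).add(_digest)

def demo():
    implant = (0, "extra DXE driver", sha256(b"unexpected driver"))
    implanted_log = GOOD_LOG[:1] + [implant] + GOOD_LOG[1:]
    return {
        "clean": verify(GOOD_LOG, replay(GOOD_LOG), GOLDEN),
        # Honest log, modified firmware: the new module is flagged by name.
        "implanted": verify(implanted_log, replay(implanted_log), GOLDEN),
        # Implant event stripped from the log, but the TPM still quotes the real PCRs.
        "forged_log": verify(GOOD_LOG, replay(implanted_log), GOLDEN),
    }

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "OK")
```

Both checks matter: the baseline comparison catches an unexpected module in an honest log, while the replay check catches a log that was edited to hide one. Neither helps if the code that takes the first measurement has itself been replaced, which is why the measurement chain needs a hardware-protected starting point.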
How to Protect Against UEFI Malware
| Defense | Description |
|---|---|
| Enable Secure Boot | Prevents unsigned bootloaders and UEFI modules from running |
| Keep firmware updated | Vendors regularly patch UEFI vulnerabilities; update via official channels only |
| Enable BIOS/UEFI password | Prevents unauthorized changes to firmware settings |
| Use Measured Boot with TPM | Records boot sequence measurements for integrity verification |
| Restrict physical access | Physical access to hardware is game over for firmware security |
| Monitor for BootHole/LogoFAIL-class CVEs | Patch firmware-level vulnerabilities promptly |
| Use enterprise firmware monitoring | Solutions like HP Sure Start and Dell SafeBIOS provide hardware-level integrity |
The Bigger Picture
UEFI malware represents the cutting edge of attacker persistence. It requires significant resources to develop and deploy, which is why it has historically been the domain of nation-state actors. However, the sale of BlackLotus as a commercial kit and the publication of proof-of-concept code for vulnerabilities like LogoFAIL suggest that the barrier to entry is falling.
For most organizations, the immediate priority is hygiene: keep firmware updated, enable Secure Boot, restrict physical access, and have a process for monitoring firmware-level CVEs. For high-value targets — governments, critical infrastructure, defense contractors — firmware integrity monitoring is no longer optional.
The threat that survives reinstalls demands defenses that go below the OS.