BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11 (Security News, March 2023)

A stealthy Unified Extensible Firmware Interface bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape.
"This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News.
UEFI bootkits are deployed in the system firmware and allow full control over the operating system boot process, thereby making it possible to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges.
BlackLotus, in a nutshell, exploits a security flaw tracked as CVE-2022-21894 to get around UEFI Secure Boot protections and set up persistence.
Successful exploitation of the flaw allows arbitrary code execution during the early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled without having physical access to it, ESET said.
"It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled."
News URL
https://thehackernews.com/2023/03/blacklotus-becomes-first-uefi-bootkit.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-01-11 | CVE-2022-21894 | Unspecified vulnerability in Microsoft products Secure Boot Security Feature Bypass Vulnerability | 0.0 |