Pirated Windows 10 ISOs install clipper malware via EFI partitions (Security News, June 2023)

Hackers are distributing pirated Windows 10 ISOs via torrents that hide cryptocurrency-stealing clipper malware in the EFI partition to evade detection.
The EFI partition is a small system partition containing the bootloader and related files executed before the operating system's startup.
It is essential on UEFI-based systems, which have replaced the legacy BIOS. Some attacks, such as BlackLotus, have used modified EFI partitions to run malware before the operating system starts, outside the reach of the OS and its defensive tooling.
The pirated Windows 10 ISOs discovered by researchers at Dr. Web merely use EFI as a safe storage space for the clipper components.
Because standard antivirus tools do not commonly scan the EFI partition, components stored there can evade detection.
The executable is then launched, and it injects the clipper DLL into the legitimate %WINDIR%\System32\Lsaiso process.
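Because the EFI System Partition is normally unmounted and unscanned, a quick way to check a suspect machine is to mount it and list anything that does not belong to the stock bootloader tree. The script below is an added example written for this page, not code from the article or from Dr.Web's report; it assumes an elevated PowerShell session, that drive letter S: is free, and that the path patterns in $Expected describe a stock Windows ESP (OEM recovery directories or third-party bootloaders will need to be added to that list).

```powershell
# Added example (not from the article or Dr.Web's report): mount the EFI System
# Partition of the boot disk and flag files outside the expected bootloader tree.
# Assumptions: run as Administrator; S: is an unused drive letter; $Expected lists
# the directories a stock Windows ESP contains and may need tuning per machine.
$Letter   = 'S:'
$Expected = @(
    '^\\EFI\\Microsoft\\Boot\\',            # bootmgfw.efi, BCD, fonts, resources
    '^\\EFI\\Microsoft\\Recovery\\',        # recovery BCD
    '^\\EFI\\Boot\\boot[a-z0-9]+\.efi$'     # fallback loader, e.g. bootx64.efi
)

mountvol $Letter /S | Out-Null              # /S mounts the ESP of the boot disk
try {
    $findings = Get-ChildItem -LiteralPath "$Letter\" -Recurse -File -Force |
        ForEach-Object {
            $rel   = $_.FullName.Substring($Letter.Length)
            $known = $Expected | Where-Object { $rel -match $_ } | Select-Object -First 1
            $flag  = if ($known) { '' }
                     elseif ($_.Extension -in '.exe', '.dll') { 'PE file outside boot tree' }
                     else { 'unexpected path' }
            [pscustomobject]@{
                Path   = $rel
                Size   = $_.Length
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Flag   = $flag
            }
        } | Where-Object { $_.Flag -ne '' }

    if ($findings) { $findings | Format-Table -AutoSize }
    else           { 'No files outside the expected ESP layout.' }
}
finally {
    mountvol $Letter /D | Out-Null          # always unmount the ESP again
}
```

Anything reported as a PE file is worth pulling for analysis, since a stock ESP contains no .exe or .dll files at all. The layout check alone will not catch a tampered bootloader that keeps its normal name and location, so for a full audit compare the SHA256 column against hashes taken from a known-good installation of the same Windows build.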