Vol. 1 · Ed. 2026
CyberGlossary
Entry № 135

Bootkit

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Bootkit?

Bootkit: Malware that infects the boot process (MBR, VBR, or UEFI) to load before the operating system and obtain persistent, privileged control.


A bootkit is a specialized rootkit that compromises early boot components: the Master Boot Record (MBR) or Volume Boot Record (VBR) on legacy BIOS systems, or the boot manager, EFI System Partition (ESP) and UEFI firmware on modern systems. Because its code runs before the OS kernel and before any security product loads, it can patch the kernel as it is loaded, disable defences such as code-signing enforcement, and survive an OS reinstall; a firmware-resident implant even survives a disk replacement. Modern bootkits typically drop a malicious or downgraded loader on the ESP and edit the UEFI boot variables to point at it, or write themselves into the SPI flash firmware image.

Detection relies on checks the bootkit cannot influence from inside the running OS: comparing firmware and ESP contents against known-good hashes, Measured Boot with TPM attestation (each boot component is hashed into a PCR before it runs, so a swapped loader changes the PCR values and fails a local or remote policy check), and offline forensic imaging of boot media and firmware. Mitigations include enforcing UEFI Secure Boot with a current forbidden-signature database (dbx) so that revoked but still-signed loaders no longer boot, protecting firmware settings with a password, disabling legacy CSM boot so an MBR cannot be used as a fallback path, and sealing full-disk-encryption keys to TPM PCR values so the volume stays locked, and the tampering is surfaced as a recovery prompt, when the boot chain changes. Full-disk encryption on its own does not detect boot-chain tampering: the boot components sit outside the encrypted volume, which is exactly where a bootkit lives.
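The Measured Boot check described above, as an added example that is not code from this page or from any TPM or OS vendor: a Python replay of a constructed, simplified TPM event log against a golden PCR baseline, with three constructed tampering scenarios modelled on the examples below (a downgraded but still-signed loader, a firmware implant, and Secure Boot switched off). The event-log tuples, component names, build numbers and the sealed-key helper are assumptions for illustration; a real log is a binary TCG_PCR_EVENT2 structure and some events carry precomputed digests rather than raw data.

```python
"""Measured Boot verification: replay a TPM 2.0 event log and compare the
resulting PCR values against a golden baseline.

Added example, not code from this page or any TPM vendor. The event log is a
constructed, simplified list of (pcr_index, event_type, measured_bytes); a
real log is a binary TCG_PCR_EVENT2 structure and some events carry
precomputed digests rather than raw data. Golden values are derived from the
constructed clean log, so they are illustrative, not real-world PCR values.
"""
import hashlib

PCR_SIZE = 32  # SHA-256 bank; a fresh PCR is all zero bytes

# Constructed event log for a clean boot. PCR0 holds firmware code, PCR4 the
# boot manager and OS loader, PCR7 the Secure Boot policy and certificates.
CLEAN_BOOT_LOG = [
    (0, "EV_S_CRTM_VERSION", b"OEM firmware 1.2.3"),
    (0, "EV_EFI_PLATFORM_FIRMWARE_BLOB", b"CORE_DXE driver volume (clean)"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"dbx revocation list 2023-05"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"bootmgfw.efi build 22621"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"winload.efi build 22621"),
]


def extend(pcr: bytes, measured: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = SHA-256(PCR_old || SHA-256(measured))."""
    return hashlib.sha256(pcr + hashlib.sha256(measured).digest()).digest()


def replay(log):
    """Recompute every PCR from the log, exactly as the TPM did at boot."""
    pcrs = {}
    for idx, _event_type, measured in log:
        pcrs[idx] = extend(pcrs.get(idx, bytes(PCR_SIZE)), measured)
    return pcrs


def golden_policy(log, indices=(0, 4, 7)):
    """Record the expected PCR values from a known-good boot."""
    pcrs = replay(log)
    return {i: pcrs[i].hex() for i in indices}


def verify(log, policy):
    """Return the names of PCRs whose replayed value differs from policy."""
    pcrs = replay(log)
    return [f"PCR{i}" for i, expected in policy.items()
            if pcrs.get(i, bytes(PCR_SIZE)).hex() != expected]


def unseal_fde_key(log, policy, sealed_key=b"constructed-volume-master-key"):
    """Model a TPM-sealed disk key: released only when the boot chain matches.
    A bootkit that changes any measured component leaves the disk locked."""
    return sealed_key if not verify(log, policy) else None


GOLDEN = golden_policy(CLEAN_BOOT_LOG)


# Three constructed tampering scenarios modelled on the examples on this page.
def downgraded_bootloader_log():
    """BlackLotus-style: an older, still-signed boot manager is placed on the
    ESP. Secure Boot still passes (PCR7 unchanged) but PCR4 changes."""
    log = list(CLEAN_BOOT_LOG)
    log[4] = (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"bootmgfw.efi build 19041")
    return log


def firmware_implant_log():
    """MoonBounce-style: the CORE_DXE volume in SPI flash is modified, so the
    firmware measurement in PCR0 changes before any disk is read."""
    log = list(CLEAN_BOOT_LOG)
    log[1] = (0, "EV_EFI_PLATFORM_FIRMWARE_BLOB", b"CORE_DXE driver volume (implanted)")
    return log


def secure_boot_disabled_log():
    """Secure Boot switched off in setup: the policy measurement in PCR7 changes."""
    log = list(CLEAN_BOOT_LOG)
    log[2] = (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=0")
    return log


if __name__ == "__main__":
    for name, log in [("clean", CLEAN_BOOT_LOG),
                      ("downgraded loader", downgraded_bootloader_log()),
                      ("firmware implant", firmware_implant_log()),
                      ("Secure Boot off", secure_boot_disabled_log())]:
        bad = verify(log, GOLDEN)
        key = unseal_fde_key(log, GOLDEN)
        print(f"{name:18s} mismatch: {', '.join(bad) or 'none':<10} "
              f"disk key released: {key is not None}")
```

The point the replay makes is that the three scenarios are caught by different PCRs: a signed-but-downgraded loader never trips Secure Boot (PCR7), only the code measurement (PCR4), which is why a dbx that is not kept current leaves a gap. On a real host the log to replay is the binary TCG log (on Linux `/sys/kernel/security/tpm0/binary_bios_measurements`, readable with `tpm2_eventlog` from tpm2-tools and cross-checked with `tpm2_pcrread`; on Windows the Measured Boot logs under `%SystemRoot%\Logs\MeasuredBoot`), and the golden values should be taken from a trusted reference build, not from the machine under suspicion.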

Examples

  1. BlackLotus, a UEFI bootkit that bypassed Secure Boot on fully patched Windows systems by placing an older, still-signed Windows boot manager vulnerable to CVE-2022-21894 ("Baton Drop") on the ESP; the vulnerable binaries had not yet been added to the dbx revocation list, so Secure Boot accepted them.

  2. MoonBounce, an APT-grade UEFI firmware implant embedded in the SPI flash image (inside the CORE_DXE component), so it survives OS reinstallation and even replacement of the disk.

Frequently asked questions

What is Bootkit?

Malware that infects the boot process — MBR, VBR, or UEFI — to load before the operating system and obtain persistent, privileged control. It belongs to the Malware category of cybersecurity.

How do you defend against Bootkit?

Defences for Bootkit combine technical controls (UEFI Secure Boot with an up-to-date dbx revocation list, Measured Boot with TPM attestation, firmware setup passwords, legacy CSM boot disabled, full-disk-encryption keys sealed to TPM PCR values) with operational practices (prompt firmware updates, baseline hashing of firmware and ESP contents, and offline forensic imaging of boot media when compromise is suspected), as detailed in the full definition above.

What are other names for Bootkit?

Common alternative names include: Boot rootkit, MBR rootkit.
