UEFI Rootkit
What is UEFI Rootkit?
A rootkit implanted in UEFI firmware that loads before the OS, persists across disk wipes, and bypasses most endpoint security.
A UEFI rootkit lodges itself in the Unified Extensible Firmware Interface — the modern replacement for BIOS — typically in SPI flash modules or boot drivers. It runs before the operating system, so it can disable security controls, modify boot components, and reload other malware after OS reinstalls. Such implants are usually deployed by well-resourced threat actors, often via kernel privileges, physical access, or supply-chain compromise. Defences include enforced Secure Boot, signed firmware updates, measured boot with TPM-based attestation, vendor integrity tools (e.g., CHIPSEC), Boot Guard, BIOS write-protect, and supply-chain integrity controls for firmware updates.
● Examples
1. LoJax, the first publicly known in-the-wild UEFI rootkit.
2. MoonBounce and BlackLotus, UEFI bootkits targeting enterprises.
● Frequently asked questions
What is UEFI Rootkit?
A rootkit implanted in UEFI firmware that loads before the OS, persists across disk wipes, and bypasses most endpoint security. It is classified under the Malware category.
What does UEFI Rootkit mean?
A rootkit implanted in UEFI firmware that loads before the OS, persists across disk wipes, and bypasses most endpoint security.
How do you defend against UEFI Rootkit?
Defences for UEFI Rootkit typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for UEFI Rootkit?
Common alternative names include: UEFI implant, EFI bootkit.