
I Wiped My Hard Drive, But the Malware Stayed: Understanding Firmware Malware
TL;DR
- Firmware malware lives in the UEFI firmware and survives a full OS wipe.
- The first UEFI bootkit, LoJax, was discovered in 2018 by ESET and was used by Fancy Bear (APT28) [ESET — LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group (2018)].
- Black Lotus, a commercial bootkit sold for $5,000, bypasses Secure Boot, disables BitLocker, HVCI, and Defender, and includes geofencing that blocks installation in CIS countries [SecurityWeek — New BlackLotus UEFI bootkit (2023)].
- Moonbounce and TrickBoot show that firmware implants can survive updates, hide in SPI flash, and even brick devices [Securelist — MoonBounce the dark side of UEFI firmware (2022); Huntress — Rapid response: TrickBoot (2020)].
- Mitigation requires firmware updates, Secure Boot revocation, TPM, Microsoft Defender UEFI scanning, and following vendor guidance.
Why this matters
Firmware malware persists even after wiping the hard drive and reinstalling Windows because it runs before the operating system starts. Antivirus tools, which only see the OS, miss these attacks. Secure Boot can be bypassed by exploiting firmware vulnerabilities, and supply-chain attacks can compromise firmware before the device reaches the customer. This hidden layer of attack can silently exfiltrate data, disable security software, and give attackers persistent footholds that are hard to detect or remove.
Core concepts
UEFI replaced BIOS on modern computers and is the interface that loads the OS. It locates the boot loader on the EFI System Partition, hands off to the OS kernel, and can load signed drivers. A bootkit writes malicious code into the UEFI image or into the SPI flash memory that holds the firmware. Because the firmware is loaded before any OS security is enabled, the malware can disable BitLocker, hypervisor-protected code integrity (HVCI), and Windows Defender, and can persist across OS reinstalls and even hard-drive replacements.
- LoJax was the first confirmed UEFI firmware malware, discovered in 2018 by ESET researchers and later found in government systems in Eastern Europe [ESET — What you need to know about LoJax—the new stealthy malware from Fancy Bear (2018)].
- Cosmic Strand has infected consumer-grade Gigabyte and ASUS motherboards since 2016, hiding in the firmware image and exploiting a flaw in the H81 chipset [Securelist — CosmicStrand UEFI firmware rootkit (2022)].
- Moonbounce lives in the SPI flash memory on motherboards and can survive firmware updates, making it difficult to remove [Securelist — MoonBounce the dark side of UEFI firmware (2022)].
- TrickBoot can read, write, and erase UEFI firmware, allowing attackers to plant rootkits and even brick devices [Huntress — Rapid response: TrickBoot (2020)].
- Black Lotus is a commercial bootkit sold for $5,000 per license. It bypasses Secure Boot via CVE-2022-21894, disables BitLocker, HVCI, and Defender, and uses geofencing to avoid CIS countries [SecurityWeek — New BlackLotus UEFI bootkit (2023)]. The leak of its source code on GitHub lowered the barrier to exploitation [SecurityWeek — BlackLotus UEFI bootkit source code leaked on GitHub (2023)].
| Component | Role | Limitation |
|---|---|---|
| UEFI firmware | Boots OS, can load signed drivers, persists across OS reinstalls. | Hard to detect without specialized tools. |
| BIOS | Legacy firmware; still present on older systems. | Less powerful, but still vulnerable to bootkits. |
| Secure Boot | Validates signatures before loading code, protects against bootkits. | Vulnerabilities can bypass; revocation updates lag; requires correct certificates. |
Detection and mitigation
- Microsoft released a UEFI scanner in Defender for Endpoint that checks the firmware filesystem for malicious code. It is available on Windows 10/11 and Server 2019+ [Microsoft — Firmware (UEFI) scanning in Defender for Endpoint (2025)].
- Secure Boot revocation lists (dbx) are updated monthly. Microsoft published a guide to manage revocations for the BlackLotus bypass (CVE-2022-21894) and other CVEs [Microsoft — How to manage the Windows Boot Manager revocations for Secure Boot (2023)].
- TPM 2.0 provides hardware-backed attestation and helps enforce Secure Boot. Enabling TPM is a prerequisite for Windows 11 and is recommended for all modern PCs [Microsoft — Enable TPM 2.0 on your PC (2021)].
- Intel Boot Guard offers a separate chain of trust that verifies firmware before the OS loads. It can help prevent unauthorized firmware changes even if Secure Boot is bypassed [Medium — Intel Bootguard handover to UEFI boot (2023)].
- Vendor patching is essential. Microsoft patched CVE-2025-3052, a Secure Boot bypass that could be used to install bootkits [Ars Technica — Secure Boot bypass vulnerability CVE-2025-3052 (2025)]. Other vendors have similar updates for CVE-2025-4275 and CVE-2025-47827. The most recent Secure Boot patches are listed in SentinelOne's vulnerability database [SentinelOne — CVE-2025-4275: Secure Boot Bypass Vulnerability (2025); SentinelOne — CVE-2025-47827: Secure Boot Bypass Vulnerability (2025)].
- The NSA issued a formal mitigation guide for Black Lotus in June 2023, emphasizing that patches alone are insufficient and recommending hardening steps [NSA — BlackLotus Mitigation Guide (2023)].
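Applying a revocation update is only half of the mitigation work; the other half is confirming that the hashes you expected actually landed in the machine's dbx. The example below is added here and is not code from the page or from Microsoft. It parses the on-disk layout of the dbx variable, a sequence of EFI_SIGNATURE_LIST structures as defined in the UEFI specification, and answers the question "is this boot-manager hash revoked on this system?" The signature-type GUIDs are the real ones from the specification; the owner GUID, digests and certificate bytes in the sample blob are constructed placeholders so the script runs offline.

```python
"""Parse a UEFI Secure Boot dbx (forbidden signature database) blob and check
whether a given SHA-256 image hash is revoked.

dbx is a concatenation of EFI_SIGNATURE_LIST structures. Each list has a
28-byte header followed by fixed-size EFI_SIGNATURE_DATA entries: a 16-byte
SignatureOwner GUID plus the payload (a 32-byte digest for EFI_CERT_SHA256, a
DER certificate for EFI_CERT_X509). Integers are little-endian and GUIDs use
the mixed-endian on-disk layout that Python's uuid exposes as bytes_le.
"""
from __future__ import annotations

import hashlib
import struct
import uuid
from typing import Dict, Iterator, List, NamedTuple, Set

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize.
_LIST_HEADER = struct.Struct("<16sIII")
GUID_SIZE = 16


class Signature(NamedTuple):
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes


def iter_signatures(blob: bytes) -> Iterator[Signature]:
    """Walk every EFI_SIGNATURE_DATA entry in a db/dbx blob, validating sizes so
    a truncated or corrupted variable raises instead of yielding garbage."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < _LIST_HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {offset}")
        type_raw, list_size, hdr_size, sig_size = _LIST_HEADER.unpack_from(blob, offset)
        body_start = offset + _LIST_HEADER.size + hdr_size
        body_end = offset + list_size
        if body_end > len(blob) or body_start > body_end:
            raise ValueError(f"EFI_SIGNATURE_LIST at offset {offset} overruns the blob")
        if sig_size <= GUID_SIZE or (body_end - body_start) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {offset}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for pos in range(body_start, body_end, sig_size):
            entry = blob[pos:pos + sig_size]
            yield Signature(sig_type, uuid.UUID(bytes_le=entry[:GUID_SIZE]), entry[GUID_SIZE:])
        offset = body_end


def revoked_sha256_hashes(blob: bytes) -> Set[str]:
    """Lower-case hex digests of every EFI_CERT_SHA256 entry in the blob."""
    return {s.data.hex() for s in iter_signatures(blob) if s.sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, digest_hex: str) -> bool:
    """True if the given Authenticode SHA-256 digest of a boot image is in dbx."""
    return digest_hex.strip().lower() in revoked_sha256_hashes(blob)


def summarize(blob: bytes) -> Dict[str, int]:
    """Count entries per signature type, so an update can be confirmed to have
    added the expected number of hashes or certificates."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    counts: Dict[str, int] = {}
    for sig in iter_signatures(blob):
        key = names.get(sig.sig_type, str(sig.sig_type))
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: List[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = GUID_SIZE + len(payloads[0])
    if any(GUID_SIZE + len(p) != sig_size for p in payloads):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + p for p in payloads)
    return _LIST_HEADER.pack(sig_type.bytes_le, _LIST_HEADER.size + len(body), 0, sig_size) + body


# --- Constructed sample data: not a real dbx; owner GUID, digests and cert are made up ---
CONSTRUCTED_OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")
REVOKED_A = hashlib.sha256(b"constructed boot manager image A").digest()
REVOKED_B = hashlib.sha256(b"constructed boot manager image B").digest()
NOT_REVOKED = hashlib.sha256(b"constructed boot manager image C").digest()
FAKE_CERT = b"\x30\x82\x00\x10" + bytes(16)  # placeholder bytes, not a real certificate
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, CONSTRUCTED_OWNER, [REVOKED_A, REVOKED_B])
    + build_signature_list(EFI_CERT_X509_GUID, CONSTRUCTED_OWNER, [FAKE_CERT])
)

if __name__ == "__main__":
    print("entries by type:", summarize(SAMPLE_DBX))
    for label, digest in (("A", REVOKED_A), ("C", NOT_REVOKED)):
        print(f"image {label} {digest.hex()[:16]}... revoked: {is_revoked(SAMPLE_DBX, digest.hex())}")
```

To run this against a live machine, replace SAMPLE_DBX with the real variable contents: on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes` written to a file; on Linux, the file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` with its first four bytes (the variable attributes) stripped. Note that the SHA-256 entries in dbx are Authenticode hashes of the PE image, not plain file hashes, so the digest you look up must be computed the same way the firmware does.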
Pitfalls & edge cases
- Some firmware updates can overwrite malware, but others may preserve it, especially if the update does not rewrite the entire SPI flash or if the bootloader remains vulnerable. Black Lotus can survive a firmware update on fully patched Windows 11 systems [Microsoft — Guidance for investigating attacks using CVE-2022-21894 (2023)].
- Supply-chain attacks are difficult to detect because the malware is introduced before the device reaches the customer. The DHS/Commerce report highlights the risk of pre-manufactured firmware compromise [Redballoon Security — DHS and Commerce report on firmware security (2022)].
- Geofencing in Black Lotus prevents installation in CIS countries but also complicates legitimate use for users in those regions. The feature was designed to avoid detection by law enforcement and to reduce the risk of being caught in targeted jurisdictions [SecurityWeek — New BlackLotus UEFI bootkit (2023)].
Quick FAQ
Q: How widespread is Cosmic Strand infection in consumer devices worldwide?
A: The Securelist report indicates that Cosmic Strand was active silently since the end of 2016 and was found on a range of Gigabyte and ASUS motherboards, though exact prevalence is unknown.
Q: What method did Cosmic Strand use to compromise firmware before distribution?
A: The rootkit was embedded in the firmware image of motherboards that used the H81 chipset, exploiting a flaw that allowed unauthorized code injection.
Q: How effective are current firmware update mechanisms in removing rootkits like Black Lotus and Moonbounce?
A: Firmware updates can remove malware if they rewrite the entire SPI flash or update the bootloader, but some updates only patch specific modules, allowing rootkits to survive.
Q: What detection methods exist for firmware-level malware without specialized tools?
A: Microsoft Defender’s UEFI scanner, Secure Boot revocation lists, TPM attestation, and vendor-supplied firmware integrity checks are the primary methods.
Q: What practical steps can organizations take to secure firmware against future attacks?
A: Keep firmware up to date, enable Secure Boot and TPM, use Microsoft Defender UEFI scanning, monitor for revocation updates, and implement secure-boot revocation management.
Q: How does Black Lotus’ geofencing mechanism prevent installation in specific countries?
A: It checks the device’s geographic location during installation and aborts if the machine is located in Russia, Belarus, Kazakhstan, Armenia, Moldova, Romania, or Ukraine.
Q: Are there hardware components that can be upgraded or replaced to mitigate firmware-level attacks?
A: Replacing motherboards with ones that support Intel Boot Guard or TPM, and using vendor-supplied signed firmware updates, can reduce risk.
Conclusion
Firmware malware is a stealthy, persistent threat that can survive OS reinstall, bypass Secure Boot, and disable critical security features. The best defense is a layered approach: keep firmware updated, enforce Secure Boot and TPM, use Microsoft Defender's UEFI scanner, monitor for revocation updates, and follow vendor guidance. System administrators should treat firmware as a first-line defense, not an afterthought. Only by securing the lowest level of the boot chain can we stop attackers from staying hidden in the firmware.
References
- ESET — LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group (2018): https://www.eset.com/me/uefi-rootkit-cyber-attack-discovered/
- ESET — What you need to know about LoJax—the new stealthy malware from Fancy Bear (2018): https://www.eset.com/us/about/newsroom/corporate-blog/what-you-need-to-know-about-lojax-the-new-stealthy-malware-from-fancy-bear/
- Securelist — CosmicStrand UEFI firmware rootkit (2022): https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
- Securelist — MoonBounce the dark side of UEFI firmware (2022): https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
- Huntress — Rapid response: TrickBoot (2020): https://www.huntress.com/blog/rapid-response-trickboot
- Microsoft — Firmware (UEFI) scanning in Defender for Endpoint (2025): https://learn.microsoft.com/en-us/defender-endpoint/uefi-scanning-in-defender-for-endpoint
- Microsoft — How to manage the Windows Boot Manager revocations for Secure Boot (2023): https://support.microsoft.com/en-au/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
- Microsoft — Enable TPM 2.0 on your PC (2021): https://support.microsoft.com/en-us/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c
- Medium — Intel Bootguard handover to UEFI boot (2023): https://medium.com/@sekyourityblog/intel-bootguard-handover-to-uefi-boot-96b502740efd
- SentinelOne — CVE-2025-4275: Secure Boot Bypass Vulnerability (2025): https://www.sentinelone.com/vulnerability-database/cve-2025-4275/
- SentinelOne — CVE-2025-47827: Secure Boot Bypass Vulnerability (2025): https://www.sentinelone.com/vulnerability-database/cve-2025-47827/
- NSA — BlackLotus Mitigation Guide (2023): https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3435305/nsa-releases-guide-to-mitigate-blacklotus-threat/
- Redballoon Security — DHS and Commerce report on firmware security (2022): https://redballoonsecurity.com/dhs-department-of-commerce-get-it-right-firmware-security-is-overlooked-and-a-genuine-cybersecurity-risk/
- Crowdfense — Windows AppLocker Driver LPE Vulnerability (2024): https://www.crowdfense.com/windows-applocker-driver-lpe-vulnerability-cve-2024-21338/
- Ars Technica — Secure Boot bypass vulnerability CVE-2025-3052 (2025): https://arstechnica.com/security/2025/06/unearthed-in-the-wild-2-secure-boot-exploits-microsoft-patches-only-1-of-them/
- SecurityWeek — New BlackLotus UEFI bootkit (2023): https://www.securityweek.com/new-black-lotus-uefi-rootkit-provides-apt-level-capabilities-cybercriminals/
- SecurityWeek — BlackLotus UEFI bootkit source code leaked on GitHub (2023): https://www.securityweek.com/blacklotus-uefi-bootkit-source-code-leaked-on-github/
- Microsoft — Guidance for investigating attacks using CVE-2022-21894 (2023): https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
