BlackLotus
the first publicly documented UEFI bootkit to bypass Secure Boot on fully patched Windows 11 systems — identified in 2023, exploiting CVE-2022-21894 (BootHole descendant)
Survives reimaging
firmware implants persist through OS reinstallation, hard drive replacement, and standard incident response procedures — requiring hardware-level remediation
16%
of enterprise endpoints in a 2024 HP survey had UEFI firmware that was more than 2 versions behind current — each outdated version potentially contains unpatched firmware vulnerabilities
UEFI Secure Boot
cryptographically verifies the boot chain — but only if properly configured; disabled Secure Boot, revoked-but-not-enforced certificates, and shim exploits all undermine its protection

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Firmware is the software that initializes hardware before the operating system loads. UEFI (Unified Extensible Firmware Interface) is the modern firmware standard that replaced BIOS on most enterprise hardware manufactured after 2012. Firmware runs with higher privilege than the OS kernel — it executes before the OS, can modify OS behavior, and is not visible to OS-level security tools.

Firmware attacks create persistence at the most durable layer of the system stack. A firmware implant embedded in the UEFI firmware of a device survives: OS reinstallation, hard drive replacement, EDR agent reinstallation, and all standard incident response procedures short of firmware reflashing. Nation-state actors have demonstrated firmware persistence (CosmicStrand, MoonBounce in the wild; BlackLotus sold commercially). While firmware attacks remain relatively rare — they require significant technical sophistication — the hardening controls are within reach of enterprise security teams.

How UEFI attacks work: the attack chain

Understanding the UEFI attack chain clarifies what Secure Boot protects and what additional controls are needed.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Enterprise firmware hardening controls

These controls reduce firmware attack surface and improve detection capability. Most can be implemented through enterprise management tooling without physical hardware access.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Detecting firmware compromise

Firmware implants are designed to be undetectable from within the OS. Detection requires either pre-boot measurement or hardware-level inspection.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Firmware attacks represent the most persistent category of endpoint compromise — they survive the incident response procedures designed to eradicate OS-level threats. Enterprise hardening focuses on: keeping Secure Boot enabled and its revocation database current, treating firmware updates with the same urgency as OS patches, configuring TPM-based attestation for boot chain integrity monitoring, and deploying OEM firmware integrity tools where available. The reality for most enterprises: firmware attacks by sophisticated threat actors remain rare, but the hardening controls are standard security hygiene that should be implemented regardless — they protect against both targeted attacks and commodity tools that have incorporated bootkit capabilities.

Frequently asked questions

How is BlackLotus different from previous UEFI bootkits?

Previous UEFI bootkits required either physical access, a vulnerable firmware version, or disabling Secure Boot to install. BlackLotus (identified 2023) was the first publicly documented bootkit to bypass Secure Boot on fully patched Windows 11 systems by exploiting a vulnerability in the Windows Boot Manager shim that had been patched but not revoked in Secure Boot's revocation database (dbx). The distinction: Secure Boot was enabled and functioning, but because the vulnerable bootloader was still in the allowlist (not revoked), BlackLotus could install a malicious version of the vulnerable component and have it pass Secure Boot verification. Microsoft subsequently issued dbx updates to revoke the vulnerable bootloader hashes — but only systems with current dbx databases are protected.

Can EDR detect firmware implants?

EDR tools operating at the OS level cannot directly detect firmware implants because firmware executes before the OS and EDR agent load. EDR can detect behavioral indicators: unusual early-boot drivers, suspicious boot configuration modifications, or changes to Secure Boot settings. Microsoft Defender for Endpoint integrates with Windows Measured Boot and TPM attestation to detect boot-chain tampering. OEM-specific firmware integrity tools (Dell SafeBIOS, HP Sure Start) provide firmware-level detection that EDR cannot. For comprehensive firmware threat detection: combine EDR behavioral monitoring, OEM firmware integrity tools, and TPM attestation-based device compliance policies.

Does replacing the hard drive remove a firmware implant?

No — firmware implants persist in the device's UEFI firmware, which is stored in an SPI flash chip on the motherboard, separate from the hard drive or SSD. Replacing the hard drive, reinstalling the OS, or reformatting removes OS-level and disk-resident malware but does not affect firmware implants. Remediation of confirmed firmware compromise requires: reflashing the UEFI firmware with a clean OEM-provided image (using OEM tools or hardware flash programmers), verifying the reflash with TPM attestation, and in cases of suspected hardware-level implants (state-actor implants in hardware components), hardware replacement may be the only assured remediation.

Sources & references

  1. NIST SP 800-147: BIOS Protection Guidelines
  2. UEFI Forum Security Resources
  3. Microsoft Secure Boot documentation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.