BlackLotus
BlackLotus is a UEFI bootkit for Windows, widely described as the first publicly known in-the-wild bootkit capable of bypassing UEFI Secure Boot on fully updated UEFI systems, including fully patched Windows 11 hosts. It emerged on hacking forums in 2022 and was advertised for about $5,000; ESET reported the first real-world deployment in March 2023 and assessed it as a real bootkit rather than a scam. Multiple sources describe it as malware-as-a-service or commercially sold crimeware.
Its core technique is abuse of CVE-2022-21894 ("Baton Drop") to bypass Secure Boot by bringing its own copies of legitimate but vulnerable Microsoft-signed boot components that had not yet been added to the UEFI DBX revocation list. Some reporting also notes use of downgrade techniques to replace the Windows boot manager with a vulnerable version. This allowed BlackLotus to establish persistence in the EFI System Partition and execute on every boot, even on systems with Secure Boot enabled and current OS patches but outdated revocation data. Microsoft later revoked vulnerable bootloaders through DBX updates, including guidance and mitigations tied to CVE-2023-24932 and KB5025885.
After installation, BlackLotus writes files to the EFI System Partition, disables protections such as BitLocker, Hypervisor-Protected Code Integrity (HVCI/Memory Integrity), and Microsoft Defender/Windows Defender, then reboots the host to implant the bootkit. Once persistence is configured, it runs at every startup, deploys a kernel driver, and launches a final user-mode HTTP downloader. The downloader communicates with command-and-control infrastructure over HTTPS and can receive commands, download and execute additional payloads including kernel drivers, DLLs, and executables, fetch bootkit updates, and uninstall itself. The bootkit’s stated goal in several sources is to deploy a kernel driver and final user-mode component while protecting itself from removal.
BlackLotus is associated with Windows 10 and Windows 11 targets. It is repeatedly cited by ESET, NSA, Microsoft-related guidance, and Splunk analytic content as a major example of modern boot-level malware and Secure Boot bypass activity. NSA guidance states that patching alone may not fully mitigate the threat unless revocations and additional hardening steps are applied. Reported anti-analysis and operator tradecraft includes geofencing logic: the installer skips hosts whose regional settings are Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, or Ukraine, with the exact list of nearby post-Soviet and Eastern European locales varying by source.
High-confidence indicators and artifacts directly mentioned in the content include the driver blacklotus_driver.sys and sample hashes such as SHA256 749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c and f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae; SHA1 17fa047c1f979b180644906fe9265f21af5b0509, 1f3799fed3cf43254fe30dcdfdb8dc02d82e662b, 4B882748FAF2C6C360884C6812DD5BCBCE75EBFF, 91F832F46E4C38ECC9335460D46F6F71352CFFED, 994DC79255AEB662A672A1814280DE73D405617A, and FFF4F28287677CAABC60C8AB36786C370226588D; and MD5 4ad8fd9e83d7200bd7f8d0d4a9abfb11 and a42249a046182aaaf3a7a7db98bfa69d. One cited service creation example uses sc.exe to create and start the kernel driver from C:\windows\temp\blacklotus_driver.sys.
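As an added example (not from this page or from any vendor's tooling), the following Python script hunts for the artifacts listed above in two places a defender controls: process-creation log lines, where it flags an `sc.exe create` of a kernel driver whose binary lives under a `\temp\` directory or carries the `blacklotus_driver.sys` name, and a directory tree such as a mounted EFI System Partition, where it matches file names and MD5/SHA-1/SHA-256 digests against the indicators quoted on this page. The log lines, the directory layout and the file contents are constructed for the demo; the page only says sc.exe created and started the driver from `C:\windows\temp\blacklotus_driver.sys`, so the exact command-line syntax below is an assumption.

```python
"""Offline hunt for the BlackLotus artifacts quoted on this page (added example).
Hash and filename indicators are the page's; log lines, the sc.exe command line,
the directory layout and file contents are constructed for the demo."""
import hashlib
import os
import re
import tempfile

# Hash indicators quoted on the page (lowercase hex for comparison).
KNOWN_HASHES = {
    "sha256": {
        "749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c",
        "f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae",
    },
    "sha1": {h.lower() for h in (
        "17fa047c1f979b180644906fe9265f21af5b0509",
        "1f3799fed3cf43254fe30dcdfdb8dc02d82e662b",
        "4B882748FAF2C6C360884C6812DD5BCBCE75EBFF",
        "91F832F46E4C38ECC9335460D46F6F71352CFFED",
        "994DC79255AEB662A672A1814280DE73D405617A",
        "FFF4F28287677CAABC60C8AB36786C370226588D",
    )},
    "md5": {
        "4ad8fd9e83d7200bd7f8d0d4a9abfb11",
        "a42249a046182aaaf3a7a7db98bfa69d",
    },
}

# Driver filename quoted on the page.
KNOWN_FILENAMES = {"blacklotus_driver.sys"}

SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\b", re.IGNORECASE)
BINPATH_RE = re.compile(r'binpath=\s*"?([^"\s]+)', re.IGNORECASE)
KERNEL_TYPE_RE = re.compile(r"type=\s*kernel\b", re.IGNORECASE)


def hash_bytes(data):
    """MD5, SHA-1 and SHA-256 hex digests of a buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def suspicious_service_create(cmdline):
    """Return the binary path if the command line is an sc.exe 'create' of a kernel
    driver whose binary sits under a \\temp\\ directory, or of any service whose
    binary carries the page's driver filename; otherwise None."""
    if not SC_CREATE_RE.search(cmdline):
        return None
    m = BINPATH_RE.search(cmdline)
    if not m:
        return None
    binpath = m.group(1)
    lowered = binpath.replace("/", "\\").lower()
    filename = lowered.rsplit("\\", 1)[-1]
    kernel_from_temp = (
        KERNEL_TYPE_RE.search(cmdline) is not None
        and "\\temp\\" in lowered
        and filename.endswith(".sys")
    )
    return binpath if (filename in KNOWN_FILENAMES or kernel_from_temp) else None


def hunt_log(lines):
    """Apply the service-creation rule to process-creation log lines."""
    return [(line, p) for line in lines if (p := suspicious_service_create(line))]


def scan_tree(root, hashes=KNOWN_HASHES):
    """Walk a directory (a mounted ESP or a copy of C:\\windows\\temp) and return
    (path, reason) for every file whose name or digest matches an indicator."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in KNOWN_FILENAMES:
                hits.append((path, "filename:" + name.lower()))
            with open(path, "rb") as fh:
                digests = hash_bytes(fh.read())
            for algo, value in digests.items():
                if value in hashes[algo]:
                    hits.append((path, f"{algo}:{value}"))
    return hits


# Constructed log lines (not real telemetry); the sc.exe syntax is an assumption.
CONSTRUCTED_LOG = [
    "4688 sc.exe create blacklotus type= kernel binPath= C:\\windows\\temp\\blacklotus_driver.sys",
    "4688 sc.exe start blacklotus",
    '4688 sc.exe create AgentSvc type= own binPath= "C:\\Program Files\\Agent\\agent.exe"',
]


def demo():
    """Run both checks over constructed input; returns (log hits, set of file-hit reasons)."""
    stand_in = b"constructed stand-in for a sample; not malware"
    hashes = {algo: set(vals) for algo, vals in KNOWN_HASHES.items()}
    hashes["sha256"].add(hash_bytes(stand_in)["sha256"])  # demo-only digest of the stand-in
    with tempfile.TemporaryDirectory() as root:
        boot = os.path.join(root, "EFI", "Microsoft", "Boot")
        os.makedirs(boot)
        with open(os.path.join(boot, "blacklotus_driver.sys"), "wb") as fh:
            fh.write(b"constructed placeholder")
        with open(os.path.join(boot, "installer.bin"), "wb") as fh:
            fh.write(stand_in)
        with open(os.path.join(boot, "bootmgfw.efi"), "wb") as fh:
            fh.write(b"benign placeholder")
        file_hits = scan_tree(root, hashes)
    return hunt_log(CONSTRUCTED_LOG), {reason for _, reason in file_hits}


if __name__ == "__main__":
    log_hits, reasons = demo()
    print("service-create hits:", [p for _, p in log_hits], "file hits:", sorted(reasons))
```

Point `scan_tree` at a mounted ESP (or an offline copy of it) and `hunt_log` at exported process-creation events; the hash sets are a plain dict, so additional indicators from a vendor feed can be merged in without changing the matching logic.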
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories.
Such a vector can be used to deploy full-fledged UEFI bootkits, BlackLotus or Bootkitty, even with Secure Boot enabled. | CVE-2024-7344, discovered by ESET researcher Martin Smolár, affects the Reloader UEFI application, a component of several recovery utilities: Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, CES NeoImpact. According to ESET, WASAY eRecoveryRX and SignalComputer HDD King are also affected.
In March 2023 ESET recorded the first deployment of BlackLotus in real-world attacks. The UEFI bootkit, sold on criminal forums for roughly $5,000... bypassed Secure Boot on Windows 11 with a current OS patch but an outdated dbx, via CVE-2022-21894. | BlackLotus bypassed Secure Boot on Windows 11 with a current OS patch but an outdated dbx, via CVE-2022-21894... Microsoft revoked the vulnerable bootloaders through dbx only in May 2023 (KB5025885).
BlackLotus is a UEFI bootkit that emerged on hacking forums in 2022 and was confirmed in the wild by researchers in early 2023. It exploited CVE-2022-21894, nicknamed “Baton Drop,” to bypass Secure Boot on fully patched Windows systems. | Microsoft addressed the underlying flaw in CVE-2023-24932, but fixing vulnerable boot managers safely is complicated. Revoking the wrong boot components can leave systems unbootable, which is why Microsoft has rolled out protections gradually over several years.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Persistence
6 techniques
The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality. Once the persistence is configured, the BlackLotus bootkit is executed on every system start.
CVE-2026-50507 is a BitLocker bypass requiring physical access... Ten Secure Boot patches this month carry what CVSS calls “scope change,” meaning exploitation pushes past the vulnerable component into boot integrity, Virtual Secure Mode, and pre-OS execution.
Security researchers from Binarly and ESET have uncovered “Bootkitty,” the first-ever UEFI bootkit designed to target Linux systems.
In MITRE ATT&CK terms this is Bootkit (T1542.003) and System Firmware (T1542.001): persistence and stealth at the final stages of the chain.
Privilege Escalation
5 techniques
BlackLotus takes advantage of a vulnerability that has been present for over a year (known as CVE-2022-21894) to bypass UEFI Secure Boot and establish persistence for the bootkit.
“can use WTSQueryUserToken and CreateProcessAsUserW to execute downloaded payloads… with local system privileges.”
Stealth
9 techniques
The bootkit's goal is to deploy a kernel driver and a final user-mode component.
“installer registers itself to be deleted… after… exploitation… removes traces… by deleting all files included in exploitation chain…”
Earlier this year, security researchers explained how BlackLotus was taking advantage of this, 'bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.'
BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability...
Certain BlackLotus installation packages, as analyzed by ESET, refrain from carrying out the installation of the bootkit in case the affected host employs regional settings associated with Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.
Defense Impairment
4 techniques
Discovery
3 techniques
“checks the internet connection by querying… www.msftncsi[.]com/ncsi[.]txt”
Command and Control
4 techniques
It also deploys an HTTP downloader that enables communication with the Command and Control server and has the ability to load further user-mode or kernel-mode payloads.
...an HTTP downloader that communicates with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware... the latter is capable of executing commands received from the C2 server over HTTPS.
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
41 sources tracked across advisories, community write-ups, and news.
BlackLotus is referenced in the context of Secure Boot and pre-OS execution research, indicating a bootkit/rootkit associated with bypassing boot integrity protections and enabling execution before the operating system loads.
UEFI bootkit mentioned as deployable via a vulnerable signed bootloader to achieve pre-OS execution and persistence even when Secure Boot is enabled.
UEFI bootkit sold as MaaS that bypasses Secure Boot on Windows 11 by abusing outdated dbx revocation state and CVE-2022-21894, installs a persistent UEFI module in the EFI System Partition, survives OS reinstallation, and can disable Windows Defender, HVCI, and BitLocker.
A UEFI bootkit that bypasses Secure Boot and, once installed, can disable BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender before Windows fully loads.