LoJax
LoJax is a UEFI firmware implant/rootkit and bootkit publicly reported in 2018 as the first known in-the-wild UEFI rootkit. It is described as a repurposed version of the legitimate LoJack anti-theft software and has been attributed to the Sednit threat group, also tracked as APT28 and Fancy Bear. The malware targets UEFI firmware stored in SPI flash, enabling highly persistent compromise that can survive operating system reinstallation and even hard-drive replacement. Public reporting also describes LoJax as using a hardware misconfiguration to infect victim UEFI firmware and as being installed remotely with tooling capable of reading and overwriting portions of firmware flash memory. The malware has been associated with use of the RWEverything utility during firmware access and modification. LoJax has been cited as a firmware implant that used an added DXE module which, on each boot, dropped an agent to disk, allowing reinfection and persistence across OS reinstalls. A specific host indicator mentioned in the content is modification of the Windows Registry BootExecute value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute from "autocheck autochk" to "autocheck autoche". LoJax is consistently referenced as a rare real-world SPI-flash/UEFI implant and as part of APT28’s persistence toolkit.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The first known case of a real-world attack targeting the UEFI came in 2018 with the discovery of malware dubbed LoJax. A repurposed version of legitimate anti-theft software known as LoJack, it was created by the Kremlin-backed hacking group tracked under names including Sednit, Fancy Bear, and APT 28.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence
7 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
The malware was installed remotely using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory.
Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect.
LoJax has modified the Registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute' ... in order to execute its payload during Windows startup.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
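The BootExecute change described in the summary and in the Persistence entry above is a concrete host check. The script below is an added example, not code from the page or from any vendor tooling: it flags any BootExecute entry whose program token is not the stock `autochk`, reads the live value through `winreg` when run on Windows, and otherwise audits a constructed sample. The clean default `autocheck autochk *` is assumed from a standard Windows install.

```python
import re

# Clean Windows installs carry "autocheck autochk *" (assumed default).
# Legitimate variants keep the program name and add arguments, e.g.
# "autocheck autochk /p \??\C:", so only the program token is pinned.
# The LoJax indicator swaps "autochk" for "autoche", which fails this match.
_EXPECTED = re.compile(r"^autocheck\s+autochk(?:\s+.*)?$", re.IGNORECASE)

BOOT_EXECUTE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
BOOT_EXECUTE_VALUE = "BootExecute"


def audit_boot_execute(entries):
    """Return the entries of a REG_MULTI_SZ BootExecute value that do not
    have the expected 'autocheck autochk ...' form."""
    findings = []
    for entry in entries:
        text = entry.strip()
        if not text:
            continue  # REG_MULTI_SZ data ends with an empty string
        if not _EXPECTED.match(text):
            findings.append(text)
    return findings


def read_live_boot_execute():
    """Read the live value under HKLM on Windows; return None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BOOT_EXECUTE_KEY) as key:
        data, kind = winreg.QueryValueEx(key, BOOT_EXECUTE_VALUE)
    # QueryValueEx hands back a list for REG_MULTI_SZ; normalise other types
    return list(data) if kind == winreg.REG_MULTI_SZ else [str(data)]


if __name__ == "__main__":
    live = read_live_boot_execute()
    # Constructed sample mirroring the documented LoJax change, used off-Windows
    entries = live if live is not None else ["autocheck autoche", ""]
    for hit in audit_boot_execute(entries):
        print(f"suspicious BootExecute entry: {hit!r}")
```

An empty result means every entry launches the stock autochk program; anything reported should be compared against the firmware and DXE-module indicators listed elsewhere on this page.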
Privilege Escalation
4 techniques
LoJax has modified the Registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute' ... in order to execute its payload during Windows startup.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
4 techniques
APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.
The malware was installed remotely using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory.
Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect.
Defense Impairment
2 techniques
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A real-world UEFI bootkit discovered in 2018, repurposed from LoJack anti-theft software and installed remotely by overwriting parts of UEFI firmware flash memory.
UEFI-level implant/rootkit that adds a DXE module to firmware for persistence across OS reinstallation and disk replacement, dropping an agent to disk on each boot.
UEFI bootkit referenced as detectable by the Peacock UEFI attestation/monitoring framework; no additional details provided here.
UEFI firmware bootkit that persists by modifying the system’s SPI-stored firmware, allowing it to survive OS reinstallation and hard-drive replacement. It dumps the UEFI firmware, patches it with a malicious payload, and flashes it back to the SPI chip.