Malware

BootHole

BootHole is a Secure Boot bypass and bootloader exploitation threat associated with flaws in GRUB. The provided content states that BootHole vulnerabilities in GRUB allowed arbitrary code execution via malformed configuration files and, on older hardware, could overwhelm DBX memory. It is referenced alongside other bootkit and firmware-level threats such as PKFail and BlackLotus in UEFI Secure Boot guidance from NSA and CISA/NSA. The content characterizes BootHole as relevant to persistent firmware or boot-level malware risk when Secure Boot is outdated, misconfigured, disabled, or using incomplete DBX revocation lists. It affects systems relying on UEFI Secure Boot and GRUB-based boot chains, with enterprise environments specifically discussed as exposed when Secure Boot variables and revocation databases are not properly managed. No specific threat actor, industry targeting, or concrete IOC values are provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyber security newsNews

Dec 15, 2025

CISA Releases Guidance for Managing UEFI Secure Boot on Enterprise Devices

BootHole is a vulnerability in the GRUB bootloader that allows arbitrary code execution during boot by exploiting malformed configuration files, potentially bypassing Secure Boot protections.

eclypsium blogNews

Dec 15, 2025

How to Operationalize NSA Guidance on UEFI Secure Boot at Scale

BootHole is a vulnerability and associated malware technique that exploits flaws in bootloaders to bypass UEFI Secure Boot, enabling attackers to install persistent malware at the firmware level.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.