BootKitty
Bootkitty is a UEFI bootkit targeting Linux systems, specifically several Ubuntu versions, and is described in the sources collected here as the first publicly described UEFI bootkit for Linux. ESET identified it from a UEFI application uploaded to VirusTotal in November 2024 and assessed it as likely a proof of concept rather than an operational threat, with no evidence of in-the-wild deployment at the time of analysis. Some reporting also notes that it has been tracked as IranuKit.
Its stated capabilities include disabling Linux kernel signature verification, patching integrity-verification functions in memory, replacing the boot loader, patching the Linux kernel before execution, and preloading two unknown ELF binaries through the Linux init process. By executing before the operating system starts, it could give an attacker control of the affected machine. ESET also identified a potentially related unsigned kernel module, BCDropper, which drops an ELF program used to load another unknown kernel module.
The content consistently states that the observed Bootkitty EFI component was self-signed. ESET therefore reported that it cannot run on systems where UEFI Secure Boot is properly enabled and enforced. Some additional reporting in the content associates Bootkitty with exploitation of the LogoFAIL UEFI firmware vulnerability, CVE-2023-40238, via improper BMP parsing in the BmpDecoderDxe module. In that described chain, tampered BMP files such as logofail.bmp carry shellcode that injects rogue certificates into MokList to influence Secure Boot trust during early boot. However, the strongest common reporting across the content is that the analyzed sample itself was self-signed and not observed as an in-the-wild Secure Boot bypass.
The targeting described in the sources is Linux, mainly Ubuntu and related distributions. Bootkitty is discussed alongside other UEFI bootkits such as BlackLotus as evidence that firmware-level bootkit activity is no longer limited to Windows. Reported detection details include that systems booted with Bootkitty showed the Linux kernel as tainted in ESET’s testing. On systems with UEFI Secure Boot enabled, attempting to load an unsigned dummy kernel module at runtime may indicate compromise if the module loads successfully. If the bootkit was deployed as /EFI/ubuntu/grubx64.efi, remediation may involve restoring /EFI/ubuntu/grubx64-real.efi to /EFI/ubuntu/grubx64.efi. The sources also recommend enabling Secure Boot and keeping firmware, operating systems, security software, and UEFI revocation lists up to date.
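The three host-side indicators above (kernel taint, Secure Boot state, and the displaced grubx64-real.efi loader) can be checked together with a small triage script. This is an added example, not ESET's or Mallory's tooling; it assumes a Linux host with the ESP mounted at /boot/efi and efivarfs at /sys/firmware/efi/efivars, and takes the taint-bit meanings from the kernel's Documentation/admin-guide/tainted-kernels.rst.

```python
"""Triage the Bootkitty host indicators described in the summary (added example)."""
from pathlib import Path
from typing import Optional

TAINT_OUT_OF_TREE = 1 << 12   # 'O': an out-of-tree module was loaded
TAINT_UNSIGNED = 1 << 13      # 'E': an unsigned module was loaded
SB_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"  # global EFI variable
WATCHED = ("grubx64.efi", "grubx64-real.efi")               # paths named by ESET

def collect(efivars: Path = Path("/sys/firmware/efi/efivars"),
            esp: Path = Path("/boot/efi")) -> dict:
    """Gather raw observations only; all interpretation happens in assess()."""
    taint = int(Path("/proc/sys/kernel/tainted").read_text())
    try:
        sb_raw: Optional[bytes] = (efivars / SB_VAR).read_bytes()
    except OSError:
        sb_raw = None              # legacy BIOS boot or efivarfs not mounted
    ubuntu = esp / "EFI" / "ubuntu"
    present = {name for name in WATCHED if (ubuntu / name).exists()}
    return {"taint": taint, "sb_raw": sb_raw, "esp_files": present}

def assess(obs: dict) -> dict:
    """Turn observations into findings. efivarfs prefixes 4 attribute bytes;
    the SecureBoot payload is one byte, 1 meaning enforcing."""
    sb: Optional[bool] = None
    if obs["sb_raw"] is not None and len(obs["sb_raw"]) >= 5:
        sb = obs["sb_raw"][4] == 1
    findings = []
    if sb is False:
        findings.append("Secure Boot off: a self-signed EFI binary such as the "
                        "analysed sample would be accepted at boot")
    if obs["taint"] & TAINT_UNSIGNED:
        findings.append("taint E set: an unsigned module loaded, which an "
                        "enforcing Secure Boot kernel should have refused")
    if obs["taint"] & TAINT_OUT_OF_TREE:
        findings.append("taint O set: out-of-tree module loaded (the unsigned "
                        "BCDropper module ESET describes would do this)")
    if "grubx64-real.efi" in obs["esp_files"]:
        findings.append("grubx64-real.efi present: original loader may have been "
                        "displaced; verify grubx64.efi's signature and restore")
    return {"secure_boot": sb, "findings": findings}

if __name__ == "__main__":
    result = assess(collect())
    print("Secure Boot:", result["secure_boot"])
    for line in result["findings"] or ["no Bootkitty indicators found"]:
        print("-", line)
```

A hit on any single finding is not proof of Bootkitty (third-party drivers set taint O on clean hosts), so treat the output as a prompt to compare the loader against the distribution's signed copy.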
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Through such a vector, full-fledged UEFI bootkits such as BlackLotus or Bootkitty can be deployed even with Secure Boot enabled. | CVE-2024-7344, discovered by ESET researcher Martin Smolár, affects the Reloader UEFI application, a component of several recovery utilities: Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, CES NeoImpact. According to ESET, WASAY eRecoveryRX and SignalComputer HDD King are also affected.
This new threat exploits the LogoFAIL vulnerability (CVE-2023-40238), a UEFI firmware flaw, to bypass Secure Boot protections and inject malicious payloads. | Security researchers from Binarly and ESET have uncovered “Bootkitty,” the first-ever UEFI bootkit designed to target Linux systems. This new threat exploits the LogoFAIL vulnerability (CVE-2023-40238), a UEFI firmware flaw, to bypass Secure Boot protections and inject malicious payloads.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
Persistence
6 techniques
CVE-2026-50507 is a BitLocker bypass requiring physical access... Ten Secure Boot patches this month carry what CVSS calls “scope change,” meaning exploitation pushes past the vulnerable component into boot integrity, Virtual Secure Mode, and pre-OS execution.
Security researchers from Binarly and ESET have uncovered “Bootkitty,” the first-ever UEFI bootkit designed to target Linux systems.
In MITRE ATT&CK terms this is Bootkit (T1542.003) and System Firmware (T1542.001): persistence and stealth in the final stages of the chain.
It’ll then try to preload two unknown executables during the system startup process.
This rogue MokList enables the bootkit to be trusted by the system’s Secure Boot components, allowing it to load during the early boot process.
The bootkit’s main goal is to disable the kernel’s signature verification feature... Another way to tell whether the bootkit is present on the system with UEFI Secure Boot enabled is by attempting to load an unsigned dummy kernel module during runtime. If it’s present, the module will be loaded.
Privilege Escalation
3 techniques
This new threat exploits the LogoFAIL vulnerability (CVE-2023-40238), a UEFI firmware flaw, to bypass Secure Boot protections and inject malicious payloads.
Stealth
6 techniques
The bootkit is an advanced rootkit that is capable of replacing the boot loader and of patching the kernel ahead of its execution.
the shellcode restores the original instructions, hiding the exploit activity and effectively clearing all traces of the bootkit.
CVE-2026-50507 is a BitLocker bypass requiring physical access... Ten Secure Boot patches this month carry what CVSS calls “scope change,” meaning exploitation pushes past the vulnerable component into boot integrity, Virtual Secure Mode, and pre-OS execution.
Security researchers from Binarly and ESET have uncovered “Bootkitty,” the first-ever UEFI bootkit designed to target Linux systems.
Defense Impairment
3 techniques
The exploit uses embedded shellcode within a BMP image to bypass Secure Boot protections by injecting rogue certificates into the MokList variable.
In MITRE ATT&CK terms this is both Bootkit (T1542.003) for persistence and Code Signing Policy Modification (T1553.006) for defense evasion: Secure Boot is formally enabled, but in practice it has been bypassed.
The bootkit’s main goal is to disable the kernel’s signature verification feature... Another way to tell whether the bootkit is present on the system with UEFI Secure Boot enabled is by attempting to load an unsigned dummy kernel module during runtime. If it’s present, the module will be loaded.
Credential Access
1 technique
The bootkit’s main goal is to disable the kernel’s signature verification feature... Another way to tell whether the bootkit is present on the system with UEFI Secure Boot enabled is by attempting to load an unsigned dummy kernel module during runtime. If it’s present, the module will be loaded.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
UEFI bootkit referenced as an example payload that can be deployed through a signed vulnerable bootloader to gain persistence below the OS.
UEFI bootkit for Linux that uses a malicious EFI booter to hijack the boot process, attempts to disable Linux kernel signing, preloads loaders via init for persistence across reboots/reinstallations, and leverages LogoFAIL (BMP image parsing) to achieve firmware-level persistence and bypass Secure Boot by injecting rogue certificates into the MokList variable; can replace the boot loader and patch the kernel before execution.
UEFI bootkit targeting Linux (notably Ubuntu) that uses a malicious EFI booter to hijack the boot process, attempts to disable kernel signing, preloads loaders via init for persistence across reboots/reinstallations, and leverages LogoFAIL to achieve firmware-level persistence and bypass Secure Boot by injecting rogue certificates into the MokList variable; can replace the boot loader and patch the kernel before execution.
Bootkitty is a UEFI bootkit that bypasses Secure Boot, enabling attackers to persist below the OS and evade detection.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.