BlackLotus Windows UEFI bootkit is being advertised on the dark web

BlackLotus Windows UEFI bootkit is being advertised on the dark web

A threat actor is selling on underground criminal forums a new UEFI bootkit that can disable or bypass security solutions and controls.

Dubbed “Black Lotus,” the bootkit comes with a slew of features, including anti-virtualization, anti-debugging, and code obfuscation, and can disable security applications and defense mechanisms on target machines, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The Windows bootkit can also bypass User Access Control (UAC) and secure boot mechanisms, load unsigned drivers, and can operate within an environment undetected for a long time, perhaps years, according to Eclypsium CTO Scott Scheferman.

“Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we've made (e.g. Trickbot's Trickboot module), this represents a bit of a 'leap' forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction,” Scheferman wrote in a blog post.

“It should be noted, too, that until we or someone obtains a sample of this malware and runs it on a close-to-production box in a lab, there is always the chance it isn't ready for show time yet, or certain aspects of its features aren't working right, or even the chance the entire thing is a scam. Of note, is that should this NOT be a scam, it may be indicative of a new boot loader vulnerability present across a wide distribution of device makers/types,” he added.

Written in Assembly and C, the bootkit is only 80 kilobytes on disk after installation and features geofencing, to avoid infecting countries in the CIS region. The tool is offered for sale at $5,000 per license, with additional $200 for new versions.


Back to the list

Latest Posts

Cyber Security Week in Review: July 4, 2025

Cyber Security Week in Review: July 4, 2025

In brief: Google patches Chrome 0Day, the US is on the hunt for North Korean IT workers, and more.
4 July 2025
AI chatbots fall for phishing scams

AI chatbots fall for phishing scams

The models provided the correct URL only 66% of the time; nearly 30% of responses pointed users to dead or suspended domains.
3 July 2025
Chinese hackers exploited Ivanti flaws in attacks against French government

Chinese hackers exploited Ivanti flaws in attacks against French government

ANSSI believes that the Houken campaign is operated by ‘UNC5174’, an entity believed to act as an initial access broker for China’s Ministry of State Security.
2 July 2025