Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

ESET Discovers UEFI Bootkit in Cyber Espionage Campaign

Threat hunters at ESET are training the spotlight on a previously undocumented UEFI bootkit capable of hijacking the EFI System Partition (ESP) to maintain persistence on infected Windows machines.

Threat hunters at ESET are training the spotlight on a previously undocumented UEFI bootkit capable of hijacking the EFI System Partition (ESP) to maintain persistence on infected Windows machines.

The ESET discovery is the second real-world UEFI bootkit to be publicly documented in recent weeks, following Kaspersky’s report on a new Windows UEFI bootloader fitted into the FinSpy surveillance spyware product.

According to ESET researchers Anton Cherepanov and Martin Smolar, the malware has evaded detection for almost a decade and was engineered to bypass Windows Driver Signature Enforcement to load its own unsigned driver.

“We traced the roots of this threat back to at least 2012, previously operating as a bootkit for systems with legacy BIOSes,” the research team said, noting that the upgrade to UEFI went unnoticed and undocumented for many years. “The days of UEFI (Unified Extensible Firmware Interface) living in the shadows of the legacy BIOS are gone for good.”

ESET named the threat “ESPecter” and warned it is capable of injecting code to set up command-and-control server connections.

[ READ: FinSpy Surveillance Spyware Fitted With UEFI Bootkit ]

ESET, which sells anti-malware software to corporate customers around the world, said the bootkit was spotted on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities 

From the ESET report:

By patching the Windows Boot Manager, attackers achieve execution in the early stages of the system boot process, before the operating system is fully loaded. This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup. 

This driver then injects other user-mode components into specific system processes to initiate communication with ESPecter’s C&C server and to allow the attacker to take control of the compromised machine by downloading and running additional malware or executing C&C commands.

The researchers say they were not able to attribute ESPecter to any known threat actor, but noted there were signs of Chinese debug messages in the user-mode client component, a suggestion that an unknown Chinese-speaking threat actor may be behind this campaign.

“After all the years of insignificant changes, those behind ESPecter apparently decided to move their malware from legacy BIOS systems to modern UEFI systems. They decided to achieve this by modifying a legitimate Windows Boot Manager binary (bootmgfw.efi) located on the ESP while supporting multiple Windows versions spanning Windows 7 through Windows 10,” the team said.

[ READ: Russian Cyberspies Use UEFI Rootkit in Attacks ]

The persistence method only works if the Secure Boot feature in Windows is disabled, a reality on older versions of Microsoft’s operating system. 

For Windows OS versions that support Secure Boot, ESET said the attacker could disable the feature via an “evil maid” physical access attack or exploiting additional security vulnerabilities to expand the attack. 

“ESPecter shows that threat actors are relying not only on UEFI firmware implants when it comes to pre-OS persistence and, despite the existing security mechanisms like UEFI Secure Boot, invest their time into creating malware that would be easily blocked by such mechanisms, if enabled and configured correctly,” the researchers said.

Related: FinSpy Surveillance Spyware Fitted With UEFI Bootkit

Related: China-Linked Hackers Used UEFI Malware in Attacks

Related: Meet MBR-ONI, Bootkit Ransomware Used as a Targeted Wiper

Related: Russian Hackers Using Bootkit to Steal Payment Data

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...