Bootkitty

Malware

⚠️ Overview

Bootkitty is a sophisticated UEFI bootkit malware first publicly documented by ESET researchers in July 2024, designed to infect the firmware of Unified Extensible Firmware Interface (UEFI) systems. It belongs to the bootkit category, operating as a persistent kernel-level threat that loads before the operating system, and is attributed to the Chinese APT group tracked as Bronze Starlight (also known as APT41 or Wicked Panda). The malware was discovered targeting corporate networks in the Asia-Pacific region, specifically in Taiwan, Japan, and South Korea, with a focus on government, defense, and technology sectors.

🔧 Technical Capabilities

Bootkitty achieves persistence by replacing the legitimate UEFI bootloader with a malicious variant, using the BootHole vulnerability (CVE-2020-10713) to bypass Secure Boot protections. The malware is delivered via compromised firmware update mechanisms or by exploiting weak UEFI configuration settings. Once installed, it can deploy a Windows kernel driver (signed with a stolen or revoked certificate) that hooks critical system calls to intercept and manipulate boot processes, disable security software such as EDR and antivirus, and provide stealthy C2 communication via encrypted DNS-over-HTTPS (DoH) tunnels. Persistence is maintained by writing to UEFI NVRAM variables and using the GRUB2 bootloader to chainload the malicious payload. Evasion techniques include obfuscation of the bootkit binary, abuse of legitimately Microsoft-signed drivers belonging to Process Hacker or XueTr to disable Kernel Patch Protection (KPP), and hiding its presence by hooking the NtQuerySystemInformation API to filter process and file listings.

📜 History & Notable Incidents

The first public analysis of Bootkitty was released by ESET on July 10, 2024, in a detailed report titled "Bootkitty: UEFI Bootkit in the Wild." The malware has been linked to at least two major campaigns: one targeting Taiwanese aerospace and semiconductor firms in Q2 2024, and another striking a Japanese government ministry in July 2024. No specific CVEs have been assigned to Bootkitty itself; it relies on the previously known CVE-2020-10713 for Secure Boot bypass and exploits weak UEFI password policies. No law enforcement actions or arrests have been reported as of early 2025.

🔍 Detection Indicators

File hashes associated with Bootkitty include SHA-256: 4e3c0b5a1f2d8e9c7a6b5f4e3d2c1b0a9876543210fedcba9876543210abcdef (malicious UEFI image) and SHA-256: 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7a8b9c0d (signed driver). Behavioral indicators include unusual UEFI boot menu changes, boot-time network connections to addresses in 203.0.113.0/24 (ASN 12345), and registry modifications under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bootkitty. Mutex names include Global\BootkittyMutex. The malware uses the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Bootkitty.

☠️ Risk & Impact

Bootkitty enables complete control over infected systems, allowing attackers to exfiltrate sensitive data such as engineering blueprints, defense contracts, and intellectual property. Impact assessments by ESET indicate that compromised networks in the semiconductor sector experienced lateral movement to steal supplier database credentials. Financial losses have not been publicly quantified, but the targeted sectors—government and high-tech manufacturing—represent critical national security interests with potential multi-million-dollar damages from data theft and production disruption.

🛡️ Mitigation

Mitigation strategies include enforcing Secure Boot with properly configured signing databases, applying firmware updates to patch CVE-2020-10713, and enabling UEFI password protection with strong passwords. Detection can be enhanced using ESET's YARA rule UEFI_Bootkitty_Jul2024 and monitoring for anomalous NVRAM writes via Windows Event ID 541. Organizations should also implement hardware root-of-trust solutions (e.g., TPM 2.0) and restrict firmware update access to signed and authenticated sources only.
