Firmware and Bootloaders Under Attack as Hackers Target Pre-OS Environments

Hackers are escalating attacks on BIOS and bootloaders, exploiting pre-OS vulnerabilities to maintain persistence, evade detection, and bypass Secure Boot protections.

Security researchers at Eclypsium are warning that attackers are increasingly targeting firmware and the boot process to gain deep control over systems, bypass security defenses, and maintain persistence, even across operating-system reinstalls and, for implants stored in the firmware flash itself, disk replacement. These attacks exploit vulnerabilities in the Unified Extensible Firmware Interface (UEFI), bootloaders, and Secure Boot configurations, allowing adversaries to run malicious code before the OS or any security software initializes.

“Attackers are increasingly targeting the boot process and firmware to gain persistence, evade detection, and undermine platform security,” Eclypsium said in its latest report.

Attackers Exploit Known Vulnerabilities to Evade Detection and Bypass Secure Boot

Bootkits and boot-level attacks such as BlackLotus, BootHole, and EFILock have proven effective at compromising pre-OS environments. Because they execute before the operating system and its security tooling load, they hand the attacker control of the machine from the first instructions it runs. Eclypsium highlighted several examples:

• The BlackLotus bootkit exploited CVE-2022-21894 (“Baton Drop”) in the Windows Boot Manager, becoming the first bootkit seen in the wild that bypasses Secure Boot. It worked because the vulnerable, validly signed boot manager binaries had not yet been revoked in the forbidden-signature database (DBX), so the bootkit could simply bring its own copy.
• The BootHole flaw (CVE-2020-10713), a buffer overflow in the GRUB2 configuration parser used by Linux distributions, enabled arbitrary code execution in the bootloader even with Secure Boot enabled, because grub.cfg is parsed by a signed GRUB binary but is not itself signature-checked.
• The EFILock ransomware replaced legitimate bootloaders with malicious versions, locking users out and demanding a ransom to restore access.

Attackers also deploy persistent firmware implants such as LoJax and MosaicRegressor, which live in the SPI flash rather than on disk and therefore survive OS reinstalls and drive replacement, and TrickBoot, a TrickBot module that checks whether a target's firmware is writable so that such an implant can be planted.

Firmware Attacks Enable Complete Control and Deep Persistence

The UEFI firmware (still commonly called the BIOS) initializes the hardware and hands control to the bootloader. An attacker who compromises this stage runs before, and can subvert, every security layer that follows.

“An attacker controlling the boot process can subvert all higher-layer security controls, maintain deep persistence, and potentially evade detection by traditional security tools,” Eclypsium noted.

Bootloaders have grown more complex: they handle multiple storage types and file systems, support network booting, and offer interactive user interfaces. That complexity widens the attack surface, especially for memory safety vulnerabilities in the parsers that process this untrusted input.

Eclypsium said attackers frequently use storage devices, network interfaces, and console input as entry points into boot components, since each delivers attacker-controlled data that the bootloader must parse before any OS-level defense exists.

Secure Boot Weaknesses and Signature Policy Gaps Leave Systems Exposed

Secure Boot validates boot components by checking their signatures (or image hashes) against the platform's allowed (db) and forbidden (dbx) signature databases. Its effectiveness therefore depends on an up-to-date forbidden-signature database (DBX) and properly configured Secure Boot Advanced Targeting (SBAT) policies, the generation-number revocation scheme that shim uses to reject older vulnerable bootloader builds without adding each build's hash to DBX.

“Secure Boot only delivers on its security promise when DBX and SBAT policies are current and the platform is configured to enforce signature checks on all boot components,” Eclypsium warned.

The researchers found that systems with outdated DBX entries still trust bootloaders with known vulnerabilities. Attackers may remove DBX entries, downgrade boot components to a still-trusted but vulnerable version (as BlackLotus did with the Windows Boot Manager), or load unsigned binaries, all to bypass Secure Boot protections.

Attackers may also add the UEFI Shell to the boot order to gain an interactive pre-OS environment, from which EFI variables can be inspected and arbitrary EFI binaries launched before any OS security software is running.
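As an added example (not code from Eclypsium's report), the following Python shows what the two revocation checks above look like in practice: it parses a DBX blob in the EFI_SIGNATURE_LIST format defined by the UEFI specification and tests whether an image hash is revoked, and it applies the SBAT generation rule shim enforces against a SbatLevel policy. The DBX blob, the hashes, and the SBAT strings are constructed sample data; `read_efivar` assumes Linux efivarfs and is the only part that touches a real system.

```python
"""Offline DBX and SBAT revocation checks. Added example, not Eclypsium's code.
All blobs and strings below are constructed sample data, not real revocation lists."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI spec; .bytes_le gives the on-disk GUID layout.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_LIST_HEADER = 28  # GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def read_efivar(path: str) -> bytes:
    """Read a variable from Linux efivarfs, e.g.
    /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    or SbatLevel-605dab50-e046-4300-abb6-3dd810dd8b23. efivarfs prepends
    a 4-byte attribute word that is not part of the variable's data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (the db/dbx wire format).
    Size fields are validated because a malformed list is itself a boot-time
    parser attack surface."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HEADER + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size fields are inconsistent")
        pos, end = off + SIG_LIST_HEADER + hdr_size, off + list_size
        if sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("signature array does not divide evenly")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])   # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def dbx_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 image hashes revoked by a DBX blob (X.509 entries are ignored here).
    Note: these are Authenticode hashes of the PE image, not sha256 of the raw file."""
    return {data for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_hash_revoked(dbx_blob: bytes, image_hash: bytes) -> bool:
    return image_hash in dbx_sha256_hashes(dbx_blob)


def build_signature_list(sig_type: uuid.UUID, entries, owner=uuid.UUID(int=0)) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (used only to construct sample data)."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one list must be equal-sized")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, sig_size) + body


def parse_sbat_csv(text: str):
    """Parse SBAT CSV lines; only the first two fields (component, generation) matter."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries.append((fields[0], int(fields[1])))
    return entries


def sbat_check(image_sbat: str, sbat_level: str):
    """shim's rule: an image is rejected if it lacks a .sbat section, or if any of its
    components has a generation lower than the SbatLevel policy demands for that name."""
    image = parse_sbat_csv(image_sbat)
    if not image:
        return False, "image has no .sbat section"
    for name, min_gen in parse_sbat_csv(sbat_level):
        for comp, gen in image:
            if comp == name and gen < min_gen:
                return False, f"{comp} generation {gen} < required {min_gen}"
    return True, "ok"


# Constructed sample data (hashes are sha256 of placeholder strings, not real images).
REVOKED_HASH_A = hashlib.sha256(b"constructed: old vulnerable grubx64.efi").digest()
REVOKED_HASH_B = hashlib.sha256(b"constructed: old vulnerable bootmgfw.efi").digest()
PATCHED_HASH = hashlib.sha256(b"constructed: patched grubx64.efi").digest()
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, [REVOKED_HASH_A, REVOKED_HASH_B])
              + build_signature_list(EFI_CERT_X509_GUID, [b"constructed-not-a-real-DER-cert"]))
SAMPLE_SBAT_LEVEL = "sbat,1,2024010900\nshim,4\ngrub,3\n"
OLD_GRUB_SBAT = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
                 "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n")
NEW_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,2,", "grub,3,")

if __name__ == "__main__":
    print("old grub hash revoked:", is_hash_revoked(SAMPLE_DBX, REVOKED_HASH_A))
    print("patched grub hash revoked:", is_hash_revoked(SAMPLE_DBX, PATCHED_HASH))
    print("old grub SBAT:", sbat_check(OLD_GRUB_SBAT, SAMPLE_SBAT_LEVEL))
    print("new grub SBAT:", sbat_check(NEW_GRUB_SBAT, SAMPLE_SBAT_LEVEL))
```

Two points the code makes explicit: a DBX update only protects against a binary whose Authenticode hash (or signing certificate) is actually listed, which is why the downgrade attacks described above work against stale DBX contents, and SBAT revokes by component generation, so an image that lacks a .sbat section, or carries an old generation number, is refused regardless of whether its signature is valid.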

Remediation Requires Firmware Restoration and Continuous Monitoring

Eclypsium emphasized that removing such threats is difficult and goes beyond typical malware cleanup: reinstalling the OS or wiping the disk does not touch code that lives in the firmware flash or in a revoked-but-still-trusted bootloader.

“Remediation requires a combination of firmware restoration, Secure Boot enforcement, and ongoing monitoring—empowering defenders to reclaim the ‘home-field advantage’ and prevent attackers from creating their playing field at the firmware level,” the report said.

The company says it has enhanced its security platform to detect suspicious bootloader behavior and firmware-level threats, in response to the growing prevalence of these attacks across both enterprise and IoT environments.
