4/17 (Thu.) 11:00 - 11:30 4F 4B

From Boot to Breach: Analyzing UEFI Bootkit Attack Techniques

Since LoJax, the first UEFI Bootkit found in the wild, was reported in 2018, a wave of similar threats has emerged, including MosaicRegressor, TrickBot's TrickBoot module, FinSpy, ESPecter, MoonBounce, CosmicStrand, and BlackLotus, which was sold on dark web marketplaces in 2022 and open-sourced in 2023. This trend highlights the growing threat that UEFI Bootkits pose.

This presentation will provide an overview of Bootkit-related research, starting with fundamental UEFI background knowledge before focusing on how attackers bypass Secure Boot to execute malicious EFI applications and achieve persistence. Unlike BYOVD (Bring Your Own Vulnerable Driver) attacks, which need a running operating system to load the driver, Bootkits intervene at the earliest stage of system startup, before the OS kernel and its security components have been initialized. Additionally, Bootkits that write to the SPI flash holding the firmware itself persist even after the operating system is reinstalled or the disk is replaced.

The session will also analyze the technical aspects of these attacks, including methods for bypassing security mechanisms and execution techniques during the Boot Loader phase. Potential detection and defense strategies will be explored as well. Traditional antivirus solutions load only after the boot chain has already run, so they struggle to counter threats at the boot stage; however, attack preparation activities (such as writing to the EFI System Partition or changing boot variables) and post-exploitation behaviors provide crucial detection opportunities. By shedding light on these threats, this presentation aims to raise awareness of UEFI Bootkits and their impact on modern cybersecurity.
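One concrete preparation artifact of the kind mentioned above is a change to the firmware's boot entries: an attacker who wants their own EFI application to run at startup has to get it into the boot path, and that is visible from the OS as Boot#### and BootOrder variables. The example below is added here and is not code from the talk or from TeamT5; it parses the UEFI EFI_LOAD_OPTION structure (attributes, CHAR16 description, device-path list, optional data) as defined in the UEFI specification, and flags active entries whose file path is not in an allowlist. The allowlist, the variable contents and the rogue path `\EFI\Microsoft\Boot\bootload.efi` are all constructed for the example.

```python
"""Parse UEFI Boot#### load options and flag unexpected boot entries.
Added example; the variable contents are constructed in code, not read
from a real machine."""
import struct

# UEFI spec device-path constants: Media Device Path (type 4) with
# File Path sub-type (4), and End of Entire Device Path (0x7F / 0xFF).
MEDIA_DEVICE_PATH = 0x04
MEDIA_FILEPATH_DP = 0x04
END_DEVICE_PATH_TYPE = 0x7F
END_ENTIRE_DEVICE_PATH_SUBTYPE = 0xFF
LOAD_OPTION_ACTIVE = 0x00000001

# Assumed allowlist for this example environment: a stock Windows install
# plus the removable-media fallback loader. Adjust for real hosts.
EXPECTED_LOADERS = {
    r"\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI",
    r"\EFI\BOOT\BOOTX64.EFI",
}


def _utf16z(text: str) -> bytes:
    """CHAR16 string with its 2-byte NUL terminator."""
    return text.encode("utf-16-le") + b"\x00\x00"


def build_load_option(description: str, file_path: str,
                      attributes: int = LOAD_OPTION_ACTIVE,
                      optional_data: bytes = b"") -> bytes:
    """Encode an EFI_LOAD_OPTION with one File Path device-path node."""
    body = _utf16z(file_path)
    path_node = struct.pack("<BBH", MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP,
                            4 + len(body)) + body
    end_node = struct.pack("<BBH", END_DEVICE_PATH_TYPE,
                           END_ENTIRE_DEVICE_PATH_SUBTYPE, 4)
    path_list = path_node + end_node
    return (struct.pack("<IH", attributes, len(path_list))
            + _utf16z(description) + path_list + optional_data)


def parse_load_option(data: bytes) -> dict:
    """Decode an EFI_LOAD_OPTION, walking the device-path list node by node."""
    attributes, path_list_len = struct.unpack_from("<IH", data, 0)
    off = 6
    # Description is NUL-terminated CHAR16: scan in 2-byte units so a NUL
    # byte inside a character is not mistaken for the terminator.
    desc_end = off
    while data[desc_end:desc_end + 2] != b"\x00\x00":
        desc_end += 2
        if desc_end >= len(data):
            raise ValueError("unterminated description")
    description = data[off:desc_end].decode("utf-16-le")
    off = desc_end + 2
    path_end = off + path_list_len
    if path_end > len(data):
        raise ValueError("FilePathListLength exceeds variable size")
    file_paths = []
    while off < path_end:
        ntype, subtype, length = struct.unpack_from("<BBH", data, off)
        if length < 4:
            raise ValueError("malformed device path node")
        node_body = data[off + 4:off + length]
        if ntype == MEDIA_DEVICE_PATH and subtype == MEDIA_FILEPATH_DP:
            file_paths.append(node_body.decode("utf-16-le").rstrip("\x00"))
        off += length
        if (ntype, subtype) == (END_DEVICE_PATH_TYPE,
                                END_ENTIRE_DEVICE_PATH_SUBTYPE):
            break
    return {"active": bool(attributes & LOAD_OPTION_ACTIVE),
            "description": description,
            "file_paths": file_paths,
            "optional_data": data[path_end:]}


def parse_boot_order(data: bytes) -> list:
    """BootOrder is an array of UINT16 option numbers; the first boots first."""
    count = len(data) // 2
    return list(struct.unpack("<%dH" % count, data[:count * 2]))


def suspicious_boot_entries(variables: dict, expected=EXPECTED_LOADERS) -> list:
    """Return (option number, description, path) for every active entry in
    BootOrder whose loader path is not allowlisted, in firmware boot order."""
    findings = []
    for num in parse_boot_order(variables.get("BootOrder", b"")):
        raw = variables.get("Boot%04X" % num)
        if raw is None:
            continue
        opt = parse_load_option(raw)
        if not opt["active"]:
            continue
        for path in opt["file_paths"]:
            if path.upper().replace("/", "\\") not in expected:
                findings.append((num, opt["description"], path))
    return findings


# Constructed sample: the genuine Windows entry, plus a second entry that
# reuses its description, points at an unexpected loader, and was moved to
# the front of BootOrder.
SAMPLE_VARIABLES = {
    "BootOrder": struct.pack("<2H", 0x0003, 0x0000),
    "Boot0000": build_load_option("Windows Boot Manager",
                                  r"\EFI\Microsoft\Boot\bootmgfw.efi",
                                  optional_data=b"WINDOWS"),
    "Boot0003": build_load_option("Windows Boot Manager",
                                  r"\EFI\Microsoft\Boot\bootload.efi"),
}

if __name__ == "__main__":
    for hit in suspicious_boot_entries(SAMPLE_VARIABLES):
        print("Boot%04X %r -> %s" % hit)
```

On Linux the same payloads can be read from /sys/firmware/efi/efivars (each file there carries four bytes of variable attributes before the EFI_LOAD_OPTION, which must be skipped); on Windows they are reachable through GetFirmwareEnvironmentVariable with the EFI global variable GUID. A clean result is only evidence about preparation and persistence artifacts, not proof of a clean machine: a Bootkit that already controls the firmware can present whatever variables it likes.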

Zeze
SPEAKER
TeamT5
Research Engineer

TOPIC / TRACK
Threat Research Forum
Live Translation Session

LOCATION
Taipei Nangang Exhibition Center, Hall 2
4F 4B

LEVEL
Advanced
Advanced sessions explore cybersecurity topics, including architecture, tools, practical experiences, and strategy comparisons. Content often features code explanations, protocol analysis, reverse engineering, live demos, and is suitable for experienced cybersecurity professionals.

SESSION TYPE
Breakout Session

LANGUAGE
Chinese
Real-Time Chinese & English Translation

SUBTOPIC
Firmware Security
Threat Research
APT