ESET Research Podcast: Discovering the mythical BlackLotus bootkit


A story about how game cheat analysis turned into discovery of a powerful UEFI threat

Towards the end of 2022, an unknown threat actor was boasting on underground forums that they had created a new and powerful UEFI bootkit called BlackLotus. Its most distinctive feature? It can bypass UEFI Secure Boot – a feature built into all modern computers to prevent them from running unauthorized software.

What at first sounded like a myth – especially on a fully updated Windows 11 system – turned into a reality months later, when ESET researchers found a sample that perfectly matched this key feature as well as all the other attributes of the advertised bootkit.

In this episode of the ESET Research podcast, ESET Honored Researcher and host of this podcast Aryeh Goretsky talks with ESET Malware Researcher Martin Smolár about how he discovered the threat and what the main findings of his analysis are.

During the discussion, Martin revealed that he initially thought of the BlackLotus sample as a game cheat and described the moment when he realized he had encountered something much more dangerous. To avoid common misunderstandings, Martin also explains the difference between malicious UEFI firmware implants and threats that target “only” EFI partitions. To make the information actionable for our listeners, the final section of the discussion explores preventing and mitigating UEFI attacks.

For more details such as who might be affected by BlackLotus or how threat actors got their hands on bootkits, listen to all episodes of the ESET Research podcast on Spotify, Google Podcasts, Apple Podcasts or PodBean. And if you like what you hear, subscribe for more.

