Threat Actor

BlackLotus

blacklotus · commercial_cybercrime_uefi_bootkit · active since 2022-10

BlackLotus (canonical bootkit naming per the ESET March 1, 2023 WeLiveSecurity disclosure by Martin Smolár, "BlackLotus UEFI Bootkit: Myth Confirmed") is a commercial UEFI bootkit. It is operationally significant as the first publicly-known UEFI bootkit bypassing UEFI Secure Boot on fully-patched Windows 11 systems and as the first commercial UEFI bootkit category cluster in the publicly-tracked UEFI bootkit ecosystem. It is operationally distinct from the sibling nation-state-attributed UEFI bootkit clusters CosmicStrand + MosaicRegressor + MoonBounce (all curated separately) through its commercial dark-web sales business model: sold on underground hacking forums since at least October 2022 at a $5,000 base price plus $200 per new subsequent version (per ESET + Kaspersky's Sergey Lozhkin, October 2022 identification).

Signature exploitation of CVE-2022-21894 (Baton Drop, Secure Boot Security Feature Bypass Vulnerability), the cluster-defining exploit chain: Microsoft patched it in the January 2022 Patch Tuesday, but the affected validly-signed binaries were not added to the UEFI revocation list, operationally enabling BlackLotus to bring its own copies of legitimate-but-vulnerable signed binaries via a Bring Your Own Vulnerable Driver (BYOVD) approach (signature vulnerable signed boot manager rollback mechanism).

Signature Machine Owner Key (MOK) enrollment persistence: writes its own MOK to the MokList Boot-services-only NVRAM variable and uses the legitimate Microsoft-signed shim to load the self-signed UEFI bootkit instead of exploiting the vulnerability on every boot.

Signature OS security mechanism disablement capability: BitLocker + HVCI (Hypervisor-protected Code Integrity) + Windows Defender disablement (per ESET + Microsoft + Intel 471).

Compact 80KB Assembly + C implementation with anti-removal Ring0/Kernel protection + ESP file handle protection + BSOD trigger on handle close attempts + anti-VM + anti-debug + code obfuscation analysis-evasion features (per ESET); EFI System Partition (ESP) deployment + privileged/physical access deployment requirement (not an initial access vector; operationally complements other vectors as a persistence + defense-evasion mechanism, per Microsoft).

HTTP downloader user-mode payload + kernel driver post-exploitation infrastructure with HTTPS C2 communication, downloading of additional kernel drivers/DLLs/executables, fetching of bootkit updates and an uninstall capability for the bootkit.

Signature post-Soviet geofencing operator OPSEC tradecraft (avoids Armenia + Belarus + Kazakhstan + Moldova + Romania + Russia + Ukraine, operationally suggesting Russian-speaking developer operational security considerations). Remediation timeline: Microsoft canonical April 11, 2023 investigation guidance; Microsoft CVE-2023-24932 May 2023 follow-on revocation patch addressing the BYOVD vulnerable boot manager rollback; NSA canonical BlackLotus Mitigation Guide June 22, 2023 (CSI U/OO/167397-23); Microsoft Secure Boot trust anchor DBX update wave April 2024+, a multi-year remediation effort.

Per Eclypsium's Scott Scheferman, BlackLotus "represents a significant advancement in terms of ease of use, scalability, accessibility, and potential impact in terms of persistence, evasion, and destruction", operationally enabling non-nation-state-tier cybercriminals to acquire UEFI bootkit capability at a $5K price point and fundamentally lowering barriers to UEFI bootkit deployment that previously required state-actor-tier capability investment.

fills the 4th UEFI/firmware bootkit cell in the curated corpus following CosmicStrand (1st) + MosaicRegressor (2nd) + MoonBounce (3rd), operationally significant as the canonical "first publicly-known UEFI bootkit bypassing Secure Boot on fully-patched Windows 11" industry reference point + first commercial UEFI bootkit category baseline.

ongoing dark-web availability through 2022-2026 period despite Microsoft + NSA mitigation efforts illustrates UEFI bootkit patch-deployment lag vulnerability windows that persist even after sophisticated mitigation engineering by vendor + government partners.

Classification: commercial_cybercrime_uefi_bootkit · confidence: high · 15 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 2

Profile

BlackLotus (canonical bootkit naming per the ESET March 1, 2023 WeLiveSecurity disclosure by Martin Smolár, "BlackLotus UEFI Bootkit: Myth Confirmed") is a commercial UEFI bootkit. It is operationally significant as the first publicly-known UEFI bootkit bypassing UEFI Secure Boot on fully-patched Windows 11 systems and as the first commercial UEFI bootkit category cluster in the publicly-tracked UEFI bootkit ecosystem, operationally distinct from the sibling nation-state-attributed UEFI bootkit clusters (CosmicStrand + MosaicRegressor + MoonBounce, all curated separately) through its commercial dark-web sales business model. It first emerged in advertising on underground hacking forums in October 2022 (per Kaspersky's Sergey Lozhkin) at a $5,000 base price plus $200 per new subsequent version, and remains operationally available through the 2022-2026 period despite Microsoft + NSA mitigation efforts.

Operational phases:
  • (1) CVE-2022-21894 BATON DROP MICROSOFT PATCH (January 2022). Patch released, but the affected validly-signed binaries were not added to the UEFI revocation list, operationally enabling subsequent BYOVD exploitation.
  • (2) BLACKLOTUS HACKING FORUM EMERGENCE (October 2022). Sergey Lozhkin first identifies BlackLotus advertising.
  • (3) ESET CANONICAL DISCLOSURE (March 1, 2023). Martin Smolár's comprehensive "Myth Confirmed" analysis published.
  • (4) MICROSOFT INVESTIGATION GUIDANCE (April 11, 2023). Microsoft Security Blog analyst-facing guidance.
  • (5) MICROSOFT CVE-2023-24932 PATCH (May 2023). Follow-on revocation patch addressing the BYOVD vulnerable boot manager rollback.
  • (6) NSA BLACKLOTUS MITIGATION GUIDANCE (June 22, 2023). Canonical US Government mitigation framework.
  • (7) SECURE BOOT TRUST ANCHOR DBX UPDATE WAVE (April 2024+). Multi-year remediation effort.
  • (8) ONGOING DARK-WEB AVAILABILITY (2022-2026). Continues to be available on hacking forums.

Signature operational tradecraft
  • First publicly-known UEFI bootkit bypassing Secure Boot on fully-patched Windows 11 (cluster-defining): per ESET, operationally distinct cluster-defining capability.
  • Commercial cybercrime origin (signature): $5,000 base + $200 per version on dark-web hacking forums, operationally distinct from nation-state-attributed sibling clusters.
  • CVE-2022-21894 Baton Drop exploitation (cluster-defining): signature Secure Boot Security Feature Bypass Vulnerability exploitation. Microsoft patched January 2022, but the affected validly-signed binaries were not added to the UEFI revocation list.
  • Bring Your Own Vulnerable Driver (BYOVD) approach (signature): brings its own copies of legitimate-but-vulnerable signed binaries to the system to exploit the vulnerability.
  • Machine Owner Key (MOK) enrollment persistence (signature): writes its own MOK to the MokList Boot-services-only NVRAM variable. Uses the legitimate Microsoft-signed shim to load the self-signed UEFI bootkit instead of exploiting the vulnerability on every boot.
  • OS security mechanisms disablement (signature): BitLocker + HVCI + Windows Defender disablement capability.
  • Compact 80KB Assembly + C implementation (signature): operationally efficient bootkit footprint.
  • Anti-removal + anti-VM + anti-debug + code obfuscation (signature): Ring0/Kernel protection + handle protection + BSOD trigger on handle close attempts.
  • EFI System Partition (ESP) deployment: malicious files deployed to the ESP are launched by the UEFI firmware.
  • Privileged/physical access deployment requirement: not an initial access vector; operationally complements other vectors as a persistence + defense-evasion mechanism.
  • HTTP downloader user-mode payload + kernel driver (signature): HTTPS C2 communication + downloading additional payloads + uninstalling the bootkit.
  • Post-Soviet geofencing tradecraft (signature): avoids Armenia + Belarus + Kazakhstan + Moldova + Romania + Russia + Ukraine, operationally suggesting Russian-speaking developer OPSEC tradecraft.

The cluster fills the 4th UEFI/firmware bootkit cell in this curated corpus following cosmicstrand_uefi (1st) + mosaicregressor (2nd) + moonbounce (3rd). Operationally significant as the canonical "first publicly-known UEFI bootkit bypassing Secure Boot on fully-patched Windows 11" industry reference point + first commercial UEFI bootkit category baseline.

Aliases

15 aliases: blacklotus, black_lotus, black lotus, blacklotus_uefi_bootkit, baton_drop, baton drop, cve_2022_21894, cve-2022-21894, cve_2023_24932, cve-2023-24932, blacklotus bootkit, blacklotus uefi, blacklotus windows 11 secure boot bypass, blacklotus 5000 dollar dark web bootkit, first uefi bootkit bypass secure boot windows 11

Notable Campaigns

8 campaigns
  • 2024+ · Secure Boot Trust Anchor + DBX Update Wave (April 2024+)
  • 2023 · BlackLotus ESET Canonical Disclosure (March 1, 2023)
  • 2023 · Microsoft BlackLotus Investigation Guidance (April 11, 2023)
  • 2023 · Microsoft CVE-2023-24932 Revocation Patch (May 2023)
  • 2023 · NSA BlackLotus Mitigation Guidance (June 22, 2023)
  • 2022-2026 · Ongoing BlackLotus Dark-Web Availability (2022-2026)
  • 2022 · CVE-2022-21894 Baton Drop Microsoft Patch (January 2022)
  • 2022 · BlackLotus First Hacking Forum Advertising (October 2022)

Attribution & Reporting

Attributed by
  • ESET WeLiveSecurity (canonical March 1, 2023 disclosure, Martin Smolár)
  • Kaspersky (Sergey Lozhkin, October 2022 first identification of BlackLotus advertising)
  • Microsoft Security Response Center (CVE-2022-21894 patch January 2022 + CVE-2023-24932 follow-on May 2023)
  • Microsoft Threat Intelligence Center (Guidance for investigating attacks using CVE-2022-21894, The BlackLotus campaign, April 11, 2023)
  • US National Security Agency NSA (canonical BlackLotus Mitigation Guide June 22, 2023, CSI U/OO/167397-23)
  • Eclypsium (Scott Scheferman industry analysis)
  • The Hacker News
  • Dark Reading
  • SOC Prime
  • Polyswarm (industry analysis)
  • Intel 471
  • DarkRelay
  • GBHackers
Key reporting
  • ESET WeLiveSecurity (Martin Smolár): BlackLotus UEFI Bootkit, Myth Confirmed (March 1, 2023), canonical BlackLotus first public analysis
  • Microsoft Threat Intelligence Center: Guidance for investigating attacks using CVE-2022-21894, The BlackLotus campaign (April 11, 2023), canonical Microsoft investigation guidance
  • US National Security Agency NSA: BlackLotus Mitigation Guide CSI U/OO/167397-23 PP-23-1628 (June 22, 2023), canonical US Government mitigation framework
  • Microsoft Windows IT Pro blog: Revoking vulnerable Windows boot managers (CVE-2023-24932 May 2023 + DBX update wave April 2024)
  • Kaspersky (Sergey Lozhkin): BlackLotus first identification October 2022, sophisticated crimeware solution assessment
  • Eclypsium (Scott Scheferman): BlackLotus industry impact analysis
  • The Hacker News: BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11 (March 2023)
  • Polyswarm: BlackLotus UEFI Bootkit threat bulletin (March 2023)
  • Intel 471: Navigating the BlackLotus Threat (industry analysis)
  • SOC Prime: BlackLotus UEFI Bootkit Detection, Sigma rules (March 2023)
  • MITRE ATT&CK Software: BlackLotus
  • Malpedia Software Profile: BlackLotus

Operational

State sponsor

Commercial cybercrime / private-sector offensive capability vendor, operationally distinct from sibling UEFI/firmware bootkit clusters through commercial dark-web sales business model rather than nation-state-attributed origin. Operationally one of the relatively few publicly-tracked UEFI bootkits with commercial cybercrime origin (most publicly-known UEFI bootkits are attributed to nation-state APT clusters per industry analysis). Operational pricing + distribution: per ESET + The Hacker News + multiple convergent sources: BlackLotus offered for sale on underground hacking forums since at least October 2022 at $5,000 base price with $200 per new subsequent version.

Per ESET research: "the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022." Initial public attention: Kaspersky security researcher Sergey Lozhkin first identified BlackLotus advertising on hacking forums in October 2022 and described it as a sophisticated crimeware solution. Per the Microsoft + The Hacker News retrospective: "Details about BlackLotus first emerged in October 2022, with Kaspersky security researcher Sergey Lozhkin describing it as a sophisticated crimeware solution." Per Eclypsium's Scott Scheferman: BlackLotus "represents a significant advancement in terms of ease of use, scalability, accessibility, and potential impact in terms of persistence, evasion, and destruction." Canonical ESET disclosure: the Slovak cybersecurity company ESET (researcher Martin Smolár) published the canonical first public analysis on March 1, 2023, confirming the previously myth-status bootkit and providing a comprehensive technical analysis. The ESET title, "BlackLotus UEFI bootkit: Myth confirmed", is operationally significant for the industry pattern of skepticism prior to ESET's technical confirmation.

Operational developer attribution speculation: per industry analysis + the geofencing tradecraft signature pattern, BlackLotus contains geofencing capabilities to avoid infecting computers in Armenia + Belarus + Kazakhstan + Moldova + Romania + Russia + Ukraine, operationally consistent with the post-Soviet / former-CIS-countries operator OPSEC tradecraft pattern and suggesting Russian-speaking developer operational security considerations. Operationally distinct from sibling nation-state-attributed UEFI bootkit clusters, which typically do not exhibit such geofencing.

Operational capability + technical sophistication attribution at high confidence per multiple convergent sources:

(1) ESET canonical March 1, 2023 disclosure: Martin Smolár published the canonical comprehensive technical analysis "BlackLotus UEFI Bootkit: Myth Confirmed" on WeLiveSecurity. Per ESET: "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality." Per Martin Smolár: "the first publicly known UEFI bootkit bypassing the essential platform security feature, UEFI Secure Boot, is now a reality."

(2) CVE-2022-21894 Baton Drop signature exploitation (cluster-defining): per ESET: "BlackLotus, in a nutshell, exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to get around UEFI Secure Boot protections and set up persistence." Per Martin Smolár: "It exploits a more than one year old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability." Microsoft patched CVE-2022-21894 in the January 2022 Patch Tuesday, but the affected validly-signed binaries were not added to the UEFI revocation list, operationally enabling BlackLotus to bring its own copies of legitimate-but-vulnerable signed binaries via a Bring Your Own Vulnerable Driver (BYOVD) approach.

(3) Bring Your Own Vulnerable Driver (BYOVD) approach (signature): per The Hacker News: "BlackLotus takes advantage of this, bringing its own copies of legitimate, but vulnerable, binaries to the system in order to exploit the vulnerability, effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks."

(4) Machine Owner Key (MOK) enrollment persistence (signature): per ESET, BlackLotus sets persistence by writing its own MOK to the MokList Boot-services-only NVRAM variable. By doing this, it can use a legitimate Microsoft-signed shim for loading its self-signed (signed by the private key belonging to the key written to MokList) UEFI bootkit instead of exploiting the vulnerability on every boot.

(5) OS security mechanisms disablement capability (signature): per ESET, BlackLotus is capable of disabling OS security mechanisms such as BitLocker + HVCI (Hypervisor-protected Code Integrity) + Windows Defender. Once installed, the bootkit's main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader responsible for communication with C&C and capable of loading additional user-mode or kernel-mode payloads.

(6) Compact 80KB Assembly + C implementation (signature): per The Hacker News: "Offered for sale at $5,000 (and $200 per new subsequent version), the powerful and persistent toolkit is programmed in Assembly and C and is 80 kilobytes in size."

(7) Anti-removal + anti-VM + anti-debug + code obfuscation features (signature): per ESET: "BlackLotus's advertisement on hacking forums claims that the bootkit has built-in Ring0/Kernel protection against removal." Per ESET verification: "Its kernel driver protects handles belonging to its files on the EFI System Partition (ESP) against closing. As an additional layer of protection, these handles are continuously monitored and a Blue Screen Of Death (BSOD) triggered if any of these handles are closed." Additional features: anti-virtual-machine + anti-debug + code obfuscation to block malware analysis attempts.

(8) EFI System Partition (ESP) deployment: per Microsoft + ESET: "The malware uses CVE-2022-21894 (also known as Baton Drop) to bypass Windows Secure Boot and subsequently deploy malicious files to the EFI System Partition (ESP) that are launched by the UEFI firmware."

(9) Privileged/physical access deployment requirement (signature): per Microsoft, BlackLotus "is not a first-stage payload or an initial access vector and can only be deployed to a device to which a threat actor has already gained either privileged access or physical access." Operationally significant for adversary modeling: BlackLotus complements other initial access vectors (phishing + perimeter device compromise + RAT deployment + etc.) as a persistence + defense-evasion mechanism rather than as an initial access vector.

(10) HTTP downloader user-mode payload + kernel driver (signature): post-exploitation, BlackLotus deploys a kernel driver (for elevated privilege + persistence) and an HTTP downloader user-mode payload (for C2 communication via HTTPS + downloading and executing additional kernel drivers + DLLs + regular executables + fetching bootkit updates + uninstalling the bootkit from the infected system).

Operational classification: commercial cybercrime UEFI bootkit representing the first publicly-known commercial UEFI bootkit category, operationally distinct from sibling nation-state-attributed UEFI bootkit clusters through its commercial dark-web sales business model. Operationally significant evolution in UEFI bootkit ecosystem accessibility; per Eclypsium's Scott Scheferman, it "represents a significant advancement in terms of ease of use, scalability, accessibility, and potential impact." Operationally enabled non-nation-state-tier cybercriminals to acquire UEFI bootkit capability at a $5K price point, fundamentally lowering barriers to UEFI bootkit deployment that previously required state-actor-tier capability investment.

The cluster fills the 4th UEFI/firmware bootkit cell in this curated corpus following cosmicstrand_uefi (1st) + mosaicregressor (2nd) + moonbounce (3rd). Operationally significant as the canonical "first publicly-known UEFI bootkit bypassing Secure Boot on fully-patched Windows 11" industry reference point + first commercial UEFI bootkit category baseline.
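The MOK enrollment persistence described in item (4) leaves a durable, inspectable artifact: an extra key in the list that shim consults before loading a binary. The script below is an added defender-side example, not code from the page or from any of the vendor reports it cites. It parses the EFI_SIGNATURE_LIST chain in which MokList is stored, fingerprints every enrolled X.509 entry, and flags anything outside an allowlist of keys the organisation expects (a distribution's MOK, a locally enrolled DKMS key). Assumptions not taken from the page: the EFI_SIGNATURE_LIST layout and the EFI_CERT_X509/EFI_CERT_SHA256 GUIDs follow the UEFI specification; since MokList itself is Boot-services-only, the script reads the runtime mirror MokListRT that shim exposes on Linux under efivarfs (shim behaviour, not stated on the page); the allowlist, the sample certificates and the `sample_moklist` data are constructed placeholders, not real DER certificates.

```python
"""Audit the Machine Owner Key list that shim trusts at boot (added example)."""
import hashlib
import os
import struct
import uuid

# GUIDs from the UEFI specification and the shim project (assumptions, not from the page).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
EFIVARS_DIR = "/sys/firmware/efi/efivars"
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Walk a chain of EFI_SIGNATURE_LIST structures.

    Returns (signature_type, owner_guid, signature_data) tuples. Any size field
    that does not fit the buffer raises ValueError so a malformed variable is
    reported instead of being silently truncated or looping forever.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        body_start = off + SIGLIST_HEADER.size + hdr_size
        body_end = off + list_size
        if body_end > len(blob) or body_start > body_end or sig_size < 16:
            raise ValueError("invalid size fields in EFI_SIGNATURE_LIST at offset %d" % off)
        if (body_end - body_start) % sig_size:
            raise ValueError("body is not a multiple of SignatureSize at offset %d" % off)
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])      # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, signatures):
    """Serialise one EFI_SIGNATURE_LIST; used here only to construct test input."""
    if not signatures or any(len(s) != len(signatures[0]) for s in signatures):
        raise ValueError("a list needs one or more entries of identical size")
    body = b"".join(owner.bytes_le + s for s in signatures)
    header = SIGLIST_HEADER.pack(sig_type.bytes_le, SIGLIST_HEADER.size + len(body),
                                 0, 16 + len(signatures[0]))
    return header + body


def audit_moklist(blob, expected_fingerprints):
    """Classify each enrolled entry. X.509 certificates are fingerprinted with
    SHA-256 and compared to the allowlist; raw hash entries and unknown types are
    always flagged, because a bootkit signing key should never appear here."""
    findings = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            fp = hashlib.sha256(data).hexdigest()
            status = "expected" if fp in expected_fingerprints else "UNEXPECTED"
            findings.append({"kind": "x509", "owner": str(owner), "fingerprint": fp, "status": status})
        elif sig_type == EFI_CERT_SHA256_GUID:
            findings.append({"kind": "sha256", "owner": str(owner), "fingerprint": data.hex(), "status": "UNEXPECTED"})
        else:
            findings.append({"kind": str(sig_type), "owner": str(owner), "fingerprint": data.hex(), "status": "UNEXPECTED"})
    return findings


def read_efivar(name, guid=SHIM_LOCK_GUID, efivars_dir=EFIVARS_DIR):
    """Read a variable from efivarfs; the first 4 bytes are the attribute word, not data."""
    with open(os.path.join(efivars_dir, "%s-%s" % (name, guid)), "rb") as f:
        return f.read()[4:]


def sample_moklist():
    """Constructed MokListRT contents: one approved cert, one unknown cert, one raw hash."""
    approved = b"CONSTRUCTED-DER-CERT-approved-distro-mok"
    rogue = b"CONSTRUCTED-DER-CERT-unknown-self-signed-key"   # different length, so its own list
    raw_hash = hashlib.sha256(b"constructed-binary").digest()
    owner = uuid.UUID(int=0)
    return (build_signature_list(EFI_CERT_X509_GUID, owner, [approved])
            + build_signature_list(EFI_CERT_X509_GUID, owner, [rogue])
            + build_signature_list(EFI_CERT_SHA256_GUID, owner, [raw_hash]))


# Constructed allowlist: fingerprints of the MOK certificates this fleet is expected to carry.
APPROVED_FINGERPRINTS = {hashlib.sha256(b"CONSTRUCTED-DER-CERT-approved-distro-mok").hexdigest()}

if __name__ == "__main__":
    try:
        blob = read_efivar("MokListRT")
    except OSError:
        blob = sample_moklist()   # no efivarfs on this host: audit the constructed sample instead
    for f in audit_moklist(blob, APPROVED_FINGERPRINTS):
        print("%-10s %-8s owner=%s %s" % (f["status"], f["kind"], f["owner"], f["fingerprint"]))
```

Run it as root on a Linux host that boots through shim and it reads MokListRT; anywhere else it falls back to the constructed sample and reports one expected certificate, one unexpected certificate and one raw hash entry. The useful operational signal is the diff against a known-good baseline taken at provisioning time: a key that appears in MokList without a matching change ticket is exactly the artifact the persistence mechanism above relies on.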
Motivations
first_commercial_uefi_bootkit_bypassing_secure_boot_capability_provision, cve_2022_21894_baton_drop_secure_boot_bypass_exploitation, byovd_bring_your_own_vulnerable_driver_secure_boot_bypass_approach, dark_web_hacking_forum_commercial_sales_business_model, cybercrime_uefi_persistence_capability_provision, bitlocker_hvci_windows_defender_disablement_capability, kernel_driver_anti_removal_persistence_protection, http_downloader_user_mode_payload_command_and_control, anti_vm_anti_debug_code_obfuscation_malware_analysis_evasion, post_soviet_geofencing_operator_opsec_tradecraft
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 55/60 (91%)
  • Analytics (MITRE CAR): 23/60 (38%)
  • Runtime / container (Falco): 7/60 (11%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 14/60 (23%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques; validate your detections against this specific adversary and cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Machine Owner Key (MOK) enrollment persistence
  • Microsoft-signed shim hijack for self-signed bootkit loading
  • MokList Boot-services-only NVRAM variable manipulation

CVEs Exploited

2: CVE-2022-21894 (Baton Drop), CVE-2023-24932
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin