Threat Actor

MoonBounce

moonbounce · china_apt · active since 2021-03

MoonBounce (canonical Kaspersky GReAT operational naming per January 20, 2022 Securelist + press release canonical disclosure by Mark Lechtik + Denis Legezo) is a UEFI firmware bootkit attributed with considerable confidence to APT41 (Chinese-speaking nation-state actor with cyberespionage and cybercrime mission profile since at least 2012, tracked separately in this curated corpus as apt41_wickedpanda also known as Wicked Panda + Barium + Bronze Atlas + Brass Typhoon + Winnti Group), operationally significant as the third publicly-known UEFI firmware bootkit in the wild per Kaspersky chronology (following LoJax ESET 2018 + MosaicRegressor Kaspersky October 2020) with operational deployment since spring 2021.

Its cluster-defining technical achievement is the existing-firmware-component modification approach. Per Mark Lechtik's canonical comparative statement: "while LoJax and MosaicRegressor utilised additions of DXE drivers, MoonBounce modifies an existing firmware component for a more subtle and stealthier attack." Specifically, MoonBounce modifies the benign CORE_DXE UEFI firmware component to introduce logic that loads malware during system startup while leaving the boot sequence intact.

Per Lechtik in Dark Reading: "MoonBounce is more sophisticated than LoJax and MosaicRegressor because of the very subtle nature of the binary level changes it makes to a benign UEFI component."

Signature memory-only boot sequence propagation with no disk traces (forensic-evasion tradecraft). Per Lechtik: "More notably it makes changes to boot sequence components in memory only, through which it allows malicious code to propagate into the operating system." It leaves no traces on disk, making attacks much stealthier than its predecessors.

Operationally deployed against a single high-profile entity for a long-term espionage mission per Kaspersky's operational assessment: the attack was "aimed at long term espionage against a high-profile entity", the implant provided "highly stealthy and persistent storage for malware in the system", and documented operator behaviour included lateral movement, exfiltration of data, archiving files and gathering network information.

SPI flash storage location: a non-volatile storage component external to the hard disk, so the implant survives OS reinstallation and hard disk replacement.

The attribution basis included other malware artifacts on the same victim system (the APT41-attributed ScrambleCross malware loader family, plus a low-confidence Microcin connection per Denis Legezo), significant for the toolset-sharing pattern among APT41 and other Chinese-speaking threat actors.

A previously unknown backdoor used a RESTful API C2 with a hardcoded IP address and a hypermedia directory path for information exchange, per The Stack.

Single publicly documented victim: the UEFI bootkit was found in only a single case per Kaspersky, with other affiliated malware on the networks of several other victims, consistent with a high-value-asset use pattern in which APT41 deploys MoonBounce only against its highest-priority targets.

Kaspersky Firmware Scanner technology, integrated into Kaspersky products since the beginning of 2019, enabled the MoonBounce discovery.

Fills the 3rd UEFI/firmware bootkit cell in the curated corpus, following CosmicStrand (1st) and MosaicRegressor (2nd) and preceding BlackLotus (4th). Significant as the canonical "third publicly-known UEFI firmware bootkit" and as the signature APT41 UEFI capability industry reference point, cited comparatively in the CosmicStrand (Kaspersky, July 2022), BlackLotus (ESET, March 2023) and NSA BlackLotus mitigation guidance (June 2023) disclosures.

china_apt · confidence: high · 13 aliases
Sigma rules: 200 · YARA rules: 6 · Live IOCs: 0 · CVEs exploited: 0

Profile

MoonBounce (canonical Kaspersky GReAT operational naming per January 20, 2022 Securelist + press release canonical disclosure by Mark Lechtik + Denis Legezo) is a UEFI firmware bootkit attributed with considerable confidence to APT41 (tracked separately in this curated corpus as apt41_wickedpanda), operationally significant as the third publicly-known UEFI firmware bootkit in the wild per Kaspersky chronology (following LoJax ESET 2018 + MosaicRegressor Kaspersky October 2020). Active in the wild since spring 2021 per Kaspersky timeline, operationally deployed against a single high-profile entity for a long-term espionage mission per Kaspersky operational assessment.

Operational phases:
  • (1) APT41 PREDECESSOR ACTIVITY (2012+): APT41 / Winnti / Wicked Panda nation-state cluster operations since at least 2012.
  • (2) KASPERSKY FIRMWARE SCANNER DEPLOYMENT (2019): detection capability that enabled the subsequent MoonBounce discovery.
  • (3) MOONBOUNCE EARLIEST DOCUMENTED ACTIVITY (Spring 2021): UEFI bootkit operational deployment.
  • (4) KASPERSKY CANONICAL DISCLOSURE (January 20, 2022): MoonBounce, the existing-firmware-component modification approach and the considerable-confidence APT41 attribution disclosed.
  • (5) CONTINUED INDUSTRY REFERENCE STATUS (2022-2026): cited as the canonical example of the existing-firmware-component modification approach in subsequent UEFI bootkit industry tracking.

Signature operational tradecraft
  • Existing-firmware-component modification approach (cluster-defining technical achievement): per Mark Lechtik canonical statement: "while LoJax and MosaicRegressor utilised additions of DXE drivers, MoonBounce modifies an existing firmware component for a more subtle and stealthier attack." Specifically modifies CORE_DXE benign UEFI firmware component to introduce logic to load malware during system startup while preserving boot sequence intact. Operationally distinct from sibling DXE-driver-addition approach.
  • Memory-only boot sequence propagation (signature no-disk-traces): per Lechtik: "More notably it makes changes to boot sequence components in memory only, through which it allows malicious code to propagate into the operating system." Leaves no traces on disk, making attacks much stealthier than predecessors.
  • SPI flash storage location: non-volatile storage component external to hard disk, operationally resistant to OS reinstallation + hard disk replacement.
  • APT41 considerable-confidence attribution (signature): operationally distinct from sibling MosaicRegressor low-confidence Winnti attribution profile.
  • ScrambleCross + adjacent malware ecosystem: the APT41-attributed ScrambleCross malware loader family is operationally adjacent to MoonBounce on victim networks, plus a low-confidence Microcin connection per Denis Legezo, significant for the toolset-sharing pattern among APT41 and other Chinese-speaking threat actors.
  • RESTful API hardcoded IP C2 backdoor (signature): previously-unknown backdoor with RESTful API hardcoded IP C2 + hypermedia directory path information exchange per The Stack.
  • Long-term-espionage operational mission profile: per Kaspersky: attack "aimed at long term espionage against a high-profile entity" + lateral movement + data exfiltration + ongoing espionage activity intent.
  • Single-victim publicly-documented occurrence: UEFI bootkit found in only single case per Kaspersky, with other affiliated malware (ScrambleCross) on networks of several other victims, operationally consistent with high-value-asset operational use pattern. The cluster fills the 3rd UEFI/firmware bootkit cell in this curated corpus following cosmicstrand_uefi (1st) + mosaicregressor (2nd) and operationally preceding blacklotus (4th). Operationally significant as the canonical "third publicly-known UEFI firmware bootkit" + signature APT41 UEFI capability industry reference point.

Aliases

13
moonbounce · moon_bounce · moon bounce · moonbounce_uefi_bootkit · moonbounce_firmware_implant · moonbounce spi flash implant · scramblecross · scramblecross loaders · microcin · moonbounce uefi · moonbounce apt41 · moonbounce winnti firmware · third publicly known uefi bootkit kaspersky 2022

Notable Campaigns

9
  • 2022-2026: Continued Industry Reference Status (2022-2026)
  • 2022-2026: APT41 Post-2022 Continued Operations
  • 2022: MoonBounce Kaspersky Canonical Disclosure (January 20, 2022)
  • 2022: Existing-Firmware-Component Modification Approach (Cluster-Defining Technical Achievement)
  • 2021-2022: ScrambleCross + Adjacent Malware Ecosystem
  • 2021-2022: Long-Term Espionage High-Profile Entity Targeting Mission
  • 2021: MoonBounce Earliest Documented Activity (Spring 2021)
  • 2019: Kaspersky Firmware Scanner Capability Deployment (2019)
  • 2012+: APT41 / Winnti Umbrella Predecessor Activity (2012 Onwards)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT (canonical January 2022 disclosure, Mark Lechtik + Denis Legezo)
  • Firmware Scanner Kaspersky technology (initial detection capability)
  • Mandiant / Google Threat Intelligence Group (APT41 nation-state attribution context + Brass Typhoon adjacent tracking)
  • Microsoft Threat Intelligence Center (APT41 / Brass Typhoon canonical tracking)
  • Symantec / Broadcom Threat Hunter Team (APT41 industry context)
  • Eclypsium (UEFI security industry analysis)
  • CrowdStrike (APT41 / Wicked Panda industry context)
  • Secureworks (APT41 / Bronze Atlas industry context)
  • Dark Reading (industry analysis)
  • The Stack (industry analysis)
Key reporting
  • Kaspersky GReAT (Mark Lechtik + Denis Legezo): MoonBounce, The Dark Side of UEFI Firmware (Securelist + Kaspersky.com press release, January 20, 2022), canonical MoonBounce disclosure
  • Kaspersky: More elusive and more persistent, the third known firmware bootkit shows major advancement (press release, January 20, 2022)
  • Dark Reading (Jai Vijayan): Researchers Discover Dangerous Firmware-Level Rootkit (industry analysis, 2022)
  • The Stack (Edward Targett): Unique UEFI rootkit MoonBounce modifies existing firmware (industry analysis, 2022)
  • Eclypsium: MoonBounce industry analysis post-disclosure
  • Mandiant / Google Threat Intelligence Group: APT41 industry context (Brass Typhoon canonical tracking)
  • Microsoft Threat Intelligence Center: APT41 / Brass Typhoon canonical tracking
  • CrowdStrike: APT41 / Wicked Panda industry context
  • Secureworks: APT41 / Bronze Atlas industry context
  • MITRE ATT&CK Group G0096: APT41, adjacent group tracking
  • Malpedia Software Profile: MoonBounce

Operational

State sponsor

Chinese-speaking APT41 nation-state actor attributed with considerable confidence by Kaspersky GReAT January 2022 canonical disclosure, operationally distinct from sibling MosaicRegressor cluster (low-confidence Winnti attribution) through stronger attribution profile to specific named APT cluster (APT41 / Winnti / Wicked Panda / Brass Typhoon / Barium / Bronze Atlas).

APT41 operational characteristics
  • China-affiliated state-aligned cyber threat actor active since at least 2012 per Mandiant / Google Threat Intelligence Group + Kaspersky tracking.
  • Operationally distinct from sibling Chinese-speaking cyber-espionage clusters through signature dual-mission operational profile (state-aligned cyber-espionage + financially-motivated cybercrime operations)
  • Other naming conventions: Barium (Microsoft prior naming), Bronze Atlas (Secureworks), Wicked Panda (CrowdStrike), Brass Typhoon (Microsoft current weather-taxonomy naming), Winnti Group / Winnti umbrella (broader)
  • Tracked separately in this curated corpus as apt41_wickedpanda; MoonBounce represents APT41's signature UEFI bootkit capability acquisition / deployment.

Kaspersky attribution basis (considerable confidence)
  • (a) Other malware artifacts on the same victim system: per Dark Reading + Kaspersky: "Other malware artifacts on the same system pointed to MoonBounce being used as part of a wider cyber-espionage campaign that Kaspersky researchers were able to attribute with a high level of confidence to APT41, a known Chinese-speaking advanced persistent threat (APT) group." The adjacent malware ecosystem (ScrambleCross + others) provided the attribution basis to APT41.
  • (b) APT41 toolset signature techniques: per Mark Lechtik: "to tamper with the UEFI, the APT41 actors would have needed a good understanding of the UEFI boot sequence and the vendor-specific implementation of the firmware they attacked. In addition, the underlying hardware platform needed to have allowed writing to the firmware, something that can happen if vulnerabilities are present in the firmware."
  • (c) Chinese-speaking actor toolset sharing pattern: per Denis Legezo (Kaspersky senior security researcher): "While we can't definitely connect the additional malware implants found during our research to MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one other to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin."

Operational discovery
Per the Kaspersky GReAT January 2022 canonical disclosure, MoonBounce was discovered hidden within the Unified Extensible Firmware Interface (UEFI) firmware of a computer at a customer location. Specifically, the malicious implant was planted in the UEFI firmware within the SPI flash storage on the infected computer's motherboard.
The signature operational targeting profile was "aimed at long term espionage against a high-profile entity" per Kaspersky's assessment.

Operational capability and technical sophistication are attributed at high confidence per multiple convergent sources:
  • (1) Kaspersky canonical January 2022 disclosure: Kaspersky GReAT (Mark Lechtik + Denis Legezo) published the canonical comprehensive analysis. Per the Kaspersky press release: "Kaspersky's researchers have uncovered the third case of a firmware bootkit in the wild. Dubbed MoonBounce, this malicious implant is hidden within a computer's Unified Extensible Firmware Interface (UEFI) firmware, an essential part of computers, in the SPI flash, a storage component external to the hard drive."
  • (2) Existing-firmware-component modification approach (signature, cluster-defining): per Mark Lechtik's canonical comparative statement: "while LoJax and MosaicRegressor utilised additions of DXE drivers, MoonBounce modifies an existing firmware component for a more subtle and stealthier attack." This existing-firmware-component modification approach is the cluster-defining operational tradecraft distinguishing MoonBounce from sibling UEFI/firmware bootkit clusters. Per Dark Reading: "MoonBounce is more sophisticated than LoJax and MosaicRegressor because of the very subtle nature of the binary level changes it makes to a benign UEFI component."
  • (3) Memory-only boot sequence propagation (signature no-disk-traces): per Mark Lechtik: "More notably it makes changes to boot sequence components in memory only, through which it allows malicious code to propagate into the operating system." This means it leaves no traces on disk, making attacks much stealthier than its predecessors: cluster-defining forensic evasion via memory-only propagation.
  • (4) CORE_DXE firmware component target: MoonBounce targets and modifies the benign CORE_DXE UEFI firmware component. The changes introduce logic to load malware during system startup while still preserving the boot sequence intact.
  • (5) SPI flash storage location (signature): per Kaspersky: "UEFI firmware is a critical component in the vast majority of machines; its code is responsible for booting up the device and passing control to the software that loads the operating system. This code rests in what's called SPI flash, a non-volatile storage external to the hard disk. If this firmware contains malicious code, then this code will be launched before the operating system, making malware implanted by a firmware bootkit especially difficult to delete; it can't be removed simply by reformatting a hard drive or reinstalling an OS."
  • (6) RESTful API C2 with hardcoded IP (signature): per The Stack: "Kaspersky's researchers found a number of other stagers and malware on machines during their investigation, including a previously unknown backdoor that was being used to contact a C2 server using a RESTful API, with a hardcoded IP address and a hypermedia directory path on the underlying server used for information exchange."
  • (7) ScrambleCross + adjacent malware ecosystem: per Kaspersky: "the existence of some of the aforementioned malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors. So far, the firmware bootkit has only been found in a single case. However, other affiliated malicious samples (e.g. ScrambleCross and its loaders) have been found on the networks of several other victims." Significant for the toolset-sharing pattern among APT41 and other Chinese-speaking actors.
  • (8) Operational mission profile per Kaspersky: the attack was "aimed at long term espionage against a high-profile entity". Kaspersky found just one example of the UEFI implant attack, which provided "highly stealthy and persistent storage for malware in the system", but multiple other likely associated malicious samples during the investigation. Commands used by the attackers throughout the activity suggested they were interested in lateral movement and exfiltration of data; given that a UEFI implant was used, the attackers were likely interested in conducting ongoing espionage activity.

Operational classification: nation-state APT-attributed UEFI/firmware bootkit cluster representing APT41's signature UEFI capability acquisition / deployment, a significant evolution in UEFI bootkit sophistication beyond MosaicRegressor's DXE-driver-addition approach to the existing-firmware-component modification approach. The cluster fills the 3rd UEFI/firmware bootkit cell in this curated corpus following cosmicstrand_uefi (1st) + mosaicregressor (2nd). Significant as the canonical "third publicly-known UEFI firmware bootkit in the wild" reference point and as the signature APT41 UEFI/firmware capability representation.
Motivations
apt41_signature_uefi_firmware_capability_demonstration, long_term_espionage_against_high_profile_entity, sophisticated_state_actor_offensive_cyber_capability_for_intelligence_collection, persistent_firmware_level_implant_for_long_term_espionage, existing_firmware_component_modification_approach_for_subtle_stealthier_attack, memory_only_boot_sequence_propagation_no_disk_traces, lateral_movement_and_data_exfiltration_via_uefi_persistence, chinese_speaking_threat_actor_toolset_sharing_pattern_participation
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 57/60 · 95%
  • Analytics (MITRE CAR): 27/60 · 45%
  • Runtime / container (Falco): 7/60 · 11%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 16/60 · 26%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques: validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
Memory-only boot sequence propagation · Microcin · MoonBounce UEFI bootkit · ScrambleCross · ScrambleCross loaders · SPI flash storage location external to hard disk
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin