{
	"id": "d28418c1-5ca4-4599-8260-1c098092ae04",
	"created_at": "2026-04-06T00:15:50.014319Z",
	"updated_at": "2026-04-10T03:32:34.617809Z",
	"deleted_at": null,
	"sha1_hash": "059ce5bfa57df7deb58c918f031a0249a5069dec",
	"title": "MoonBounce: the dark side of UEFI firmware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1112719,
	"plain_text": "MoonBounce: the dark side of UEFI firmware\r\nBy Mark Lechtik\r\nPublished: 2022-01-20 · Archived: 2026-04-05 18:37:42 UTC\r\nWhat happened?\r\nAt the end of 2021, we were made aware of a UEFI firmware-level compromise through logs from our Firmware Scanner,\r\nwhich has been integrated into Kaspersky products since the beginning of 2019. Further analysis has shown that a single\r\ncomponent within the inspected firmware’s image was modified by attackers in a way that allowed them to intercept the\r\noriginal execution flow of the machine’s boot sequence and introduce a sophisticated infection chain.\r\nBy examining the components of the rogue firmware and other malicious artefacts from the target’s network, we were\r\nable to reach the following conclusions:\r\nThe inspected UEFI firmware was tampered with to embed malicious code that we dub MoonBounce;\r\nDue to its emplacement on the SPI flash, which is located on the motherboard instead of the hard disk, the implant is\r\ncapable of persisting in the system across disk formatting or replacement;\r\nThe purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further\r\npayloads downloaded from the internet;\r\nThe infection chain itself does not leave any traces on the hard drive, as its components operate in memory only,\r\nthus facilitating a fileless attack with a small footprint;\r\nWe detected other non-UEFI implants in the targeted network that communicated with the same infrastructure\r\nwhich hosted the stager’s payload;\r\nBy assessing the combination of the above findings with network infrastructure fingerprints and other TTPs\r\nexhibited by the attackers, to the best of our knowledge the intrusion set in question can be attributed to\r\nAPT41, a threat actor that’s been widely reported to be Chinese-speaking;\r\nIn this report we describe in detail how the MoonBounce implant works, how it is connected to APT41, and what other\r\ntraces 
of activity related to Chinese-speaking actors we were able to observe in the compromised network that could\r\nindicate a connection to this threat actor and the underlying campaign.\r\nRevisiting the current state of the art in persistent attacks\r\nIn the last year, there have been several public accounts on the ongoing trend of UEFI threats. Notable examples include\r\nthe UEFI bootkit used as part of the FinSpy surveillance toolset that we reported on, the work of our colleagues from\r\nESET on the ESPectre bootkit, and a little-known threat activity that was discovered within government organisations in\r\nthe Middle East, using a UEFI bootkit of its own (briefly mentioned in our APT trends report Q3 2021 and covered in\r\nmore detail in a private APT report delivered to customers of our Threat Intelligence Portal).\r\nThe common denominator of those three cases is the fact that the UEFI components targeted for infection reside on the\r\nESP (EFI System Partition), a storage space designated for some UEFI components, typically based in the computer’s\r\nhard drive or SSD. The most notable elements of the ESP are the Boot Manager and OS loader, both invoked during the\r\nmachine’s boot sequence and which also happen to be the subject of tampering in the case of the aforementioned bootkits.\r\nhttps://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/\r\nPage 1 of 16\n\nWhile all of the above were seen in use by advanced actors, a different class of bootkits raises even higher concern. This\r\none is made up of implants found in the UEFI firmware within the SPI flash, a non-volatile storage external to the hard\r\ndrive. 
Such bootkits are not only stealthier (partially because of limited visibility by security products into this hardware\r\ncomponent), but also more difficult to mitigate: flashing a clean firmware image in place of a malicious one can prove to\r\nbe more difficult than formatting a hard drive and reinstalling an OS, which would typically eliminate ESP-level threats.\r\nMoonBounce is notable for being the third publicly revealed case of an implant from the latter class of firmware-based\r\nrootkits. Previous cases included LoJax and MosaicRegressor, which we reported on during October 2020. In that sense,\r\nMoonBounce marks a particular evolution in this group of threats by presenting a more complicated attack flow in\r\ncomparison to its predecessors and a higher level of technical competence by its authors, who demonstrate a thorough\r\nunderstanding of the finer details involved in the UEFI boot process.\r\nOur discovery: a sophisticated implant within UEFI firmware\r\nThe UEFI implant, which was detected in spring 2021, was found to have been incorporated by the attackers into the\r\nCORE_DXE component of the firmware (also known as the DXE Foundation), which is called early on at the DXE\r\n(Driver Execution Environment) phase of the UEFI boot sequence. Among other things, this component is responsible for\r\ninitializing essential data structures and function interfaces, one of which is the EFI Boot Services Table – a set of pointers\r\nto routines that are part of the CORE_DXE image itself and are callable by other DXE drivers in the boot chain.\r\nThe infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot\r\nServices Table, namely AllocatePool, CreateEventEx and ExitBootServices. 
Those hooks are used to divert the flow of\r\nthese functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up\r\nadditional hooks in subsequent components of the boot chain, namely the Windows loader.\r\nThis multistage chain of hooks facilitates the propagation of malicious code from the CORE_DXE image to other boot\r\ncomponents during system startup, allowing the introduction of a malicious driver to the memory address space of the\r\nWindows kernel. This driver, which runs during the initial phases of the kernel’s execution, is in charge of deploying user-mode malware by injecting it into an svchost.exe process, once the operating system is up and running. Finally, the user-mode\r\nmalware reaches out to a hardcoded C\u0026C URL (i.e. hxxp://mb.glbaitech[.]com/mboard.dll) and attempts to fetch\r\nanother stage of the payload to run in memory, which we were not able to retrieve.\r\nThe diagram below contains the outline of the stages taken from the moment the hooked Boot Services are called in the\r\ncontext of the DXE Foundation’s execution until the user-mode malware is deployed and run during the Operating\r\nSystem’s execution. The full description of each step in the diagram, along with the analysis of both the MoonBounce\r\ndriver and user-mode malware, can be found in the technical document released alongside this report.\r\nFlow of MoonBounce execution from boot sequence to malware deployment in user space\r\nNote that at the time of writing we lack sufficient evidence to retrace how the UEFI firmware was infected in the first\r\nplace. The infection itself, however, is assumed to have occurred remotely. While previous UEFI firmware compromises\r\n(i.e. 
LoJax and MosaicRegressor) manifested as additions of DXE drivers to the overall firmware image on the SPI flash,\r\nthe current case exhibits a much more subtle and stealthy technique where an existing firmware component is modified to\r\nalter its behaviour. Notably, particular functions were modified with an inline hook, meaning the replacement of the\r\nfunction prologue with an instruction to divert execution to a function chosen by the attacker. This form of binary\r\ninstrumentation typically requires the attacker to obtain the original image, then parse and change it to introduce\r\nmalicious logic. This would be possible for an attacker having ongoing and remote access to the targeted machine.\r\nOther pieces of malware on the radar\r\nIn addition to MoonBounce, we found infections across multiple nodes in the same network by a known user-mode\r\nmalware dubbed ScrambleCross, also known as SideWalk. This is an in-memory implant, implemented as position-independent code, that can communicate with a C2 server in order to exchange information and stage the execution of\r\nadditional plugins in memory, of which none has been sighted in the wild yet. This malware was thoroughly covered by\r\nour colleagues at Trend Micro and ESET, so we will refer the reader to their excellent write-ups to understand its internals\r\nbetter.\r\nThe position-independent code constituting ScrambleCross can be loaded in one of two ways, the first being a C++ DLL\r\nnamed StealthVector. It obtains the ScrambleCross shellcode by applying a modified ChaCha20 algorithm on an\r\nencrypted blob, which may reside as an additional file on disk or be embedded in the loader itself. 
We detected both\r\nvariants of this loader in the network in question.\r\nStealthVector gets loaded through the introduction of a modified benign system DLL, in which the import address table is\r\npatched to append the malware’s DLL as a dependency. In one case, we observed such an altered wbemcomn.dll file (MD5:\r\nC3B153347AED27435A18E789D8B67E0A), which originally facilitates the functionality of WMI in Windows and\r\nwas located in the directory %SYSTEM%\\wbem. As a consequence, when the WMI service was initiated, the rogue\r\nversion of this DLL forced the loading of a StealthVector image named wmiwk.dll.\r\nAppended IAT entry to a rogue wbemcomn.dll file which forces the loading of StealthVector upon initiation of the\r\nWMI service\r\nThe table below specifies all instances of StealthVector that we detected in the targeted network, along with timestamp\r\nartefacts that might point to the date of their creation.\r\nLoader Filename | Loader MD5 | Shellcode Filename | C\u0026C Address | Compilation Timestamp\r\nwbwkem.dll | 4D5EB9F6F501B4F6EDF981A3C6C4D6FA | compwm.bin | dev.kinopoisksu[.]com | Friday, 12.06.2020 08:25:02 UTC\r\nwkbem.dll | E7155C355C90DC113476DDCF765B187D | pcomnl.bin | Unknown | Tuesday, 24.03.2020 09:09:21 UTC\r\nwmiwk.dll | 899608DE6B59C63B4AE219C3C13502F5 | wmipl.dll | ns.glbaitech[.]com | Saturday, 20.02.2021 06:45:18 UTC\r\nc_20344.nls | 4EF90CEEF2CC9FF3121B34A9891BB28D | – | 217.69.10[.]104 | Tuesday, 24.03.2020 09:09:21 UTC\r\nc_20334.nls | CFF2772C44F6F86661AB0A4FFBF86833 | – | st.kinopoisksu[.]com | Tuesday, 24.03.2020 09:09:21 UTC\r\nAnother loader that we detected, and which is commonly used to load ScrambleCross, is .NET based and referred to as\r\nStealthMutant. It works by decrypting a shellcode BLOB with AES-256 and injecting it into the address space of another\r\nprocess. 
The injected process in every case we observed was msdt.exe (Microsoft Diagnostic Troubleshooting Wizard).\r\nStealthMutant is launched in one of two ways, which were partially described in other reports as well. The first way is by\r\nexecuting a launcher utility with the filename System.Mail.Service.dll (MD5: 5F9020983A61446A77AF1976247C443D)\r\nthrough the command line as a service. This is outlined in the following commands typed by the attackers on one of the\r\ncompromised systems:\r\nnet  start \"iscsiwmi\"\r\nsc  stop iscsiwmi\r\nsc  delete iscsiwmi\r\nreg  add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v \"iscsiwmi\" /t\r\nREG_MULTI_SZ /d \"iscsiwmi\" /f\r\nsc  create \"iscsiwmi\" binPath= \"$system32\\svchost.exe -k iscsiwmi\" type= share start= auto error= ignore\r\nDisplayName= \"iscsiwmi\"\r\nSC  failure \"iscsiwmi\" reset= 86400 actions= restart/60000/restart/60000/restart/60000\r\nsc  description \"iscsiwmi\" \"\"iSCSI WMI Classes That Manage Initiators, Ports, Sessions and Connections\"\"\r\nreg  add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\iscsiwmi\\Parameters\" /f\r\nreg  add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\iscsiwmi\\Parameters\" /v \"ServiceDll\" /t\r\nREG_EXPAND_SZ /d \"$windir\\Microsoft.NET\\Framework64\\v4.0.30319\\System.Mail.Service.dll\" /f\r\nnet  start \"iscsiwmi\"\r\nThe launching utility in turn uses the .NET InstallUtil.exe application in order to execute the StealthMutant image, which\r\nhas the filename Microsoft.Service.Watch.targets, providing it with the encrypted ScrambleCross shellcode as an\r\nargument from a file named MstUtil.exe.config. 
The utility itself is a basic C++ program that achieves the aforementioned\r\ngoal by issuing the following command line using the WinExec API:\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false\r\n/ConfigFile=MstUtil.exe.config /U\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Microsoft.Service.Watch.targets\r\nThe second way to execute StealthMutant is through the creation of a scheduled task via a Windows batch script file\r\nnamed schtask.bat, as outlined below:\r\n@echo off\r\ncd /d \"%~dp0\"\r\ncopy /Y Microsoft.Service.Watch.targets\r\n\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Microsoft.Service.Watch.targets\"\r\ncopy /Y MstUtil.exe.config \"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MstUtil.exe.config\"\r\nschtasks /create /TN \"\\Microsoft\\Windows\\UNP\\UNPRefreshListTask\" /SC ONSTART /TR\r\n\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false\r\n/ConfigFile=MstUtil.exe.config /U\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Microsoft.Service.Watch.targets\" /F  /DELAY 0000:02\r\n/RU SYSTEM /RL HIGHEST\r\nschtasks /run /TN \"\\Microsoft\\Windows\\UNP\\UNPRefreshListTask\"\r\nThe following table lists known StealthMutant loader IOCs, together with their corresponding ScrambleCross shellcode\r\nfiles and contacted C2 addresses. It’s worth noting that most of the ScrambleCross shellcodes (loaded by both\r\nStealthMutant and StealthVector) reached out to the same server (i.e. 
ns.glbaitech[.]com) and that StealthMutant was\r\nobserved in this campaign only from February 2021.\r\nLoader MD5 | C\u0026C Address | Compilation Timestamp\r\n0603C8AAECBDC523CBD3495E93AFB20C | 92.38.178[.]246, ns.glbaitech[.]com | Tuesday, 23.03.2021 08:00:44 UTC\r\n8C7598061D1E8741B8389A80BFD8B8F5 | ns.glbaitech[.]com | Saturday, 20.02.2021 03:27:42 UTC\r\nF9F9D6FB3CB94B1CDF9E437141B59E16 | ns.glbaitech[.]com | Wednesday, 08.12.2021 07:07:28 UTC\r\nIn addition to the above components, we found other stagers and post-exploitation malware implants during our research,\r\nsome of which were attributed to or have been used by known Chinese-speaking threat actors:\r\nMicrocin: a backdoor typically used by the SixLittleMonkeys threat actor, which we have been tracking since\r\n2016. It is worth noting that since its inception, the SixLittleMonkeys group has been using Microcin against\r\nvarious targets, partly against high-profile entities based in Russia and Central Asia.\r\nThe implants we observed in this campaign are shipped as DLLs that ought to run in the context of exe, with the\r\nprimary intent of reading a C2 address from an encrypted configuration file stored in\r\n%WINDIR%\\debug\\netlogon.cfg and reaching out to the server to obtain a further payload. Interestingly, the\r\nTrojan holds a scheduling algorithm that would skip any work on Saturdays, checking the local time every hour to\r\ndetermine if Saturday has passed.\r\nMimikat_ssp: a publicly available post-exploitation tool used to dump credentials and security secrets from exe,\r\nalso used widely by various Chinese-speaking actors (e.g. GhostEmperor, which we reported on).\r\nGo implant: a formerly unknown backdoor used to contact a C2 server using a RESTful API, where a\r\ncombination of a hardcoded IP address and a hypermedia directory path on the underlying server are used for\r\ninformation exchange. 
Both the IP and the server directory path are encrypted with AES-128 using a base64-encoded\r\nkey stored in the backdoor’s image. The IP and directory path tuple is used during execution for:\r\nInitialising communications with the server;\r\nSending information from the infected host;\r\nRequesting a specific server path containing a command for execution and downloading it;\r\nSending back the result of the command’s execution to the C2 server.\r\nThe commands retrieved from the server are also encrypted with AES-128, with the key stored in the command’s\r\nfile itself. Command execution results are then encrypted using the same key. We found the following list of\r\nsupported commands:\r\nGet list of drives;\r\nGet content list from a specified directory;\r\nDownload a file from the C2 server;\r\nWrite text to a given *.bat file and execute it;\r\nRun a shell command.\r\nIt is important to note that we could not conclusively tie most of those additional pieces of malware to the intrusion set\r\nrelated to MoonBounce, with the exception of Microcin, where some timeline artefacts coincide with other events related\r\nto ScrambleCross, as outlined in the figure below. This suggests a low-confidence connection between Microcin and\r\nMoonBounce and may indicate usage of shared resources between SixLittleMonkeys and APT41 or involvement of the\r\nformer’s operators in the MoonBounce activity.\r\nTimeline of events related to artefacts found in the network containing the MoonBounce-infected machine\r\nWho were the targets?\r\nCurrently, our detections indicate a very targeted nature of the attack – the presence of the firmware rootkit was detected\r\nin a single case. Other affiliated malicious samples (e.g. ScrambleCross and its loaders) were found on multiple other\r\nmachines in the same network range. 
In addition, we found several other victims of an undetermined nature with the same\r\nversions of ScrambleCross reaching out to the same command and control infrastructure. One particular target\r\ncorresponds to an organization in control of several enterprises dealing with transport technology.\r\nWhat were the attackers trying to achieve?\r\nWe traced some of the commands executed by the attackers after gaining a foothold in the network, which point to lateral\r\nmovement and exfiltration of information from particular machines. This aligns in profile with some of the previous\r\noperations by APT41, wherein intrusions were typically made to intervene in the targeted companies’ supply chain, or to\r\nsteal sensitive intellectual property and personally identifiable information. The usage of the UEFI implant in particular\r\nindicates the actor’s aim to establish a longstanding foothold within the network, as would be expected in an ongoing\r\nespionage activity.\r\nThe following are examples of command lines that portray some of the methods and actions taken by the operators of this\r\nthreat activity to achieve their goals:\r\nAttempts to enumerate hosts and gather network information:\r\ncmd /C \"C: \u0026 cd \\ \u0026 whoami\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 net view\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 -setcp 866\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 net view\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 netstat -ano\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 dir $temp\\ /od\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 arp -a\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 tasklist\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 tracert \u003credacted_internal_ip\u003e\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 net use \\\\\u003credacted_internal_ip\u003e /u:\u003credacted_username\u003e \u003credacted_password\u003e\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 net view \\\\\u003credacted_internal_ip\u003e\"\r\ncmd /C \"C: 
\u0026 cd \\ \u0026 ping -n 1 -a \u003credacted_internal_ip\u003e\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 net use * /d /y\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 systeminfo\"\r\nCopying of files across SMB shares, followed by an attempt to dump the Active Directory domain database (tid):\r\ncmd /C \"C: \u0026 cd \\ \u0026 echo ntdsutil \\\"ac i ntds\\\" \\\"ifm\\\" \\\"create full $temp\\1\\\\\\\" q q \u003e$temp\\a.bat\r\ncmd /C \"C: \u0026 cd \\ \u0026 type $temp\\a.bat\r\ncmd /C \"C: \u0026 cd \\ \u0026 move $temp\\a.bat \\\\\u003credacted_internal_ip\u003e\\c$\\windows\\temp\\\\\r\nUsage of the Sysinternals Psexec tool for remote command execution in the network (as the renamed version tmp):\r\n$temp\\TS_P61S.tmp  -accepteula -d -s \\\\\u003credacted_internal_ip1\u003e\\ cmd /c \"arp -a \u003e$temp\\TS_P34H.tmp\"\r\n$temp\\TS_P61S.tmp  -accepteula -d -s \\\\\u003credacted_internal_ip2\u003e\\ cmd /c \"ping \u003credacted_internal_ip2\u003e -a\r\n-n 2\u003e$temp\\TS_P34H.tmp\"\r\n$temp\\TS_P61S.tmp  -accepteula -d -s \\\\\u003credacted_internal_ip3\u003e\\ cmd /c \"ping -n 2 -a\r\n\u003credacted_internal_ip2\u003e\u003e$temp\\TS_P34H.tmp\"\r\nUsage of WMI for remote command execution:\r\nwmic  /node:\u003credacted_internal_ip1\u003e /user:\u003credacted_group\u003e\\\u003credacted_user\u003e /password:\r\n\u003credacted_password\u003e process call create \"cmd /c ping -n 1 -a \u003credacted_internal_ip4\u003e \u003e$temp\\a.tmp\r\nwmic  /node:\u003credacted_internal_ip2\u003e /user:\u003credacted_group\u003e\\\u003credacted_user\u003e /password:\r\n\u003credacted_password\u003e process call create \"cmd /c netstat -ano \u003e$temp\\a.tmp\r\nwmic  /node:\u003credacted_internal_ip2\u003e /user:\u003credacted_group\u003e\\\u003credacted_user\u003e /password:\r\n\u003credacted_password\u003e process call create \"cmd /c tracert \u003credacted_internal_ip4\u003e\u003e$temp\\a.tmp\r\nwmic  /node:\u003credacted_internal_ip3\u003e 
/user:\u003credacted_group\u003e\\\u003credacted_user\u003e /password:\r\n\u003credacted_password\u003e process call create \"cmd /c ipconfig /all \u003e$temp\\a.tmp\r\nwmic  /node:\u003credacted_internal_ip3\u003e /user:\u003credacted_group\u003e\\\u003credacted_user\u003e /password:\r\n\u003credacted_password\u003e process call create \"cmd /c qwinsta \u003e$temp\\a.tmp\r\nwmic  /node:\u003credacted_internal_ip3\u003e /user:\u003credacted_group\u003e\\\u003credacted_user\u003e /password:\r\n\u003credacted_password\u003e process call create \"cmd /c net user administrator \u003e$temp\\a.tmp\r\nwmic  /node:\u003credacted_internal_ip3\u003e /user:\u003credacted_group\u003e\\\u003credacted_user\u003e /password:\r\n\u003credacted_password\u003e process call create \"cmd /c net user admin \u003e$temp\\a.tmp\r\nRemoval of artefacts from the system:\r\ncmd /C \"C: \u0026 cd \\ \u0026 dir $temp\\ /od\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 dir $temp\\*.hive\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 del $temp\\*.hive\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 dir $temp\\*.log\"\r\ncmd /C \"C: \u0026 cd \\ \u0026 type $temp\\silconfig.log\"\r\nFile archiving of remotely collected files, some of which contain *.hive files, possibly for LSA secrets dumping,\r\nwith the exe command line utility:\r\ncmd /C \"C: \u0026 cd \\ \u0026 $temp\\rar.exe a -r wef.rar \\\\\u003credacted_internal_ip1\u003e\\c$\\windows\\temp\\1 -\r\nhp2wsxcde34rfv7788.\"\r\nc:\\windows\\temp\\rar.exe  a -r c:\\windows\\temp\\873.rar \\\\\u003credacted_internal_ip2\u003e\\c$\\windows\\temp\\*.hive\r\n-hp5tgbnhy67ujm3256\r\nNetwork infrastructure\r\nThe main cluster of infrastructure serving the activity of the UEFI implant and ScrambleCross implants is outlined in the\r\ntable below. Note that the attackers maintained the infrastructure from at least March 2020, with some servers seemingly\r\nstill active at the end of 2021. 
During that time, the actor switched between multiple hosting providers, resulting in a\r\nscattered infrastructure across several ASNs.\r\nDomain | IP | ASN\r\nmb.glbaitech[.]com | 188.166.61[.]146 | AS14061 – DIGITALOCEAN-ASN\r\nns.glbaitech[.]com | 188.166.61[.]146 | AS14061 – DIGITALOCEAN-ASN\r\nns.glbaitech[.]com | 172.107.231[.]236 | AS40676\r\ndev.kinopoisksu[.]com | 172.107.231[.]236 | AS40676\r\ndev.kinopoisksu[.]com | 193.29.57[.]161 | AS48314 – IP-PROJECTS\r\nst.kinopoisksu[.]com | 136.244.100[.]127 | AS20473 – AS-CHOOPA\r\n– | 217.69.10[.]104 | AS20473 – AS-CHOOPA\r\n– | 92.38.178[.]246 | AS202422 – GHOST\r\nA careful inspection of the infrastructure shows multiple connections between the servers. It is evident that\r\nMoonBounce’s user-mode stager and a few ScrambleCross instances reached out to a single domain, which resolved to\r\nthe same IP at one point. In addition, there were several overlaps in IPs to which the domains resolved, as outlined in the\r\nfigure below, including one IP that was used to park two domains at different points in time.\r\nConnections between infrastructure elements of MoonBounce and ScrambleCross implants found on the same\r\nnetwork\r\nAnother important commonality is a unique self-signed SSL certificate, exhibited by multiple servers in this campaign\r\n(and only a few dozen others in the wild), which represents a noteworthy fingerprint of the attacker’s network activity.\r\nIn addition to the above cluster, we detected two servers related to Microcin’s activity on the same network:\r\nDomain | IP | ASN\r\nm.necemarket[.]com | 172.105.94[.]67 | AS63949 – LINODE\r\nholdmem.dbhubspi[.]com | 5.188.93[.]132 | AS202422 – G-Core Labs\r\nWho is behind the MoonBounce attack?\r\nTo the best of our knowledge, the activity described in this report can be attributed to a group widely known as APT41, or\r\nan actor closely affiliated to it, with medium to high confidence. 
In part, our findings align with multiple public accounts\r\nfrom the previous year of either APT41 or other threat actors, namely Earth Baku and SparklingGoblin, which are\r\nbelieved to be alternative names for APT41 or share significant resources and TTPs with it.\r\nOur conclusion is based in particular on the following factors:\r\nThe loading schemes for ScrambleCross, including the usage of StealthVector and StealthMutant in the infection\r\nchain, are identical to those observed in use by Earth Baku and SparklingGoblin. Apart from the loaders\r\nthemselves, their launchers seem identical. The attackers used the unique TTP of initiating the loader execution\r\nthrough exe in all cases observed by us. In particular, Install.bat, as used by Earth Baku and described in the public\r\nreport by Trend Micro mentioned earlier, is highly similar to the sequence of commands used to execute the\r\nInstallUtil launcher in our case.\r\nThe ScrambleCross malware itself, which has been reported in use with both Earth Baku and SparklingGoblin, is\r\nconsidered a variant of CROSSWALK, a piece of malware that was described originally by Mandiant as an APT41\r\ntool and remains distinct to the group, to the best of our knowledge.\r\nA unique certificate retrieved from multiple ScrambleCross C2 servers in the campaign described in this report\r\nwas returned by a few dozen other servers in the wild, some of which have previously been reported by the\r\nFBI as being part of APT41-owned infrastructure.\r\nAdditionally, the following observations are worth mentioning:\r\nThe user-mode malware stager deployed by the UEFI implant contains scheduling logic that is somewhat similar\r\nto one seen in Microcin samples (some of which were also found on infected hosts in this campaign). 
This suggests\r\nthat these groups may be related through shared resources or a prime contractor.\r\nThis scheduling algorithm found in the stager can take a 672-bit bitmask to determine when the malware\r\nshould start beaconing the C2 server in an attempt to retrieve the payload, whereby the scheduled working time\r\ncan be decided at a granularity of 15-minute slots (i.e. the stager checks if it is supposed to run in a particular slot\r\nout of the 672 possibilities that constitute a full week, or alternatively sleeps for 10 seconds before checking again if it has\r\nreached a dedicated working slot). A similar scheduling methodology occurs in the case of Microcin, but\r\nwith a bitmask that simply represents the days of the week on which the malware ought to be active.\r\nScheduling code used in MoonBounce’s user-mode stager\r\nThe Mimikat_ssp tool found on a few machines in the targeted network has been seen in use by multiple Chinese-speaking threat actors in the past. One recent example is its use in the campaigns of GhostEmperor, as described in\r\na previous report.\r\nSome elements of shellcode leveraged in MoonBounce were spotted in an old rootkit that was part of a malicious\r\nframework dubbed xTalker, which has been seen in the wild since at least 2013, alongside several malware\r\nfamilies affiliated to known actors, e.g. NetTraveler, Enfal and Microcin. It was prominently used against Russian-speaking targets including military, governmental entities and think-tanks.\r\nBoth components shared a similar name-hashing algorithm, which is outlined below, along with unique\r\ncorresponding function name hashes (e.g. 
0x311B83F, the name hash of ExAllocatePool) that were not seen in use\r\nelsewhere in the wild.\r\nName-hashing algorithm used identically in both MoonBounce and xTalker’s rootkit\r\nIn addition, both pieces of code used a technique of replacing magic marker values within shellcode buffers with\r\npointer addresses during runtime. MoonBounce’s code used the marker 0x1122334455667788, while the xTalker\r\nrootkit’s code used 0x1234567812345678.\r\nMagic marker values replaced during execution within shellcodes in xTalker’s rootkit and MoonBounce\r\nIn the case of xTalker, the above code elements were found within shellcode intended to be staged through an\r\nMBR bootkit. However, it is not clear to what extent it was actually used. This may suggest that the MoonBounce\r\nand xTalker codes were authored by the same, or a closely affiliated, developer.\r\nConclusion\r\nIn September 2020, the US Department of Justice released a series of indictments against members of the APT41 group,\r\ncharging them with a high number of computer intrusions against a variety of targets, both in the private and public\r\nsectors, some of which included high-profile supply chain attacks. The intrusion set described in this report, and in other\r\npublic accounts we referred to, shows that the group did not cease to be active despite these legal proceedings.\r\nMoreover, it is evident that the group maintains a high level of proficiency and sophistication in the development of its\r\ntoolset, gaining a foothold in new areas like UEFI firmware. In this sense, the group has introduced its own innovation to\r\nthis landscape – patching an existing benign core component in the firmware (rather than adding a new driver to it),\r\nthereby turning the UEFI firmware into a highly stealthy and persistent storage for malware in the system.\r\nFollowing previous predictions, we can now say that UEFI threats are gradually becoming a norm. 
With this in mind,\r\nvendors are taking more precautions to mitigate attacks like MoonBounce, for example by enabling Secure Boot by\r\ndefault. We assess that, in this ongoing arms race, attacks against UEFI will continue to proliferate, with attackers\r\nevolving and finding ways to exploit and bypass current security measures.\r\nAs a safety measure against this attack and similar ones, it is recommended to update the UEFI firmware regularly and\r\nverify that BootGuard, where applicable, is enabled. Likewise, enabling the Trusted Platform Module (TPM), where the corresponding\r\nhardware is present on the machine, is also advisable. On top of all this, a security product that has visibility into\r\nfirmware images adds an extra layer of security, alerting the user to a potential compromise should one occur.\r\nMoonBounce’s indicators of compromise\r\nSource: https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/"
	],
	"report_names": [
		"105468"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8b57a00-18f4-4e49-9954-849de5e97506",
			"created_at": "2023-11-05T02:00:08.065073Z",
			"updated_at": "2026-04-10T02:00:03.395154Z",
			"deleted_at": null,
			"main_name": "SparklingGoblin",
			"aliases": [],
			"source_name": "MISPGALAXY:SparklingGoblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6",
			"created_at": "2022-10-25T16:07:23.869951Z",
			"updated_at": "2026-04-10T02:00:04.766204Z",
			"deleted_at": null,
			"main_name": "Mikroceen",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "ETDA:Mikroceen",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Microcin",
				"Mikroceen",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"logon.dll",
				"logsupport.dll",
				"pcaudit.bat",
				"sqllauncher.dll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434550,
	"ts_updated_at": 1775791954,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/059ce5bfa57df7deb58c918f031a0249a5069dec.pdf",
		"text": "https://archive.orkl.eu/059ce5bfa57df7deb58c918f031a0249a5069dec.txt",
		"img": "https://archive.orkl.eu/059ce5bfa57df7deb58c918f031a0249a5069dec.jpg"
	}
}