{
	"id": "2ad92460-8ce6-49f8-83e3-d43fbf5c2950",
	"created_at": "2026-04-06T00:08:10.59617Z",
	"updated_at": "2026-04-10T03:30:33.166007Z",
	"deleted_at": null,
	"sha1_hash": "21e5722ac0438b8022ac285b3652e09cf85bb4a1",
	"title": "Source code for BlackLotus Windows UEFI malware leaked on GitHub",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3668057,
	"plain_text": "Source code for BlackLotus Windows UEFI malware leaked on GitHub\r\nBy Bill Toulas\r\nPublished: 2023-07-13 · Archived: 2026-04-05 23:51:20 UTC\r\nThe source code for the BlackLotus UEFI bootkit has leaked online, allowing greater insight into a malware that has caused great concern among enterprises, governments, and the cybersecurity community.\r\nBlackLotus is a Windows-targeting UEFI bootkit that bypasses Secure Boot on fully patched Windows 11 installs, evades security software, persists on an infected system, and executes payloads with the highest level of privileges in the operating system.\r\nIts features include impairing the BitLocker data protection feature, Microsoft Defender Antivirus, and Hypervisor-protected Code Integrity (HVCI) - also known as the Memory Integrity feature that protects against attempts to exploit the Windows kernel.\r\nhttps://www.bleepingcomputer.com/news/security/source-code-for-blacklotus-windows-uefi-malware-leaked-on-github/\r\nWindows Secure Boot is a security feature that blocks untrusted bootloaders on computers with Unified Extensible Firmware Interface (UEFI) firmware and a Trusted Platform Module (TPM) chip. This security feature is meant to prevent rootkits from loading during the startup process and evading detection by applications running in Windows.\r\nBlackLotus was the first discovered example of a UEFI bootkit that could bypass the Secure Boot mechanism and turn off OS-level security protections. This was accomplished initially by exploiting the \"Baton Drop\" vulnerability (CVE-2022-21894), which Microsoft patched in January 2022.\r\nBypasses were found for the security update, allowing BlackLotus to continue to operate and forcing Microsoft to play catchup by revoking additional Windows Boot Managers.\r\nThis led to another security update for CVE-2023-24932 (another Secure Boot Security Feature Bypass) that revoked further malicious boot managers.\r\nHowever, Microsoft disabled the security update for CVE-2023-24932 by default, requiring Windows users to perform a lengthy and somewhat complicated manual installation to patch their systems.\r\nAs Microsoft warned that incorrectly installing the security fix could cause a system not to start or not to be recoverable from Windows installation media, many decided not to install the update, leaving devices vulnerable to Secure Boot bypass attacks.\r\n\"If you use Secure Boot and incorrectly perform the steps on this article, you might be unable to start or recover your device from media,\" explained Microsoft in a support bulletin.\r\n\"This can prevent you from using recovery media, such as discs or external drives, or network boot recovery, if the media has not been correctly updated.\"\r\nDue to the concern over and stealthiness of the BlackLotus malware, both Microsoft and the NSA shared guidance on detecting and removing the bootkit from Windows.\r\nThe BlackLotus source code leak\r\nBlackLotus was initially sold on hacker forums for as little as $5,000, allowing threat actors of all skill levels to gain access to malware usually associated with state-sponsored hacking groups.\r\nHowever, the threat actor kept the source code private, offering rebuilds for $200 to customers who wanted to customize the bootkit.\r\nToday, security firm Binarly told BleepingComputer that the source code of the BlackLotus UEFI bootkit was leaked on GitHub by the user 'Yukari,' making the tool widely available to anyone.\r\nYukari says that the source code has been modified to remove the Baton Drop vulnerability and instead uses the bootlicker UEFI rootkit, which is based on the CosmicStrand, MoonBounce, and ESPECTRE UEFI APT rootkits.\r\nLeaked BlackLotus source code on GitHub\r\nSource: BleepingComputer\r\n\"The leaked source code isn't complete and contains mainly the rootkit part and bootkit code to bypass Secure Boot,\" stated Binarly's co-founder and CEO Alex Matrosov.\r\nMatrosov explains that the bootkit's techniques are no longer new, but the source code leak makes it trivial for threat actors to combine the bootkit with new bootloader vulnerabilities, either known or unknown.\r\n\"Most of these tricks and techniques are previously known for years and don't present significant impact,\" Matrosov told BleepingComputer in a conversation about the leak.\r\n\"However, the fact that it's possible to combine them with new exploits like the BlackLotus campaign did was something unexpected to the industry and shows the real limitations of the current mitigations below the operating system.\"\r\nIt is important to stress that even though Microsoft addressed the Secure Boot bypasses in CVE-2022-21894 and CVE-2023-24932, the security update is optional, and the fixes are disabled by default.\r\nTo secure systems against the BlackLotus UEFI bootkit threat, make sure to follow the comprehensive mitigation advice that the NSA published last month.\r\nWith the bootkit's source code now widely available, it is also possible that competent malware authors might create more potent variants that can bypass existing and future countermeasures.\r\nMatrosov told BleepingComputer that this particular attack vector has significant benefits for attackers and will only get more sophisticated and complex.\r\nSource: https://www.bleepingcomputer.com/news/security/source-code-for-blacklotus-windows-uefi-malware-leaked-on-github/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/source-code-for-blacklotus-windows-uefi-malware-leaked-on-github/"
	],
	"report_names": [
		"source-code-for-blacklotus-windows-uefi-malware-leaked-on-github"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434090,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21e5722ac0438b8022ac285b3652e09cf85bb4a1.pdf",
		"text": "https://archive.orkl.eu/21e5722ac0438b8022ac285b3652e09cf85bb4a1.txt",
		"img": "https://archive.orkl.eu/21e5722ac0438b8022ac285b3652e09cf85bb4a1.jpg"
	}
}