{
	"id": "b7f8eff4-28ec-47ef-a7a4-2e6a3135fe48",
	"created_at": "2026-04-10T03:21:48.175096Z",
	"updated_at": "2026-04-10T13:11:48.336247Z",
	"deleted_at": null,
	"sha1_hash": "2a1803be982ff7a6b0ad893e6d52896df2908099",
	"title": "Diving Into Glupteba's UEFI Bootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1604303,
	"plain_text": "Diving Into Glupteba's UEFI Bootkit\r\nBy Lior Rochberger, Dan Yashnik\r\nPublished: 2024-02-12 · Archived: 2026-04-10 03:14:01 UTC\r\nExecutive Summary\r\nGlupteba is advanced, modular and multipurpose malware that, for over a decade, has mostly been seen in\r\nfinancially driven cybercrime operations. This article describes the infection chain of a new campaign that took\r\nplace around November 2023.\r\nDespite being active for over a decade, certain capabilities that Glupteba’s authors have added have remained\r\nundiscovered or unreported – until now. We will focus on one intriguing and previously undocumented feature: a\r\nUnified Extensible Firmware Interface (UEFI) bootkit. This bootkit can intervene and control the OS boot\r\nprocess, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to detect\r\nand remove.\r\nWhile this threat began as a simple backdoor, it transformed into a potent botnet, emerging as a major player in the\r\nrealm of cyberthreats. Since its discovery in the early 2010s, Glupteba has evolved significantly and undergone a\r\nseries of stealthy metamorphoses. This threat is particularly known for its elaborate infection chains that showcase\r\nits operators’ continuous developments and their attempts to evade traditional security measures.\r\nFigure 1. Glupteba infection chain, as shown by Cortex XDR and XSIAM (set to detect-only mode\r\nfor testing purposes).\r\nPalo Alto Networks customers are better protected from malware discussed in this article through products like\r\nCortex XDR, our Next-Generation Firewall with Cloud-Delivered Security Services that include Advanced\r\nWildFire, Advanced Threat Prevention and Advanced URL Filtering. Additionally, Prisma Cloud Cortex XDR\r\nCloud Agents or Prisma Cloud Defender Agents monitor for instances of known Glupteba malware. 
DNS Security\r\ncan block malicious domains.\r\nSpecifically for UEFI bootkits such as Glupteba’s, the UEFI Protection module released as part of Cortex Agent\r\n8.3 provides detection and prevention capabilities.\r\nhttps://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/\r\nPage 1 of 16\n\nA note on acronyms: this article uses multiple acronyms. We’ve listed out terms that are either used together in\r\nsequence or may be unfamiliar to analysts of different backgrounds.\r\nAcronym Term\r\nDSE Driver signature enforcement\r\nESP EFI system partition\r\nPPI Pay-per-install\r\nSPI Serial Peripheral Interface\r\nUEFI Unified Extensible Firmware Interface\r\nUPGDSED Universal PatchGuard and Driver Signature Enforcement Disable\r\nGlupteba Overview\r\nGlupteba is built to be modular, which allows it to download and execute additional components or payloads. This\r\nmodular design makes Glupteba adaptable to different attack scenarios and environments, and it also allows its\r\noperators to adapt to different security solutions.\r\nOver the years, malware authors have introduced new modules, allowing the threat to perform a variety of tasks\r\nincluding the following:\r\nDelivering additional payloads\r\nStealing credentials from various software\r\nStealing sensitive information, including credit card data\r\nEnrolling the infected system in a cryptomining botnet\r\nCrypto hijacking and delivering miners\r\nPerforming digital advertising fraud\r\nStealing Google account information\r\nBypassing UAC and having both rootkit and bootkit components\r\nExploiting routers to gain credentials and remote administrative access\r\nIn recent campaigns, threat actors mainly distributed Glupteba through pay-per-install (PPI) services, which\r\nallowed the operators of this malware to mass-infect machines all over the world.\r\nAbout Glupteba’s PPI Ecosystem\r\nThe PPI ecosystem is a significant and profitable component of the cybercrime 
landscape. This model, which\r\ninitially emerged as a means to distribute advertisements, evolved over the years toward a more nefarious purpose:\r\nthe dissemination of spyware and malware.\r\nThis model facilitates widespread distribution of malicious software, as financially incentivized PPI service\r\nproviders play a crucial role in disseminating malware. This includes threats ranging from advanced downloaders\r\nlike PrivateLoader and SmokeLoader to versatile threats like Glupteba, RedLine Stealer, coin miners and even\r\nransomware.\r\nPPI service providers use different platforms to recruit affiliates and sell services. One of the most popular PPI\r\nservices that spreads PrivateLoader is called Ruzki. Ruzki is operated by the user les0k on Russian hacking\r\nforums. Figure 2 shows an account overview of les0k on the Russian hacking forum WWH, also known as\r\nWWHClub.\r\nFigure 2. Overview of les0k, “king of installs,” as shown in the Russian hacking forum WWHClub.\r\nTo attract malware operators, PPI services sometimes post promotions and offer discounts. Pricing is based on the\r\nnumber of installations requested, and in most cases pricing is also based on region.\r\nFigure 3 shows an example where a PPI service provider is requesting $70 USD for 1,000 installations worldwide,\r\nexcluding Europe and the U.S. One thousand installations in Europe costs $500, and the same number of\r\ninstallations in the U.S. will cost the operator $1,200.\r\nFigure 3. Price model for PPI service, as shown in a Telegram message uploaded to WWHClub.\r\n2023 Campaign\r\nSince December 2022, Glupteba has sprung back into action, infecting devices worldwide after its operation was\r\ndisrupted by Google in December 2021. 
The activity continued into 2023, when the Glupteba botnet reemerged in\r\na new, ongoing and widespread campaign affecting multiple regions and industries. Organizations hit by this\r\ncampaign were based in countries including Greece, Nepal, Bangladesh, Brazil, Korea, Algeria, Ukraine,\r\nSlovakia, Turkey, Italy and Sweden.\r\nSimilar to other recent campaigns, threat actors often spread Glupteba through web-based distribution and large-scale phishing attacks using bundled software installation files and cracks, as shown in Figure 4. This strategy has\r\nled to multiple malware infections.\r\nFigure 4. Icons for malicious installer files spreading Glupteba in 2023.\r\nThe campaign has multiple stages, as shown in Figure 5. The first stage of an attack lures a user into downloading\r\nmalicious ZIP files of fake installation files impersonating different software. Once the user downloads the ZIP\r\nfile and attempts to install the software, the infection chain begins.\r\nFigure 5. Malware infection graph for a 2023 campaign that includes Glupteba.\r\nThreat actors often distribute Glupteba as part of a complex infection chain spreading several malware families at\r\nthe same time. This infection chain often starts with a PrivateLoader or SmokeLoader infection that loads other\r\nmalware families, then loads Glupteba.\r\nFor example, Figure 5 above shows a 2023 infection chain that starts with PrivateLoader, which led to\r\nSmokeLoader, which then led to a variety of other malware including two Glupteba samples.\r\nThe infection chain shown in Figure 5 is one of many similar chains we discovered in 2023. 
Our analysis of these\r\nrecent campaigns revealed Glupteba’s use of an undocumented UEFI bootkit.\r\nExploring Glupteba's Undocumented UEFI Bootkit\r\nBefore discussing Glupteba’s implementation of the UEFI bootkit, here is a short introduction to UEFI bootkits\r\nand their complexity.\r\nUEFI Bootkit Introduction\r\nUEFI is a specification that defines the architecture of the platform firmware used for booting the computer\r\nhardware and its interface for interaction with the operating system.\r\nFigure 6 shows the different stages of the boot process in a UEFI system.\r\nFigure 6. The UEFI boot process. Source: Brian Richardson on GitHub.\r\nIn the stages before boot device selection in Figure 6, the system’s firmware is loaded from a Serial Peripheral\r\nInterface (SPI) flash memory. Then the EFI system partition (ESP), located in the boot device and containing the\r\nWindows Boot Manager, is loaded as the host boots into Windows.\r\nA malware implant in the ESP is enough to execute code before Windows starts, where it can easily disrupt\r\nvarious security mechanisms. Another possibility is an implant in the SPI flash memory that executes code at\r\nearlier stages of the boot process, enabling even greater power and flexibility. However, malware using a firmware\r\nimplant in flash memory requires higher privileges than using an ESP implant, and it is more complex to achieve.\r\nAs of 2023, only a handful of UEFI bootkits have been publicly reported in the wild, such as LoJax (a firmware\r\nimplant) and BlackLotus (an ESP implant).\r\nUncovering Glupteba’s Bootkit Installer\r\nWe start our analysis with a bootkit installer binary disguised as a legitimate Windows binary (csrss.exe). When\r\nanalyzing this installer, a clear lack of strings and functions indicates the file is packed in some way. 
This means\r\nwe have some work to do before we can analyze the actual logic of the installer.\r\nAfter examining the installer with a disassembler, the main function appears to eventually jump to an address\r\nstored in dword_2FA3A2C, as shown below in Figure 7.\r\nFigure 7. The WinMain function in csrss.exe.\r\nIn another function, dword_2FA3A2C is assigned newly allocated heap memory, which is then set with\r\nPAGE_EXECUTE_READWRITE permissions (see Figure 8). Finally, this heap memory is filled with some data,\r\nwhich is at least partially executable.\r\nFigure 8. Initialization of RWX heap memory in csrss.exe.\r\nFurther unpacking takes place after jumping to this code, eventually allocating another RWX memory region and\r\njumping to it, as shown in Figure 9.\r\nFigure 9. Allocation of a second RWX memory in csrss.exe.\r\nThis memory area contains unpacked resources, including the PE file with the main installer logic. All other\r\nresources that are not related to the UEFI bootkit are out of scope here.\r\nThe installer has a function main_writeEfiGuard that writes files in the ESP, as seen in Figure 10.\r\nFigure 10. The installer writes files in the ESP in the main_writeEfiGuard function.\r\nSummary of the operation of this function:\r\n1. The main_mountEFI function mounts the ESP into the B: drive\r\n2. B:\\EFI\\Microsoft\\Boot\\bootmgfw.efi is renamed to B:\\EFI\\Microsoft\\Boot\\fw.efi\r\n3. B:\\EFI\\Boot\\bootx64.efi is renamed to B:\\EFI\\Boot\\old.efi\r\n4. The asset embedded\\bootmgfw.efi is written to B:\\EFI\\Microsoft\\Boot\\bootmgfw.efi and to\r\nB:\\EFI\\Boot\\bootx64.efi\r\n5. 
The asset embedded\\EfiGuardDxe.efi is written to B:\\EFI\\Boot\\EfiGuardDxe.efi\r\nThese actions can be viewed as Cortex XDR events – see Figure 11.\r\nFigure 11. Cortex XDR events of file writes into the ESP.\r\nThe name of the function (main_writeEfiGuard) and the name of one of the dropped files (EfiGuardDxe.efi)\r\nimmediately point us in the direction of EfiGuard.\r\nEfiGuard\r\nEfiGuard is an open-source and portable UEFI bootkit that patches the Windows kernel by executing a UEFI\r\ndriver (EfiGuardDxe.efi) to disable PatchGuard and driver signature enforcement (DSE). Figure 12 depicts the\r\narchitecture of EfiGuard.\r\nFigure 12. EfiGuard architecture. Source: Mattiwatti on GitHub.\r\nAs documented in the GitHub project, EfiGuardDxe.efi can be executed either by installing it in a UEFI driver\r\nentry or booting a custom loader (Loader.efi) that loads the driver and then continues to load Windows. Glupteba\r\nuses the latter method.\r\nIn either case, the driver hooks the EFI Boot Service LoadImage function, which intercepts the loading of the\r\nWindows Boot Manager (bootmgfw.efi), starting a chain of patches that eventually patch the kernel (ntoskrnl.exe)\r\nas depicted in Figure 13.\r\nFigure 13. EfiGuard’s chain of patches.\r\nThe project supports two methods for disabling DSE. The first occurs at boot time, immediately after disabling\r\nPatchGuard. The second involves leaving a UEFI backdoor through a hook on the EFI Runtime Service\r\nSetVariable that allows user-mode code to read and write arbitrary kernel-space memory. 
The backdoor is\r\ncomplemented with a user-mode program (EfiDSEFix.exe) that utilizes the kernel read/write backdoor to patch\r\nDSE.\r\nEfiGuard in Glupteba\r\nUsing BinDiff for a similarity analysis of the two files Glupteba writes in the ESP quickly indicates they are a\r\nrecompilation of the EfiGuardDxe.efi and Loader.efi components in EfiGuard, as shown below in Figures 14 and\r\n15. Some code, such as logging, was removed from EfiGuard.\r\nFigure 14. BinDiff of 01e86a4dfe6e0de7857b3cf2fafd041c[...] and EfiGuardDxe.efi v1.1.1.\r\nFigure 15. BinDiff of 9fdb7c1359f3f2f7279f1df4bde648c0[...] and Loader.efi v1.1.1 (matched\r\nfunctions).\r\nGlupteba replaces the Windows Boot Manager (bootmgfw.efi) with Loader.efi. The Loader.efi file loads the\r\nEfiGuardDxe.efi driver and then continues to load Windows.\r\nIt appears the threat author has manually modified and recompiled the driver code to use the boot time method to\r\ndisable PatchGuard and DSE, as shown in Figure 16 below. Note that the driver configuration for the bypass\r\nmethod, stored in gDriverConfig, is set to DSE_DISABLE_AT_BOOT – see Figure 17. However, the author\r\nactually removed the code paths that check this configuration in our sample.\r\nFigure 16. Modified PatchNtoskrnl function in 01e86a4dfe6e0de7857b3cf2fafd041c[...].\r\nFigure 17. Driver configuration in 01e86a4dfe6e0de7857b3cf2fafd041c[...].\r\nSummary of DSE Bypasses in Glupteba\r\nAs documented in a previous analysis by Sophos, Glupteba formerly used Windows kernel drivers to hide itself.\r\nTo successfully load these drivers, Glupteba used DSEFix or Universal PatchGuard and Driver Signature\r\nEnforcement Disable (UPGDSED).\r\nDSEFix drops a known vulnerable driver and exploits it to disable DSE in kernel memory. 
UPGDSED runs in\r\nuser-mode and patches the Windows kernel and Windows Boot Loader binaries for the same purpose.\r\nOur current samples reveal that Glupteba has added EfiGuard to its arsenal of tools that are capable of disabling\r\nDSE.\r\nIn the installer, the function main_installDriver calls the previous function we analyzed (main_writeEfiGuard),\r\nwhich writes the files in the ESP. We give a high-level overview of the logic in this function in Figure 18 below,\r\nby grouping its nodes in IDA.\r\nFigure 18. High-level grouping of the nodes in the main_installDriver function.\r\nAs revealed in Figure 18, any one of the three DSE bypasses we have mentioned (DSEFix, UPGDSED or\r\nEfiGuard) might be used, depending on the architecture, OS version and configuration. Unlike the BlackLotus\r\nESP implant, we have not seen any evidence for Glupteba bypassing Secure Boot.\r\nConclusion\r\nIn the ever-evolving threat landscape, Glupteba malware continues to stand out as a notable example of the\r\ncomplexity and adaptability exhibited by modern cybercriminals.\r\nThe identification of an undocumented UEFI bypass technique within Glupteba underscores this malware's\r\ncapacity for innovation and evasion. This novel method not only poses a significant challenge for detection but\r\nalso highlights the pressing need for cybersecurity professionals to continually enhance their defenses and stay\r\nahead of emerging threats.\r\nFurthermore, with its role in distributing Glupteba, the PPI ecosystem highlights the collaboration and\r\nmonetization strategies employed by cybercriminals in their attempts at mass infections. 
This model indicates that\r\nthreat actors leverage underground economies to proliferate malware, and it emphasizes the importance of holistic\r\ncybersecurity strategies and multilayer security solutions that extend beyond traditional defenses.\r\nProtections and Mitigations\r\nCortex XDR and XSIAM raised many alerts for the malicious activities observed in the 2023 campaign\r\ndistributing Glupteba and other malware. Prevention and detection alerts revealed the different stages and different\r\nmalware involved.\r\nSmartScore, our unique ML-driven scoring engine that translates security investigation methods and their\r\nassociated data into a hybrid scoring system, scored this incident an 86 out of 100, as shown below in Figure 19.\r\nThis type of scoring helps analysts determine which incidents are more urgent and provides context about the\r\nreason for the assessment, assisting with prioritization.\r\nFigure 19. SmartScore information about the incident.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the IoCs shared in this research.\r\nNext-Generation Firewall with Cloud-Delivered Security Services including Advanced URL Filtering,\r\nAdvanced Threat Prevention and DNS Security identify domains associated with this group as malicious.\r\nPrisma Cloud: Any cloud infrastructure running Windows virtual machines should monitor their Windows-based VMs using Cortex XDR Cloud Agents or Prisma Cloud Defender Agents. 
Both agents will monitor\r\nthe Windows VM instances for known Glupteba malware, using signatures pulled from Palo Alto Networks\r\nWildFire.\r\nCortex XDR\r\nPrevents the execution of known malware, and also prevents the execution of unknown\r\nmalware using Behavioral Threat Protection and machine learning based on the Local Analysis\r\nmodule.\r\nProtects against credential gathering tools and techniques using the new Credential Gathering\r\nProtection available from Cortex XDR 3.4.\r\nProtects from threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection, newly released in Cortex XDR 3.4.\r\nProtects against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using\r\nthe Anti-Exploitation modules as well as Behavioral Threat Protection.\r\nCortex XDR Pro detects post-exploit activity, including credential-based attacks, with behavioral\r\nanalytics.\r\nThe UEFI Protection module detects and prevents advanced threats that target UEFI. In the case of\r\nGlupteba, Figure 20 shows the module blocking the malicious modifications made to the ESP.\r\nFigure 20. Glupteba’s UEFI bypass prevention, as shown in Cortex XDR and XSIAM.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nGlupteba Binaries From the 2023 Campaign\r\ncfc7111da7b09e7a93b93ce690f2a4d922cc1009fea8368300f06c6fa4f85472\r\n17e4590eceb4fec1e08c29b206d424172753d8472395f37d0647249ceff25817\r\n61ab0e1ddaae4704999c4781deea56e1df5b05489bf4c0b892c47b36a63de9f4\r\nb6604ae49298c59e148b1e741ef8821ffd60c775bfb9c3234783452c54cd3069\r\n8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205\r\ne4a2b53965b9d203d13dd4b5962b9f07270bb87e5738f44cf1126ce36019427d\r\nc353fb081ae8e121c4dcea3ad1bc4061315728a6f0d0ac63885a4f074be5fef3\r\ndf75b62e373e0b91f26384b21aaa8e4dc86c13078cec7e32ad595d0c86d3fedb\r\n5851e0b4a79208b995ab5a7e1f5247c159aac31c7c166a4bef77be14af64c1e8\r\n6263a6ceb172eed7bae158d8066f70cabc42b352129547e1b5ad0c1096319d30\r\n9c44bf6c3538c93c95342f5c365de46b6494a5a5764870048df7478a9d0f8723\r\nb84adf0716facf50418f5f228cf095e5157b6be3f04a98f26ce833057e804a4f\r\na000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e\r\nc867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee\r\n8a62d01c1f321c4adb8428771af3eae1c83fec8a0e0a047b0bc17a51d19c7c96\r\n2023 Campaign ZIP 
Files\r\ncb347e06d97fde4c7f8dd77be59b8f57d47f6e3f998d708d21a5963bc1620835\r\n46eb8b98738df13a3a8c923228ca82006c7d403c7a1aac2d6bc752023b432915\r\naa3257efb3182a98f73ad413b34f68067f42c3c51b68d15abea5db01173afad8\r\n75bb73decf9fd21643b834a0b3e21e8e0d33910e51efbe56a2162f1180d04802\r\n18c6e5a916eea979ea52495309e4e643232832bea614688df4cec0e3123b09d0\r\nfdd2fbe16f96f6d2b027347fd35c2e105a483a55b43f094754c2b3374ffb051a\r\n9691b5846e230e0ea87b3f8a7a6dc31daae701ca0bb83e6c7df0f683bdea01e6\r\n9c6af24c519d02203bfbdf568f7beb144996af9676b290a96a728ba9314b1c66\r\nbb809863b3145ceef7fc12ae5bca3940f18c4a24f5b4652e7b4cea6847762887\r\n3a1cffaaa68dc4b5f0f94a1ec14b008444074a3faefa4beba20c857a21539bc1\r\nd0d58229650ff9bf3bbf8edb55c7058a2f243e900473e0ff8849c517c2f165bd\r\nc4f45bdfecb3d8cb4dcfdc8f323cf5d15321d161ac92802aa1e77dfa94fd91ed\r\n84575070117b8896bafbd6f5dc364db09bea8e742f4af84884d15cab5e811060\r\nEfiGuard Binaries Used by Glupteba\r\n9fdb7c1359f3f2f7279f1df4bde648c080231ed21a22906e908ef3f91f0d00ee\r\n01e86a4dfe6e0de7857b3cf2fafd041c8b3a3241e00844cb6bfbd3bfae2d36bc\r\n2023 Campaign Infrastructure\r\nweareelight[.]com\r\nonualituyrs[.]org\r\nsnukerukeutit[.]org\r\nstualialuyastrelia[.]net\r\nsumagulituyo[.]org\r\ncriogetikfenbut[.]org\r\ndpav[.]cc\r\nhumydrole[.]com\r\nkggcp[.]com\r\nkumbuyartyty[.]net\r\nlightseinsteniki[.]org\r\nliuliuoumumy[.]org\r\nLocation of Program Database (PDB) File From Glupteba in 2023\r\nC:\\juro\\yologakib\\rihahoy71\\waxotobub.pdb\r\nAdditional Resources\r\nGlupteba malware is back in action after Google disruption – Bleeping Computer\r\nDisrupting the Glupteba operation – Updates from Threat Analysis Group (TAG), Google\r\nGlupteba Expands Operation and Toolkit with LOLBins And Cryptominer – Malicious Life, Cybereason\r\nDecember 2022’s Most Wanted Malware: Glupteba Entering Top Ten and Qbot in First Place - Check Point\r\nBlog – Check Point Blog\r\nFirst UEFI 
rootkit found in the wild, courtesy of the Sednit group – ESET, LoJax white paper\r\nBlackLotus UEFI bootkit: Myth confirmed – We Live Security, ESET\r\nGlupteba malware hides in plain sight – Sophos News\r\nDSEFix: Windows x64 Driver Signature Enforcement Overrider – hfiref0x on GitHub\r\nUPGDSED: Universal PatchGuard and Driver Signature Enforcement Disable – hfiref0x on GitHub\r\nEfiGuard: Disable PatchGuard and Driver Signature Enforcement at boot time – Mattiwatti on GitHub\r\nPrivateLoader: the loader of the prevalent ruzki PPI service – Sekoia Blog\r\nPrivateLoader: The first step in many malware scheme – Intel 471\r\nSource: https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/"
	],
	"report_names": [
		"glupteba-malware-uefi-bootkit"
	],
	"threat_actors": [],
	"ts_created_at": 1775791308,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a1803be982ff7a6b0ad893e6d52896df2908099.pdf",
		"text": "https://archive.orkl.eu/2a1803be982ff7a6b0ad893e6d52896df2908099.txt",
		"img": "https://archive.orkl.eu/2a1803be982ff7a6b0ad893e6d52896df2908099.jpg"
	}
}