{
	"id": "93ad2cc3-3301-4f16-8c14-a6210189e8a4",
	"created_at": "2026-04-06T00:22:04.735454Z",
	"updated_at": "2026-04-10T03:37:50.396725Z",
	"deleted_at": null,
	"sha1_hash": "9a48eb6cd28886f757ed818c19e444ae422b9f50",
	"title": "LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 336333,
	"plain_text": "LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit\r\ngroup\r\nBy ESET Research\r\nArchived: 2026-04-05 16:51:34 UTC\r\nUpdate, 9 October 2018: The remediation section of the white paper contained inaccurate information. Secure\r\nBoot doesn't protect against the UEFI rootkit described in this research. We advise that you keep your UEFI\r\nfirmware up-to-date and, if possible, have a processor with a hardware root of trust as is the case with Intel\r\nprocessors supporting Intel Boot Guard (from the Haswell family of Intel processors onwards).\r\nUEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks, as they are hard to\r\ndetect and able to survive security measures such as operating system reinstallation and even a hard disk\r\nreplacement. Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal\r\nof (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we\r\ndiscovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a\r\nvictim’s system.\r\nThe discovery of the first in-the-wild UEFI rootkit is notable for two reasons.\r\nFirst, it shows that UEFI rootkits are a real threat, and not merely an attractive conference topic.\r\nAnd second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT\r\ngroup, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than\r\npreviously thought.\r\nOur analysis of the Sednit campaign that uses the UEFI rootkit was presented September 27 at the 2018 Microsoft\r\nBlueHat conference and is described in detail in our “LoJax: First UEFI rootkit found in the wild, courtesy of the\r\nSednit group” white paper. 
In this blog post, we summarize our main findings.\r\nThe Sednit group has been operating since at least 2004, and has made headlines frequently in past years: it is\r\nbelieved to be behind major, high profile attacks. For instance, the US Department of Justice named the group as\r\nbeing responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. The\r\ngroup is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping\r\nAgency (WADA) email leak, and many others. This group has a diversified set of malware tools in its arsenal,\r\nseveral examples of which we have documented previously in our Sednit white paper from 2016.\r\nOur investigation has determined that this malicious actor was successful at least once in writing a malicious\r\nUEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during\r\nthe boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but\r\nalso a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not\r\ncommonly done and certainly not by the typical computer owner.\r\nhttps://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/\r\nPage 1 of 5\n\nOur research has shown that the Sednit operators used different components of the LoJax malware to target a few\r\ngovernment organizations in the Balkans as well as in Central and Eastern Europe.\r\nLoJack becomes LoJax\r\nIn May 2018, an Arbor Networks blog post described several trojanized samples of Absolute Software’s LoJack\r\nsmall agent, rpcnetp.exe. These malicious samples communicated with a malicious C\u0026C server instead of the\r\nlegitimate Absolute Software server, because their hardcoded configuration settings had been altered. 
Some of the\r\ndomains found in LoJax samples have been seen before: they were used in late 2017 as C\u0026C domains for the\r\nnotorious Sednit first-stage backdoor, SedUploader. Because of this campaign's malicious usage of the LoJack\r\nsmall agent, we call this malware LoJax.\r\nLoJack is anti-theft software. Earlier versions of this agent were known as Computrace. As its former name\r\nimplies, once the service was activated, the computer would call back to its C\u0026C server and its owner would be\r\nnotified of its location if it had gone missing or been stolen. Computrace attracted attention from the security\r\ncommunity, mostly because of its unusual persistence method. Since this software’s intent is to protect a system\r\nfrom theft, it is important that it resists OS re-installation or hard drive replacement. Thus, it is implemented as a\r\nUEFI/BIOS module, able to survive such events. This solution comes pre-installed in the firmware of a large\r\nnumber of laptops manufactured by various OEMs, waiting to be activated by their owners.\r\nWhile researching LoJax, we found several interesting artifacts that led us to believe that these threat actors might\r\nhave tried to mimic Computrace’s persistence method.\r\nPatching SPI flash memory with malware\r\nOn systems that were targeted by the LoJax campaign, we found various tools that are able to access and patch\r\nUEFI/BIOS settings. All used a kernel driver, RwDrv.sys, to access the UEFI/BIOS settings. This kernel driver is\r\nbundled with RWEverything, a free utility available on the web that can be used to read information on almost all\r\nof a computer’s low-level settings, including PCI Express, Memory, PCI Option ROMs, etc. 
As this kernel driver\r\nbelongs to legitimate software, it is signed with a valid code-signing certificate.\r\nThree different types of tool were found alongside LoJax userland agents. The first one is a tool dumping\r\ninformation about low-level system settings to a text file. Since bypassing a platform’s protection against\r\nillegitimate firmware updates is highly platform-dependent, gathering information about a system’s platform is\r\ncrucial. The purpose of the second tool is to save an image of the system firmware to a file by reading the contents\r\nof the SPI flash memory where the UEFI/BIOS is located. The third tool's purpose is to add a malicious UEFI\r\nmodule to the firmware image and write it back to the SPI flash memory, effectively installing the UEFI rootkit on\r\nthe system. This patching tool uses different techniques either to abuse misconfigured platforms or to bypass\r\nplatform SPI flash memory write protections. As illustrated in the next figure, if the platform allows write\r\noperations to the SPI flash memory, it will just go ahead and write to it. If not, it actually implements an exploit\r\nagainst a known vulnerability.\r\nThe UEFI rootkit added to the firmware image has a single role: dropping the userland malware onto the Windows\r\noperating system partition and making sure that it is executed at startup.\r\nHow to protect yourself?\r\nWhile Secure Boot is the first mechanism that comes to mind when we think about preventing UEFI firmware\r\nattacks, it wouldn't have protected against the attack we describe in this research. 
Despite this, we strongly suggest\r\nyou enable Secure Boot on your systems, through the UEFI setup utility.\r\nSecure Boot is designed to protect against malicious components coming from outside of the SPI flash memory.\r\nTo protect against tampering with the SPI flash memory, the system’s root of trust must be moved to hardware.\r\nSuch technologies exist and Intel Boot Guard is a good example of this. It has been available starting with the\r\nHaswell family of Intel processors introduced in 2013. Had this technology been available and properly\r\nconfigured on the victim's system, the machine would have refused to boot after the compromise.\r\nUpdating system firmware should not be something trivial for a malicious actor to achieve. There are different\r\nprotections provided by the platform to prevent unauthorized writes to system SPI flash memory. The tool\r\ndescribed above is able to update the system’s firmware only if the SPI flash memory protections are vulnerable or\r\nmisconfigured. Thus, you should make sure that you are using the latest UEFI/BIOS available for your\r\nmotherboard. Also, as the exploited vulnerability affects only older chipsets, make sure that critical systems have\r\nmodern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008).\r\nUnfortunately for the ambitious end user, updating a system’s firmware is not a trivial task. Thus, firmware\r\nsecurity is mostly in the hands of UEFI/BIOS vendors. The security mechanisms provided by the platform need to\r\nbe configured properly by the system firmware in order to actually protect it. Firmware must be built from the\r\nground up with security in mind. 
Fortunately, more and more security researchers are looking at firmware security,\r\nthus contributing to improving this area and raising awareness among UEFI/BIOS vendors.\r\nRemediation of a UEFI firmware-based compromise is a hard problem. There are no easy ways to automatically\r\nremove such a threat from a system. In the case we described above, removing the rootkit requires reflashing the SPI flash\r\nmemory with a clean firmware image specific to the motherboard. This is a delicate\r\noperation that must be performed manually. It is definitely not a procedure that most computer owners are familiar\r\nwith. The only alternative to reflashing the UEFI/BIOS is to replace the motherboard of the compromised system\r\noutright.\r\nFor more information about how to protect yourself, you can visit our website and find out more about the ESET\r\nUEFI Scanner.\r\nThe links with the Sednit APT group\r\nAs mentioned above, some of the LoJax small agent C\u0026C servers were used in the past by SedUploader, a first-stage backdoor routinely used by Sednit’s operators. Also, in cases of LoJax compromise, traces of other Sednit\r\ntools were never far away. In fact, systems targeted by LoJax usually also showed signs of these three examples of\r\nSednit malware:\r\nSedUploader, a first-stage backdoor\r\nXAgent, Sednit’s flagship backdoor\r\nXtunnel, a network proxy tool that can relay any kind of network traffic between a C\u0026C server on the\r\nInternet and an endpoint computer inside a local network\r\nThese facts allow us to attribute LoJax with high confidence to the Sednit group.\r\nIn conclusion\r\nThrough the years we’ve spent tracking the Sednit group, we have released many reports on its activities,\r\nranging from zero-day usage to custom malware it has developed, such as Zebrocy. 
However, the UEFI rootkit\r\ncomponent described above is in a league of its own.\r\nThe LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique\r\nthreats, and such targets should always be on the lookout for signs of compromise. Also, one thing that this\r\nresearch taught us is that it is always important to dig as deep as you can go!\r\nA full list of Indicators of Compromise (IOCs) and samples can be found on GitHub.\r\nFor a detailed analysis of the backdoor, head over to our white paper LoJax: First UEFI rootkit found in the wild,\r\ncourtesy of the Sednit group.\r\nSource: https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/"
	],
	"report_names": [
		"lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a48eb6cd28886f757ed818c19e444ae422b9f50.pdf",
		"text": "https://archive.orkl.eu/9a48eb6cd28886f757ed818c19e444ae422b9f50.txt",
		"img": "https://archive.orkl.eu/9a48eb6cd28886f757ed818c19e444ae422b9f50.jpg"
	}
}