{
	"id": "922b628d-89a1-4f62-9b2d-4881285c82e7",
	"created_at": "2026-04-06T01:31:50.378848Z",
	"updated_at": "2026-04-10T03:37:50.511667Z",
	"deleted_at": null,
	"sha1_hash": "de20b2381acd3bda3608e7467467911022bb9e8b",
	"title": "LoJack for computers used to attack European government bodies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 830358,
	"plain_text": "LoJack for computers used to attack European government bodies\r\nBy Malwarebytes Labs\r\nPublished: 2018-10-03 · Archived: 2026-04-06 00:55:56 UTC\r\nSecurity researchers have detected the first known instance of a UEFI bootkit being used in targeted campaigns\r\nagainst government entities across Central and Eastern Europe. The attack focuses on UEFI-enabled computers\r\nand relies on a persistence mechanism that has been stolen from a legitimate, but often questioned, software called\r\nComputrace that comes by default on many computer systems.\r\nThis Computrace agent from Absolute Software is a service designed to recover lost or stolen computers, the\r\nunderlying technology of which is based on the LoJack Stolen Vehicle Recovery System. In 2005, Absolute\r\nSoftware licensed the LoJack name and subsequent tracking technology to aid in recovery efforts of stolen\r\ncomputers. After negotiations with manufacturers, the Computrace agent from Absolute Software—or LoJack for\r\ncomputers—now comes pre-loaded on a large number of machines.\r\nThe Computrace software uses a novel method to maintain persistence on computers. This methodology allows\r\nthe code to remain through a re-installation of the operating system or replacement of the hard drive. The software\r\ndoes this by tightly integrating into low-level operations that are stored within SPI flash memory modules located\r\non the physical motherboard of the computer. These memory modules are where pertinent system resources, such\r\nas BIOS and UEFI procedures, are stored.\r\nAn Eset white paper details how Trojanized versions of the Computrace agent have been compromised to allow\r\nattackers the ability to execute arbitrary code on vulnerable machines. This code can be stored within the SPI flash\r\nmodules, which prevents easy detection from many security solutions. 
This code execution ability, along with the\r\nhttps://blog.malwarebytes.com/cybercrime/hacking/2018/10/lojack-for-computers-used-to-attack-european-government/\r\nPage 1 of 2\n\npersistence and tracking capabilities of the Computrace software, makes for an extremely effective combination\r\nthat is difficult to detect or remediate. Eset is calling this threat the LoJax malware.\r\nAs of this writing, use of this particular attack methodology appears to be limited in scope. Research indicates that\r\nthe purpose of this novel attack vector has been to install the XAgent Remote Access Trojan, which others in the\r\nsecurity industry have linked to the Russian hacking group that goes by many names including: APT28, Fancy\r\nBear, and Sednit.\r\nThe successful execution of the malware payload is dependent upon a computer system that has been configured\r\nto disable the Secure Boot protections that come standard on newer Windows computers.\r\nSecure Boot is a security feature of UEFI-enabled computers, and it requires a legitimate digital signature before\r\nthe system is allowed to execute any code stored within the SPI flash memory module. This is a current limitation\r\nof the LoJax malware, as the code does not have a digital signature. This prevents code execution in environments\r\nwhere Secure Boot is enabled, such as Windows 8 and Windows 10.\r\nUsers of Linux or other unsupported operating systems will not have the built-in protections of Secure Boot due to\r\nincompatibility with those devices. 
Users who must disable such protections in order to use necessary or desired\r\nsoftware will need to remain diligent.\r\nThough currently limited in scope, we anticipate seeing this attack vector employed by other malware families and\r\nattackers in the future.\r\nSource: https://blog.malwarebytes.com/cybercrime/hacking/2018/10/lojack-for-computers-used-to-attack-european-government/\r\nhttps://blog.malwarebytes.com/cybercrime/hacking/2018/10/lojack-for-computers-used-to-attack-european-government/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/hacking/2018/10/lojack-for-computers-used-to-attack-european-government/"
	],
	"report_names": [
		"lojack-for-computers-used-to-attack-european-government"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439110,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de20b2381acd3bda3608e7467467911022bb9e8b.pdf",
		"text": "https://archive.orkl.eu/de20b2381acd3bda3608e7467467911022bb9e8b.txt",
		"img": "https://archive.orkl.eu/de20b2381acd3bda3608e7467467911022bb9e8b.jpg"
	}
}