{
	"id": "c09537d3-7607-47c7-918a-85d7cd5675c9",
	"created_at": "2026-04-06T00:14:58.129961Z",
	"updated_at": "2026-04-10T03:37:50.439073Z",
	"deleted_at": null,
	"sha1_hash": "df19aef07e6147e1244bee150caa4f8b90c8fd20",
	"title": "APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1519582,
	"plain_text": "APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild\r\nBy Ionut Ilascu\r\nPublished: 2018-09-27 · Archived: 2026-04-02 12:42:06 UTC\r\nSecurity researchers tracking the operations of a cyber-espionage group found the first evidence of a rootkit for the Unified Extensible Firmware Interface (UEFI) being used in the wild.\r\nThe threat actor, known in the infosec community by the names Sednit, Fancy Bear, APT28, Strontium, and Sofacy, was able to write a malicious component into a machine's UEFI firmware.\r\nAccording to ESET, the threat actor embedded the rootkit in the SPI flash module of a target computer, which gives persistence not only against reinstallation of the operating system but also when the hard drive is replaced.\r\nhttps://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/\r\nPage 1 of 5\n\nThe researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year. That hijacking operation of the legitimate software was also the work of APT28.\r\n\"On systems that were targeted by the LoJax campaign, we found various tools that are able to access and patch UEFI/BIOS settings,\" ESET says in a report shared with BleepingComputer.\r\nSigned driver opens access to firmware\r\nSecurity researchers explain that they found three different types of tools on a victim's computer. Two of them are responsible for gathering details about the system firmware and for creating a copy of the system firmware by reading the SPI flash memory module, where the UEFI firmware is located.\r\nThe third one injects the malicious module and writes the compromised firmware back to the SPI flash memory, creating persistence for the malware.\r\nTo reach the UEFI/BIOS settings, all tools use the kernel driver of the RWEverything tool, which allows modification of the firmware settings of almost any hardware. The driver is signed with a valid certificate.\r\n\"This patching tool uses different techniques either to abuse misconfigured platforms or to bypass platform SPI flash memory write protections,\" ESET says.\r\nIf write operations are denied, the malicious tool exploits a four-year-old race condition vulnerability in UEFI (CVE-2014-8273) to bypass the defenses.\r\nThe purpose of the rootkit is just to drop malware into the Windows operating system and make sure that it executes at startup.\r\nDefending against LoJax UEFI rootkit\r\nProtecting against LoJax infection is possible by enabling the Secure Boot mechanism, which checks that every component loaded by the system firmware is signed with a valid certificate.\r\nSince the LoJax rootkit is not signed, Secure Boot can prevent it from dropping the malware in the first place.\r\nAnother way to protect against Sednit's rootkit is to make sure the motherboard has the latest firmware version from the manufacturer. The patching tool can do its job only if the protections for the SPI flash module are vulnerable or misconfigured. An updated firmware should render the malicious update operation fruitless.\r\nReflashing the firmware, however, is a task most users are unfamiliar with. It is a manual operation that typically involves downloading the latest firmware version from the motherboard manufacturer, saving it on an external storage device, booting into the UEFI menu and installing it.\r\nAn alternative is to replace the motherboard with a newer generation, since LoJax affects older chipsets. This requires some technical knowledge to ensure hardware compatibility, and most users find it easier to replace the entire workstation.\r\nLoJax is a rare threat, designed for high-value targets. ESET presented their discovery today at the Microsoft BlueHat security conference. A detailed analysis of the LoJax UEFI rootkit is available here.\r\nSource: https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
	],
	"report_names": [
		"apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df19aef07e6147e1244bee150caa4f8b90c8fd20.pdf",
		"text": "https://archive.orkl.eu/df19aef07e6147e1244bee150caa4f8b90c8fd20.txt",
		"img": "https://archive.orkl.eu/df19aef07e6147e1244bee150caa4f8b90c8fd20.jpg"
	}
}