惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News | PayPal Newsroom
H
Hackread – Cybersecurity News, Data Breaches, AI and More
雷峰网
雷峰网
NISL@THU
NISL@THU
V
Vulnerabilities – Threatpost
P
Privacy International News Feed
博客园_首页
P
Privacy & Cybersecurity Law Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The Cloudflare Blog
Know Your Adversary
Know Your Adversary
小众软件
小众软件
人人都是产品经理
人人都是产品经理
WordPress大学
WordPress大学
博客园 - 聂微东
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tor Project blog
C
Cybersecurity and Infrastructure Security Agency CISA
V
V2EX
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
J
Java Code Geeks
M
MIT News - Artificial intelligence
PCI Perspectives
PCI Perspectives
T
The Blog of Author Tim Ferriss
美团技术团队
Jina AI
Jina AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
L
LINUX DO - 最新话题
Cloudbric
Cloudbric
Webroot Blog
Webroot Blog
V2EX - 技术
V2EX - 技术
爱范儿
爱范儿
S
Securelist
MyScale Blog
MyScale Blog
B
Blog
AI
AI
L
LINUX DO - 热门话题
Security Archives - TechRepublic
Security Archives - TechRepublic
The Register - Security
The Register - Security
I
Intezer
有赞技术团队
有赞技术团队
Google Online Security Blog
Google Online Security Blog
云风的 BLOG
云风的 BLOG
H
Help Net Security
D
DataBreaches.Net
K
Kaspersky official blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
The Last Watchdog
The Last Watchdog
Attack and Defense Labs
Attack and Defense Labs
酷 壳 – CoolShell
酷 壳 – CoolShell

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack
HybridPetya ransomware dodges UEFI Secure Boot
Jessica Lyons · 2025-09-13 · via The Register - Security: Research

REG AD

Research

HybridPetya: More proof that Secure Boot bypasses are not just an urban legend

Although it hasn't been seen in the wild yet

A new ransomware strain dubbed HybridPetya was able to exploit a patched vulnerability to bypass Unified Extensible Firmware Interface (UEFI) Secure Boot on unrevoked Windows systems, making it the fourth publicly known bootkit capable of punching through the feature and hijacking a PC before the operating system loads.

ESET researchers discovered the ransomware-bootkit combo after samples were uploaded to VirusTotal in February, and named it HybridPetya because of its similarities to the infamous Petya and NotPetya malware strains.

The silver lining: the code seems to be just a proof-of-concept (PoC) at this point, and the threat hunters say they've seen no indications of its use in the wild. Also, it doesn't show the same aggressive network propagation as NotPetya.

REG AD

Still, HybridPetya provides yet another example that Secure Boot bypasses, which were still considered an infosec urban legend until a few years ago, do exist. And both ethical hackers and attackers alike are eager to develop new variants.

REG AD

As Reg readers no doubt remember: back in 2017, malware dubbed NotPetya (because the data-wiping malware masqueraded as 2016's Petya ransomware) exploded across the world, ultimately costing more than $10 billion in damages. 

Both Petya and NotPetya also contained bootkits that overwrote the Master Boot Record (MBR) on infected computers, thus allowing the malware to lock up victims' entire hard drive and prevent the OS from booting.

The new HybridPetya shares its disk-locking behavior with its predecessors and abuses UEFI vulnerability CVE‑2024‑7344, which ESET discovered and disclosed earlier this year and which Microsoft has since revoked in dbx on updated machines.

"HybridPetya is also capable of compromising modern UEFI-based systems by installing a malicious EFI application to the EFI System Partition," ESET malware researcher Martin Smolár wrote in a Friday report. "The deployed UEFI application is then responsible for encryption of the NTFS-related Master File Table (MFT) file – an important metadata file containing information about all the files on the NTFS-formatted partition."

HybridPetya, unlike the data-destroying NotPetya, also functions as ransomware. The algorithm used to generate the victim's personal installation key allows the malware operator to reconstruct the decryption key from the personal installation key – and thus unlock the files – as opposed to just wiping them clean.

How the bootkit works

Similar to the two original Petya/NotPetya variants, upon execution, the UEFI bootkit loads its configuration from the \EFI\Microsoft\Boot\config file, and checks the current encryption status. This status can have one of three values:

  • 0 - ready for encryption
  • 1 - already encrypted, or
  • 2 - ransom paid, disk decrypted

REG AD

If the value is 0, the bootkit rewrites the configuration file with the flag now set to 1 and encrypts the \EFI\Microsoft\Boot\verify file with the Salsa20 encryption algorithm, using the key and 8-byte-long nonce specified in the configuration data.

It also creates the file \EFI\Microsoft\Boot\counter on the EFI System Partition – this file is used to keep track of the already encrypted disk clusters – and begins the disk encryption process, starting with the identification of all NTFS-formatted partitions.

The malware also displays a fake Windows "CHKDSK" message on the victim's screen to indicate the disk is being checked for errors – not being encrypted. This message is identical to those displayed in both NotPetya and Petya.

Meanwhile, if the disk is already encrypted (so the encryption flag value is set to 1), the bootkit proceeds with a ransom note that, like the original NotPetya, begins: "Ooops, your important files are encrypted."

It then instructs the victim to send $1,000 in Bitcoin to a now-empty wallet (34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2) to purchase the decryptor. Once the victim enters the correct key, verified by the bootkit, it then proceeds to decrypt the disk and record the legitimate bootloaders from a backup file created during the installation process. After that's completed, the bootkit prompts the victim to reboot the device, and assuming everything worked, the OS should start up again.

"Although HybridPetya is not actively spreading, its technical capabilities – especially MFT encryption, UEFI system compatibility, and Secure Boot bypass – make it noteworthy for future threat monitoring," Smolár wrote.

The discovery of HybridPetya follows three other real or PoC Secure Boot bypasses. Smolár wrote about the first, BlackLotus, back in 2023 after Kaspersky's lead security researcher Sergey Lozhkin first saw it being sold on cybercrime marketplaces a year earlier.

Last November, ESET also spotted a bootkit targeting Linux systems dubbed Bootkitty after it was uploaded to VirusTotal.

REG AD

ESET also counts the Hyper-V Backdoor PoC, which exploited CVE‑2020‑26200, among the four documented bootkits. ®