{"id":247,"date":"2026-03-20T03:38:01","date_gmt":"2026-03-20T03:38:01","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/20\/petya-notpetya-copycat-with-uefi-secure-boot-bypass\/"},"modified":"2026-03-20T03:38:01","modified_gmt":"2026-03-20T03:38:01","slug":"petya-notpetya-copycat-with-uefi-secure-boot-bypass","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/20\/petya-notpetya-copycat-with-uefi-secure-boot-bypass\/","title":{"rendered":"Petya\/NotPetya copycat with UEFI Secure Boot bypass"},"content":{"rendered":"<div>\n<p>ESET Research has discovered HybridPetya, on the VirusTotal sample sharing platform. It is a copycat of the infamous Petya\/NotPetya malware, adding the capability of compromising UEFI-based systems and weaponizing <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-7344\" target=\"_blank\" rel=\"noopener\">CVE\u20112024\u20117344<\/a> to bypass UEFI Secure Boot on outdated systems.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>New ransomware samples, which we named HybridPetya, resembling the infamous Petya\/NotPetya malware, were uploaded to VirusTotal in February 2025.<\/li>\n<li>HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions.<\/li>\n<li>Unlike the original Petya\/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.<\/li>\n<li>One of the analyzed HybridPetya variants exploits CVE\u20112024\u20117344 to bypass UEFI Secure Boot on outdated systems, leveraging a specially crafted <span style=\"font-family: courier new, courier, monospace;\">cloak.dat<\/span> file.<\/li>\n<li>ESET telemetry shows no signs of HybridPetya being used in the wild yet; this malware does not exhibit the aggressive network propagation seen in the original 
NotPetya.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Overview<\/h2>\n<p>Late in July 2025, we encountered suspicious ransomware samples, uploaded to VirusTotal from Poland, under various filenames, including <span style=\"font-family: courier new, courier, monospace;\">notpetyanew.exe<\/span> and other similar ones, suggesting a connection with the infamously destructive malware that struck Ukraine and many other countries back in 2017. The NotPetya attack is believed to be the most destructive cyberattack in history, <a href=\"https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\/\" target=\"_blank\" rel=\"noopener\">with more than $10 billion in total damages<\/a>. Despite NotPetya\u2019s similarity to the Petya ransomware, first <a href=\"https:\/\/www.gdatasoftware.com\/blog\/2016\/03\/28226-ransomware-petya-a-technical-review\" target=\"_blank\" rel=\"noopener\">discovered in March 2016<\/a>, NotPetya\u2019s purpose was pure destruction, as encryption key recovery from the victim\u2019s personal installation key was not possible. Because of the shared characteristics of the currently discovered samples with both Petya and NotPetya, we named the new discovery HybridPetya.<\/p>\n<p>While ESET telemetry shows no active use of HybridPetya in the wild, one important detail in these samples still caught our attention \u2013 unlike the original NotPetya (and Petya ransomware as well), HybridPetya is also capable of compromising modern UEFI-based systems by installing a malicious EFI application to the EFI System Partition. 
The deployed UEFI application is then responsible for encryption of the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/storage\/file-server\/ntfs-overview\" target=\"_blank\" rel=\"noopener\">NTFS<\/a>-related <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/fileio\/master-file-table\" target=\"_blank\" rel=\"noopener\">Master File Table<\/a> (MFT) file \u2013 an important metadata file containing information about all the files on the NTFS-formatted partition.<\/p>\n<p>After a bit more digging, we discovered something even more interesting on VirusTotal: <a href=\"https:\/\/www.virustotal.com\/gui\/file\/796b0ef499e99cef5a5e9df60a4b7aef42f83cfccfa6df14f946121c2ba7283c\/details\" target=\"_blank\" rel=\"noopener\">an archive<\/a> containing the whole EFI System Partition contents, including a very similar HybridPetya UEFI application, but this time bundled in a specially formatted <span style=\"font-family: courier new, courier, monospace;\">cloak.dat<\/span> file, vulnerable to CVE\u20112024\u20117344 \u2013 the UEFI Secure Boot bypass vulnerability \u2013 that our team disclosed in early 2025.<\/p>\n<p>Interestingly, despite the filenames on VirusTotal and the format of the ransom note in the current samples suggesting that they might be related to NotPetya, the algorithm used for the generation of the victim\u2019s personal installation key, unlike in the original NotPetya, allows the malware operator to reconstruct the decryption key from the victim\u2019s personal installation keys. 
Thus, HybridPetya can serve as regular ransomware (more like Petya), rather than being solely destructive like NotPetya.<\/p>\n<p>Interestingly, on September 9<sup>th<\/sup>, 2025, <a href=\"https:\/\/x.com\/hasherezade\" target=\"_blank\" rel=\"noopener\">@hasherezade<\/a> published a <a href=\"https:\/\/x.com\/hasherezade\/status\/1965389009175412769\" target=\"_blank\" rel=\"noopener\">post<\/a> about the existence of a UEFI Petya PoC, with a video demonstrating execution of the malware with UEFI Secure Boot enabled. Even though the sample from the video is obviously different from the one presented in this blogpost (showing the typical Petya ASCII art skull, which is not present in the samples we discovered), we suspect that there might be some relationship between the two cases, and that HybridPetya might also be just a proof of concept developed by a security researcher or an unknown threat actor.<\/p>\n<p>In this blogpost, we focus on the technical analysis of HybridPetya.<\/p>\n<h2>HybridPetya technical analysis<\/h2>\n<p>In this section, we provide a technical analysis of HybridPetya\u2019s components: the bootkit and its installer. We also separately dissect a version of HybridPetya that is capable of bypassing UEFI Secure Boot by exploiting CVE-2024-7344. Note that HybridPetya supports both legacy and UEFI based systems \u2013 in this blogpost, we\u2019ll focus on the UEFI part.<\/p>\n<p>Interestingly, the code responsible for generating the victims\u2019 personal installation keys seems to be inspired by the <a href=\"https:\/\/github.com\/FirstBlood12\/RedPetyaOpenSSL\" target=\"_blank\" rel=\"noopener\">RedPetyaOpenSSL<\/a> PoC. 
We are aware of at least one other UEFI-compatible PoC rewrite of NotPetya, dubbed <a href=\"https:\/\/github.com\/rdp-studio\/NotPetyaAgain\" target=\"_blank\" rel=\"noopener\">NotPetyaAgain<\/a>, which is written in <a href=\"https:\/\/www.rust-lang.org\/\" target=\"_blank\" rel=\"noopener\">Rust<\/a>; however, that code is unrelated to HybridPetya.<\/p>\n<h3>UEFI bootkit<a id=\"UEFI bootkit\"\/><\/h3>\n<p>We obtained two distinct versions of the UEFI bootkit component, both very similar but with certain differences. When executed, the bootkit first loads its configuration from the <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\config<\/span> file, and checks the encryption flag indicating the current encryption status \u2013 same as the original Petya\/NotPetya samples, the encryption flag can have one of the following values:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">0 &#8211; <\/span>ready for encryption,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">1 &#8211; <\/span>already encrypted, or<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">2 &#8211; <\/span>ransom paid, disk decrypted.<\/li>\n<\/ul>\n<p>It continues with execution based on the encryption status flag, as shown in Figure 1.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Overview of HybridPetya\u2019s execution logic\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-1-1.png\" alt=\"Figure 1. Overview HybridPetya execution logic\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. 
Overview of HybridPetya\u2019s execution logic<\/em><\/figcaption><\/figure>\n<h4>Disk encryption<a id=\"Disk encryption\"\/><\/h4>\n<p>If the value of the encryption flag is <span style=\"font-family: courier new, courier, monospace;\">0<\/span>, the bootkit extracts the 32-byte-long <a href=\"https:\/\/en.wikipedia.org\/wiki\/Salsa20\">Salsa20<\/a> encryption key and 8-byte-long nonce from the configuration data, and subsequently rewrites the configuration file, now with the encryption key zeroed and the encryption flag set to <span style=\"font-family: courier new, courier, monospace;\">1<\/span>. It continues with encryption of the <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\verify<\/span> file with the Salsa20 encryption algorithm using the key and nonce from the configuration. Then, before proceeding to its main functionality \u2013 disk encryption \u2013 it creates the file <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\counter<\/span> on the EFI System Partition; the purpose of this file is explained later.<\/p>\n<p>The disk encryption process starts with identification of all NTFS-formatted partitions. As shown in Figure 2, the sample does so by getting the list of handles for connected storage devices, identifying the individual partitions by checking that <span style=\"font-family: courier new, courier, monospace;\">EFI_BLOCK_IO_MEDIA-&gt;LogicalPartition<\/span> is <span style=\"font-family: courier new, courier, monospace;\">TRUE<\/span>, and finally verifying whether the partition is NTFS formatted by comparing the first four bytes of the data present in the first partition\u2019s sector with the NTFS signature <span style=\"font-family: courier new, courier, monospace;\">NTFS<\/span>.<\/p>\n<figure><img decoding=\"async\" title=\"Figure 2. 
Hex-Rays decompiled code for NTFS partition identification\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-2.png\" alt=\"Figure 2. Hex-Rays decompiled code for NTFS partitions identification\" height=\"\"\/><figcaption><em>Figure 2. Hex-Rays decompiled code for NTFS partition identification<\/em><\/figcaption><\/figure>\n<p>Once the NTFS partitions have been identified, the bootkit continues with encryption of the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/fileio\/master-file-table\">Master File Table<\/a> (MFT) file, the essential metadata file containing information about other files and the location of their data on the NTFS-formatted partition. As shown in Figure 3, during the encryption, the bootkit rewrites the contents of the <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\counter<\/span> file with the number of already encrypted disk clusters, and updates the fake CHKDSK message displayed on the victim\u2019s screen (shown in Figure 4), with the information about the current encryption status (though, based on the message, the victim may believe that the disk is being checked for errors, not being encrypted).<\/p>\n<figure><img decoding=\"async\" title=\"Figure 3. Hex-Rays decompiled code: MFT encryption\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-3.png\" alt=\"Figure 3. Hex-Rays decompiled code\" height=\"\"\/><figcaption><em>Figure 3. Hex-Rays decompiled code: MFT encryption<\/em><\/figcaption><\/figure>\n<figure><img decoding=\"async\" title=\"Figure 4. Fake CHKDSK message shown by HybridPetya during disk encryption (identical with NotPetya and Petya)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-4.png\" alt=\"Figure 4. Fake CHKDSK message shown by HybridPetya\" height=\"\"\/><figcaption><em>Figure 4. 
Fake CHKDSK message shown by HybridPetya during disk encryption (identical with NotPetya and Petya)<\/em><\/figcaption><\/figure>\n<p>When done with the encryption, the bootkit reboots the machine.<\/p>\n<h4>Disk decryption<a id=\"Disk decryption\"\/><\/h4>\n<p>If the bootkit detects that the disk is already encrypted, meaning that the value of the encryption flag from the configuration file is <span style=\"font-family: courier new, courier, monospace;\">1<\/span>, it displays the ransom note shown in Figure 5 or Figure 6 (depending on the bootkit version), and asks the victim to enter the decryption key. Note that while the HybridPetya ransom note has the same format as that of the original NotPetya (shown in Figure 7), the ransom amount, bitcoin address, and the operator\u2019s email address are different. Also, the version deployed with the UEFI Secure Boot bypass uses a different contact email address (<span style=\"font-family: courier new, courier, monospace;\">wowsmith999999@proton[.]me<\/span>) than the version deployed by the obtained installers (<span style=\"font-family: courier new, courier, monospace;\">wowsmith1234567@proton[.]me<\/span>). It\u2019s worth mentioning that the bitcoin address is the same in both versions.<\/p>\n<figure><img decoding=\"async\" title=\"Figure 5. Ransom note from the bootkit installed by the installers without the UEFI Secure Boot bypass\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-5.png\" alt=\"Figure 5. Ransom note from the bootkit\" height=\"\"\/><figcaption><em>Figure 5. Ransom note from the bootkit installed by the installers without the UEFI Secure Boot bypass<\/em><\/figcaption><\/figure>\n<figure><img decoding=\"async\" title=\"Figure 6. Ransom note displayed by the bootkit version deployed by exploiting CVE-2024-7344\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-6.png\" alt=\"Figure 6. Ransom note\" height=\"\"\/><figcaption><em>Figure 6. 
Ransom note displayed by the bootkit version deployed by exploiting CVE-2024-7344<\/em><\/figcaption><\/figure>\n<figure><img decoding=\"async\" title=\"Figure 7. Original NotPetya ransom note\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-7.png\" alt=\"Figure 7. Original NotPetya ransom note.\" height=\"\"\/><figcaption><em>Figure 7. Original NotPetya ransom note<\/em><\/figcaption><\/figure>\n<p>When a key with the correct length \u2013 32 characters \u2013 is entered and confirmed by the victim pressing Enter, the bootkit proceeds to verification of the key. As depicted in Figure 8, key validity is established by attempting to decrypt the aforementioned <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\verify<\/span> file with the supplied key, and checking whether the plaintext contains only bytes with value <span style=\"font-family: courier new, courier, monospace;\">0x07<\/span>. Note that the bootkit variant deployed via the UEFI Secure Boot bypass hashes the supplied key with an algorithm probably based on <a href=\"https:\/\/eprint.iacr.org\/2011\/697.pdf\">SPONGENT-256\/256\/16<\/a>, using that hash value as the decryption key, while the bootkit deployed by the obtained installers takes the user\u2019s input as is.<\/p>\n<figure><img decoding=\"async\" title=\"Figure 8. Hex-Rays decompiled code: disk-decryption key validity verification\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-8.png\" alt=\"Figure 8. Hex-Rays decompiled code disk-decryption key validity verification\" height=\"\"\/><figcaption><em>Figure 8. Hex-Rays decompiled code: disk-decryption key validity verification<\/em><\/figcaption><\/figure>\n<p>If the correct key is entered, the bootkit updates the configuration file with the encryption flag value set to 2 and also fills in the decryption key. 
Then it reads the contents of the <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\counter<\/span> file (containing the number of disk clusters previously encrypted) and proceeds with disk decryption. For the decryption, the bootkit proceeds with a very similar process to that of NTFS partition discovery and MFT decryption (the Salsa20 encryption and decryption process is the same) as described in the <em><a href=\"#Disk encryption\">Disk encryption<\/a><\/em> section. The decryption stops when the number of decrypted clusters is equal to the value from the <span style=\"font-family: courier new, courier, monospace;\">counter<\/span> file. During the process of MFT decryption, the bootkit shows the current decryption process status, depicted in Figure 9, on the victim\u2019s screen.<\/p>\n<figure><img decoding=\"async\" title=\"Figure 9. Decryption status shown to a victim after entering a valid key\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-9.png\" alt=\"Figure 9. Decryption status shown to a victim after entering a valid key\" height=\"\"\/><figcaption><em>Figure 9. Decryption status shown to a victim after entering a valid key<\/em><\/figcaption><\/figure>\n<p>Next, the bootkit proceeds with recovering the legitimate bootloaders <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\bootmgfw.efi<\/span> and <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Boot\\bootx64.efi<\/span> from the backup file previously created during the installation process: <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\bootmgfw.efi.old<\/span>.<\/p>\n<p>Finally, after the decryption process is finished and the legitimate bootloaders recovered, the bootkit prompts the victim to reboot the device (Figure 10). 
If everything went well, the device should start the operating system successfully after the reboot.<\/p>\n<figure><img decoding=\"async\" title=\"Figure 10. Prompt to reboot victim device after successful disk decryption\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-10.png\" alt=\"Figure 10. Prompt to reboot victim device after successful disk decryption\" height=\"\"\/><figcaption><em>Figure 10. Prompt to reboot victim device after successful disk decryption<\/em><\/figcaption><\/figure>\n<h3>Deploying the UEFI bootkit component<\/h3>\n<p>In this section, we focus on the bootkit-installation functionality of the discovered HybridPetya installers. Note that the installers we were able to obtain do not take UEFI Secure Boot into account. However, as explained in the <em><a href=\"#CVE-2024-7344 exploitation\">CVE-2024-7344 exploitation<\/a><\/em> section, there is likely a variant with such an improvement.<\/p>\n<p>To decide whether the system is UEFI based, the installer retrieves the disk information (<span style=\"font-family: courier new, courier, monospace;\">IOCTL_DISK_GET_DRIVE_LAYOUT_EX<\/span>), checks whether the GPT partitioning scheme is used (<span style=\"font-family: courier new, courier, monospace;\">PARTITION_STYLE_GPT<\/span>), and walks through the partitions until it discovers the one with <span style=\"font-family: courier new, courier, monospace;\">PARTITION_INFORMATION_GPT.PartitionType<\/span> set to <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winioctl\/ns-winioctl-partition_information_gpt\" target=\"_blank\" rel=\"noopener\">PARTITION_SYSTEM_GUID<\/a>, which is the identifier of the EFI System Partition. 
After discovering the EFI System Partition, it continues:<\/p>\n<ul>\n<li>Removing the fallback UEFI bootloader, stored in <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Boot\\Bootx64.efi<\/span>.<\/li>\n<li>Dropping a disk-encryption-related configuration along with the encryption flag, to the <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\config<\/span> file on the EFI System Partition; the encryption configuration contains the Salsa20 encryption key, 8-byte nonce, and victim\u2019s personal installation key (<a href=\"https:\/\/learnmeabitcoin.com\/technical\/keys\/base58\/\" target=\"_blank\" rel=\"noopener\">base58-encoded<\/a> data).<\/li>\n<li>Dropping an encryption-verification array consisting of <span style=\"font-family: courier new, courier, monospace;\">0x200<\/span> bytes with value <span style=\"font-family: courier new, courier, monospace;\">0x07<\/span> to the <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\verify<\/span> file on the EFI System Partition; this array is later encrypted by the bootkit component using the same Salsa20 key as used for disk encryption. 
The purpose of this array is to verify whether the victim entered a valid decryption key (by decrypting the array with the entered key, and verifying that the plaintext contains an array of bytes with value <span style=\"font-family: courier new, courier, monospace;\">0x07<\/span>).<\/li>\n<li>Creating a backup of <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\bootmgfw.efi<\/span>, the default bootloader for Windows-based systems, by copying it into <span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\bootmgfw.efi.old<\/span>.<\/li>\n<\/ul>\n<p>When done, it triggers a system crash (Blue Screen Of Death, BSOD) by using the same method that Petya did \u2013 invoking the <span style=\"font-family: courier new, courier, monospace;\">NtRaiseHardError<\/span> API with the <span style=\"font-family: courier new, courier, monospace;\">ErrorStatus<\/span> parameter set to <span style=\"font-family: courier new, courier, monospace;\">0xC0000350<\/span> (<span style=\"font-family: courier new, courier, monospace;\">STATUS_HOST_DOWN<\/span>) and the <span style=\"font-family: courier new, courier, monospace;\">ResponseOption<\/span> set to value <span style=\"font-family: courier new, courier, monospace;\">6<\/span> (<span style=\"font-family: courier new, courier, monospace;\">OptionShutdownSystem<\/span>), resulting in a system shutdown.<\/p>\n<p>The abovementioned changes ensure that on systems with Windows set as the primary OS, the bootkit binary will be executed once the device is powered on again.<\/p>\n<h3>CVE-2024-7344 exploitation<a id=\"CVE-2024-7344 exploitation\"\/><\/h3>\n<p>In this section, we examine <a href=\"https:\/\/www.virustotal.com\/gui\/file\/796b0ef499e99cef5a5e9df60a4b7aef42f83cfccfa6df14f946121c2ba7283c\/details\" target=\"_blank\" rel=\"noopener\">an archive<\/a> that we discovered on VirusTotal that contains a variant of the UEFI bootkit described in the <em><a href=\"#UEFI 
bootkit\" target=\"_self\" rel=\"noopener\">UEFI bootkit<\/a><\/em> section, but this time bundled in a specially formatted <span style=\"font-family: courier new, courier, monospace;\">cloak.dat<\/span> file related to CVE-2024-7344 \u2013 the UEFI Secure Boot bypass vulnerability that our team publicly disclosed in early 2025.<\/p>\n<p>A list of the files present in the archive along with their contents suggests that this EFI System Partition was copied from a system already encrypted by this Petya\/NotPetya copycat variant. Note that we haven\u2019t obtained the installer responsible for deploying this version with the UEFI Secure Boot bypass, but based on the archive\u2019s contents, which are shown in Figure 11, it would be pretty similar to the process described in the previous section. Specifically, the archive contains:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\counter<\/span>, a file already containing a non-zero value representing the number of disk clusters previously encrypted by the bootkit,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\config<\/span>, a file with the encryption flag value set to <span style=\"font-family: courier new, courier, monospace;\">1<\/span>, meaning that the disk should be already encrypted and the bootkit should proceed with displaying the ransom note,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\bootmgfw.efi.old<\/span>, a file with the first <span style=\"font-family: courier new, courier, monospace;\">0x400<\/span> bytes XORed with the value <span style=\"font-family: courier new, courier, monospace;\">0x07<\/span>,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\bootmgfw.efi<\/span>, a legitimate, but vulnerable (CVE\u20112024\u20117344) UEFI application signed by Microsoft (revoked in Microsoft\u2019s dbx <a 
href=\"https:\/\/github.com\/microsoft\/secureboot_objects\/blob\/main\/Archived\/dbx_info_msft_1_14_25.json\" target=\"_blank\" rel=\"noopener\">since January 2025<\/a>); in this section we\u2019ll refer to this file with its original name <span style=\"font-family: courier new, courier, monospace;\">reloader.efi<\/span>, and<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\EFI\\Microsoft\\Boot\\cloak.dat<\/span>, a specially crafted file loadable through <span style=\"font-family: courier new, courier, monospace;\">reloader.efi<\/span> and containing the XORed bootkit binary.<\/li>\n<\/ul>\n<figure><img decoding=\"async\" title=\"Figure 11. Archive containing the CVE-2024-7344-exploiting version of the bootkit\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/hybridpetya\/figure-11.png\" alt=\"Figure 11. Archive containing the CVE-2024-7344-exploiting version of the bootkit\" height=\"\"\/><figcaption><em>Figure 11. Archive containing the CVE-2024-7344-exploiting version of the bootkit<\/em><\/figcaption><\/figure>\n<p>As described in our report from January 2025, the exploit mechanism is quite simple. The <span style=\"font-family: courier new, courier, monospace;\">cloak.dat<\/span> file contains specially formatted data that contains a UEFI application. 
When the <span style=\"font-family: courier new, courier, monospace;\">reloader.efi<\/span> binary (deployed as <span style=\"font-family: courier new, courier, monospace;\">bootmgfw.efi<\/span>) is executed during boot, it searches for the presence of the <span style=\"font-family: courier new, courier, monospace;\">cloak.dat<\/span> file on the EFI System Partition, and loads the embedded UEFI application from the file in a very unsafe way, completely ignoring any integrity checks, thus bypassing UEFI Secure Boot.<\/p>\n<p style=\"tab-stops: 98.5pt;\">Note that our blogpost from January 2025 didn\u2019t explain the exploitation in fine detail; thus, the malware author probably reconstructed the correct <span style=\"font-family: courier new, courier, monospace;\">cloak.dat<\/span> file format based on reverse engineering the vulnerable application on their own.<\/p>\n<p style=\"tab-stops: 98.5pt;\">The vulnerability cannot be exploited on systems with Microsoft\u2019s <a href=\"https:\/\/github.com\/microsoft\/secureboot_objects\/blob\/main\/Archived\/dbx_info_msft_1_14_25.json\" target=\"_blank\" rel=\"noopener\">January 2025<\/a> dbx update applied. 
For guidance on how to protect and verify whether your system is exposed to this vulnerability, check the <em>Protection and Detection<\/em> section of our January 2025 blogpost.<\/p>\n<h2>Conclusion<\/h2>\n<p>HybridPetya is now at least the fourth publicly known example of a real or proof-of-concept UEFI bootkit with UEFI Secure Boot bypass functionality, joining BlackLotus (exploiting CVE\u20112022\u201121894), <a href=\"https:\/\/www.binarly.io\/blog\/logofail-exploited-to-deploy-bootkitty-the-first-uefi-bootkit-for-linux\" target=\"_blank\" rel=\"noopener\">BootKitty<\/a> (exploiting <a href=\"https:\/\/www.binarly.io\/blog\/the-far-reaching-consequences-of-logofail\">LogoFail<\/a>), and the <a href=\"https:\/\/github.com\/Cr4sh\/s6_pcie_microblaze\/tree\/eef8da94e2eec6d6894370e2216e718931842be4\/python\/payloads\/DmaBackdoorHv#deploying-the-backdoor-using-signed-kaspersky-bootloader\" target=\"_blank\" rel=\"noopener\">Hyper-V Backdoor PoC<\/a> (exploiting <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-26200\" target=\"_blank\" rel=\"noopener\">CVE\u20112020\u201126200<\/a>). This shows that Secure Boot bypasses are not just possible \u2013 they\u2019re becoming more common and attractive to both researchers and attackers.<\/p>\n<p>Although HybridPetya is not actively spreading, its technical capabilities \u2013 especially MFT encryption, UEFI system compatibility, and Secure Boot bypass \u2013 make it noteworthy for future threat monitoring.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/hybridpetya\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"142\"><strong>Filename<\/strong><\/td>\n<td width=\"132\"><strong>Detection<\/strong><\/td>\n<td width=\"189\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">BD35908D5A5E9F7E41A6<wbr\/>1B7AB598AB9A88DB723D<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">bootmgfw.efi<\/span><\/td>\n<td width=\"132\">EFI\/Diskcoder.A<\/td>\n<td width=\"189\">HybridPetya &#8211; UEFI bootkit component.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">9DF922D00171AA3C31B7<wbr\/>5446D700EE567F8D787B<\/span><\/td>\n<td width=\"142\">N\/A<\/td>\n<td width=\"132\">EFI\/Diskcoder.A<\/td>\n<td width=\"189\">HybridPetya &#8211; UEFI bootkit component, extracted from <span style=\"font-family: courier new, courier, monospace;\">cloak.dat<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">9B0EE05FFFDA0B16CF9D<wbr\/>AAC587CB92BB06D3981B<\/span><\/td>\n<td width=\"142\">N\/A<\/td>\n<td 
width=\"132\">Win32\/Injector.AJBK<\/td>\n<td width=\"189\">HybridPetya installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">CDC8CB3D211589202B49<wbr\/>A48618B0D90C4D8F86FD<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">core.dll<\/span><\/td>\n<td width=\"132\">Win32\/Filecoder.OSK<\/td>\n<td width=\"189\">HybridPetya installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">D31F86BA572904192D74<wbr\/>76CA376686E76E103D28<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">f20000.mbam<wbr\/>_update.exe<\/span><\/td>\n<td width=\"132\">Win32\/Filecoder.OSK<\/td>\n<td width=\"189\">HybridPetya installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">A6EBFA062270A3212414<wbr\/>39E8DF72664CD54EA1BC<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">improved_not<wbr\/>petyanew.exe<\/span><\/td>\n<td width=\"132\">Win32\/Kryptik.BFRR<\/td>\n<td width=\"189\">HybridPetya installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">C8E3F1BF0B67C83D2A6D<wbr\/>9E594DE8067F0378E6C5<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">notpetya<wbr\/>_new.exe<\/span><\/td>\n<td width=\"132\">Win32\/Kryptik.BFRR<\/td>\n<td width=\"189\">HybridPetya installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">C7C270F9D3AE80EC5E89<wbr\/>26A3CD1FB5C9D208F1DC<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">notpetyanew.exe<\/span><\/td>\n<td width=\"132\">Win32\/Kryptik.BFRR<\/td>\n<td width=\"189\">HybridPetya installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, 
courier, monospace;\">3393A8C258239D680255<wbr\/>3FD1CCE397E18FA285A1<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">notpetyanew_imp<wbr\/>roved_final.exe<\/span><\/td>\n<td width=\"132\">Win32\/Kryptik.BFRR<\/td>\n<td width=\"189\">HybridPetya installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">98C3E659A903E74D2EE3<wbr\/>98464D3A5109E92BD9A9<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">bootmgfw.efi<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"189\">UEFI application vulnerable to CVE-2024-7433.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">D0BD283133A80B471375<wbr\/>62F2AAAB740FA15E6441<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">cloak.dat<\/span><\/td>\n<td width=\"132\">EFI\/Diskcoder.A<\/td>\n<td width=\"189\">Specially formatted <span style=\"font-family: courier new, courier, monospace;\">cloak.dat<\/span> related to CVE-2024-7433, contains XORed HybridPetya UEFI bootkit component.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\" target=\"_blank\" rel=\"noopener\">version 17<\/a> of the MITRE ATT&amp;CK framework<strong>.<\/strong><\/p>\n<table style=\"height: 1136px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 50px;\">\n<td style=\"height: 50px;\" width=\"113\"><strong>Tactic<\/strong><\/td>\n<td style=\"height: 50px;\" width=\"113\"><strong>ID<\/strong><\/td>\n<td style=\"height: 50px;\" width=\"151\"><strong>Name<\/strong><\/td>\n<td style=\"height: 50px;\" width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 104px;\">\n<td style=\"height: 190px;\" rowspan=\"2\" 
width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td style=\"height: 104px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1587\/001\">T1587.001<\/a><\/td>\n<td style=\"height: 104px;\" width=\"151\">Develop Capabilities: Malware<\/td>\n<td style=\"height: 104px;\" width=\"265\">HybridPetya is new ransomware with UEFI compatibility and a UEFI bootkit component developed by unknown authors.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1587\/004\">T1587.004<\/a><\/td>\n<td style=\"height: 86px;\" width=\"151\">Develop Capabilities: Exploits<\/td>\n<td style=\"height: 86px;\" width=\"265\">HybridPetya\u2019s authors developed an exploit for the CVE\u20112024\u20117344 UEFI Secure Boot bypass vulnerability.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 208px;\" rowspan=\"2\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td style=\"height: 104px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1203\">T1203<\/a><\/td>\n<td style=\"height: 104px;\" width=\"151\">Exploitation for Client Execution<\/td>\n<td style=\"height: 104px;\" width=\"265\">HybridPetya exploits CVE\u20112024\u20117344 to execute an unsigned UEFI bootkit on outdated systems with UEFI Secure Boot enabled.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1106\">T1106<\/a><\/td>\n<td style=\"height: 104px;\" width=\"151\">Native API<\/td>\n<td style=\"height: 104px;\" width=\"265\">HybridPetya installers use undocumented native API <span style=\"font-family: courier new, courier, monospace;\">NtRaiseHardError<\/span> to cause a system crash after the bootkit\u2019s installation.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 190px;\" rowspan=\"2\" 
width=\"113\"><strong>Persistence<\/strong><\/td>\n<td style=\"height: 86px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1542\/003\">T1542.003<\/a><\/td>\n<td style=\"height: 86px;\" width=\"151\">Pre-OS Boot: Bootkit<\/td>\n<td style=\"height: 86px;\" width=\"265\">HybridPetya persists using the bootkit component. It supports both legacy and UEFI systems.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1574\">T1574<\/a><\/td>\n<td style=\"height: 104px;\" width=\"151\">Hijack Execution Flow<\/td>\n<td style=\"height: 104px;\" width=\"265\">HybridPetya installers hijack the regular system boot process by replacing the legitimate Windows bootloader with a malicious one.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px;\" width=\"113\"><strong>Privilege Escalation<\/strong><\/td>\n<td style=\"height: 104px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1068\">T1068<\/a><\/td>\n<td style=\"height: 104px;\" width=\"151\">Exploitation for Privilege Escalation<\/td>\n<td style=\"height: 104px;\" width=\"265\">HybridPetya exploits CVE\u20112024\u20117344 to bypass UEFI Secure Boot and execute the malicious UEFI bootkit with high privileges during bootup.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"height: 240px;\" rowspan=\"3\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td style=\"height: 68px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1211\">T1211<\/a><\/td>\n<td style=\"height: 68px;\" width=\"151\">Exploitation for Defense Evasion<\/td>\n<td style=\"height: 68px;\" width=\"265\">HybridPetya exploits CVE\u20112024\u20117344 to bypass UEFI Secure Boot.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px;\" width=\"113\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1620\">T1620<\/a><\/td>\n<td style=\"height: 68px;\" width=\"151\">Reflective Code Loading<\/td>\n<td style=\"height: 68px;\" width=\"265\">HybridPetya installers use the reflective DLL loading technique.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1036\">T1036<\/a><\/td>\n<td style=\"height: 104px;\" width=\"151\">Masquerading<\/td>\n<td style=\"height: 104px;\" width=\"265\">The HybridPetya bootkit displays fake CHKDSK messages on the screen during disk encryption to mask its malicious activity.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 154px;\" rowspan=\"2\" width=\"113\"><strong>Impact<\/strong><\/td>\n<td style=\"height: 86px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1486\">T1486<\/a><\/td>\n<td style=\"height: 86px;\" width=\"151\">Data Encrypted for Impact<\/td>\n<td style=\"height: 86px;\" width=\"265\">The HybridPetya installer encrypts files with specified extensions, and the bootkit component encrypts the MFT file on each NTFS-formatted partition.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1529\">T1529<\/a><\/td>\n<td style=\"height: 68px;\" width=\"151\">System Shutdown\/Reboot<\/td>\n<td style=\"height: 68px;\" width=\"265\">HybridPetya reboots the device after MFT encryption.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ESET Research has discovered HybridPetya, on the VirusTotal sample sharing platform. It is a copycat of the infamous<\/p>\n","protected":false},"author":1,"featured_media":248,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=247"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/247\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/248"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}