Great, BlackLotus Windows UEFI Source Code Revealed To All

Source: Bleeping Computer Great, BlackLotus Windows UEFI Source Code Revealed To All

Examining The Way BlackLotus Wreaks Havoc On Windows Secure Boot

While source code leaks are often a bad thing, in this case it can only be considered wonderful.  BlackLotus, which we have covered before, has been horrifying security professionals and IT workers since it was first revealed.  It is capable of avoiding Secure Boot and TPM features to infect your drive’s EFI System Partition irrevocably, thus enabling it to launch malware at boot which is completely invisible to your operating system and antivirus protection.   The only fix found so far is quite complex to install and needs to be done manually on every single machine you want to secure.  Even better, getting it even slightly wrong will brick not only your local drive but also ensure you can’t use any tools to recover the lost data.

The release of BlackLotus’ source code on GitHub, or at least most of it, will let bad actors design new flavours of bootloaders to invisibly infect machines without having to fork over the several thousand dollars the designers charged for access.   There isn’t really any good news to accompany this, as what was leaked had already been discovered by security researchers and doesn’t add to their knowledge.  What is does do is make it much easier to use this code in conjunction with other bootloader viruses to create new versions of BlackLotus type attacks, which we have no way to detect let alone provide protection against.

At least it’s the weekend soon?

The source code for the BlackLotus UEFI bootkit has leaked online, allowing greater insight into a malware that has caused great concern among the enterprise, governments, and the cybersecurity community.

Video News

About The Author

Jeremy Hellstrom

Call it,, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.


  1. Ray Mcsriff

    From what I understand (and from what the Bleeping Computer article says), BlackLotus infects the bootloader/Windows EFI partition (which is on the DRIVE). It doesn’t infect the UEFI firmware, meaning, it doesn’t infect the storage device (flash or whatever) where the UEFI firmware is. You state “motherboards EFI System Partition”, but that’s non-sensical. The EFI system partition is on the drive. The problem here is detection, since it bypasses secureboot/TPM, it is what they refer to as a “bootkit”. It’s going to be difficult to detect it if you’re booting from the drive, but not impossible. The article lists suggestions from the NSA and MS on how to detect it, and in most scenarios not involving critical data recovery, deleting all partitions and starting over is going to be the default response, just like any other infection.

    The truly terrifying scenarios would involve actually infecting the storage where the UEFI firmware is (which I think has been confirmed to have happened in the wild, and has been demonstrated by researchers). A less scary. but still worse scenario would be infecting the firmware of the drive (probably possible/has happened as well). I’m sure states and high level actors have been doing this more frequently than we know for a long time, but in the future, these types of techniques will filter down to the more common actors (either through leaks of proof-of-concepts, or just organically), then things will get very interesting (i.e. when you’re owned, your motherboard and drive will be bricks). The good news is, security is so bad that the common actors have little incentive to spend their precious criminal time on researching that, when there’s so much low hanging fruit ($) to be had.

    • Jeremy Hellstrom

      thanks for catching my brainfart, replaced motherboards with drive’s.


Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Podcasts

Archive & Timeline

Previous 12 months
Explore: All The Years!