Researchers have discovered one of the most advanced MoonBounce bootkits that targets the UEFI firmware. The bootkit is suspected to be associated with a decade-old threat group, APT41 or Winnti.

How does it work?

MoonBounce marks the third known malware, after FinFisher and ESPecter, that targets UEFI firmware. Researchers from Kaspersky.
  • The malware is implanted in the SPI flash part of the motherboard, signifying that it cannot be removed even after hard disk replacement.
  • The implant is stored in the CORE_DXE component, which is called during the early boot sequence of UEFI.
  • Once the malware makes its way inside the OS, it may reach out to a C2 server to obtain further payloads.
  • Additionally, the infection chain does not leave any evidence and works entirely in memory, facilitating a fileless attack.

Is cyberespionage the mission?

The main goal of the attackers appears to be establishing a foothold within the network and carrying out cyber-espionage by stealing sensitive information. The attacks were highly targeted in nature and the security firm discovered firmware rootkit only in a single case, whereas multiple other malware samples, including ScrambleCross malware and its loaders, were found in machines of other victims.


The MoonBounce bootkit is an advanced and severe threat that is most probably backed by a notable cybercriminals gang such as
Winnti. Therefore, researchers advise enabling Secure Boot by default and updating firmware regularly. It is recommended to verify that BootGuard is enabled and enable the Trust Platform Module (TPM).
Cyware Publisher