| BootKitty | |
|---|---|
| Malware details | |
| Type | Bootkit |
| Origin | South Korea (Proof-of-Concept) |
BootKitty is a UEFI bootkit, delivered as an ELF program, that hijacks the boot process of Linux systems by using a malicious EFI boot loader; it is described as the first ever bootkit for Linux systems. It was also tracked as the malware family IranuKit.[1]
Design
When the BootKitty ELF program is run, it attempts to disable kernel signature verification on the Linux system and to preload two loaders, one of which is run by the Linux kernel at boot through the Linux init system.[2] This allows BootKitty to persist beyond system reboots, reinstallations, and hard drive replacements.[3] BootKitty primarily uses the LogoFAIL exploit in order to gain firmware-level persistence.[4] Using LogoFAIL, BootKitty embeds shellcode in two BMP image files that are processed during boot, and it bypasses Secure Boot protections by injecting rogue certificates into the MokList variable.[5] When it was detected in 2024, the EFI file used was self-signed; although this would normally prevent it from running on systems with UEFI protections enabled, BootKitty bypasses these protections and is capable of replacing the boot loader and of patching the kernel ahead of its execution.[6] BootKitty is designed mainly to target Ubuntu systems and related Linux distributions.[7] Not all devices are considered susceptible to the exploits this malware uses: the BMP image file and assembler code are specifically made for Lenovo devices and work only on certain GNU GRUB and Linux kernel versions.[8]
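The text above describes the bootkit tampering with the MokList variable. As an added example that is not code from the article or its sources, the following Python parses a MokList blob in the UEFI EFI_SIGNATURE_LIST format and reports certificate entries that are absent from an allowlist, which is the check a defender would run to detect such an injected key. The sample blob and allowlist are constructed; the signature-type GUIDs are those defined by the UEFI specification.

```python
# Added example (not from the article): audit a MokList blob, an array of UEFI
# EFI_SIGNATURE_LIST structures, for certificate entries not on an allowlist.
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_signature_lists(blob: bytes):
    """Yield (sig_type, owner, data) per EFI_SIGNATURE_DATA; reject malformed sizes."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(blob):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        while pos < end:  # each entry: 16-byte SignatureOwner GUID, then SignatureData
            yield sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def fingerprint(sig_type: uuid.UUID, data: bytes) -> str:
    """SHA-256 of the DER certificate for X.509 entries; the stored hash for SHA256 entries."""
    if sig_type == EFI_CERT_X509_GUID:
        return hashlib.sha256(data).hexdigest()
    if sig_type == EFI_CERT_SHA256_GUID:
        return data.hex()
    return "unknown-type:" + str(sig_type)

def audit_moklist(blob: bytes, allowlist: set) -> list:
    """Return fingerprints of MokList entries that the allowlist does not cover."""
    return [fp for fp in (fingerprint(t, d) for t, _o, d in parse_signature_lists(blob)) if fp not in allowlist]

def build_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST with an empty header (X.509 certs go one per list)."""
    body = b"".join(uuid.UUID(int=0).bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body

# Constructed sample: one "distributor" certificate (fake DER bytes) plus one rogue certificate.
KNOWN_CERT = b"\x30\x82" + b"\x01" * 40
ROGUE_CERT = b"\x30\x82" + b"\x02" * 40
SAMPLE_MOKLIST = build_list(EFI_CERT_X509_GUID, [KNOWN_CERT]) + build_list(EFI_CERT_X509_GUID, [ROGUE_CERT])
ALLOWLIST = {fingerprint(EFI_CERT_X509_GUID, KNOWN_CERT)}
```

On a live system the same blob is read from /sys/firmware/efi/efivars/MokList-605dab50-e046-4300-abb6-3dd810dd8b23 after skipping the 4-byte efivarfs attribute prefix, with the allowlist holding the fingerprints of the distribution's enrolled Machine Owner Keys.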
Malware and security researchers have compared the malware to the BlackLotus malware.[9]
History
After BootKitty began gaining notoriety among security researchers, multiple university students from South Korea claimed responsibility for its creation, describing it as a proof-of-concept that had accidentally become public, and issued a statement of no ill intent.[10]
References
- ^ Lakshmanan, Ravie. "Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels". The Hacker News. Retrieved 2026-01-17.
- ^ Lee, Junho; Kwon, Jihoon; Seo, HyunA; Lee, Myeongyeol; Seo, Hyungyu; Jung, Jinho; Koo, Hyungjoon (2025-08-11). "BOOTKITTY: a stealthy bootkit-rootkit against modern operating systems". Proceedings of the 19th USENIX Conference on Offensive Technologies. USENIX: 303–320. ISBN 978-1-939133-50-2.
- ^ Vijayan, Jai (2024-12-02). "'Bootkitty' First Bootloader to Take Aim at Linux". DarkReading. Retrieved 2026-01-16.
- ^ "LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux". binarly.io. 2024-11-29. Retrieved 2026-01-17.
- ^ Toulas, Bill (2024-12-02). "BootKitty UEFI malware exploits LogoFAIL to infect Linux systems". Bleeping Computer. Retrieved 2026-01-17.
- ^ "ESET Research discovers the first UEFI bootkit for Linux". ESET. 2024-11-27. Retrieved 2026-01-17.
- ^ Wyciślik-Wilson, Sofia Elizabella (2024-11-29). "Proving Linux is not a safe sanctuary, ESET finds first Linux-targeting UEFI bootkit malware". BetaNews. Retrieved 2026-01-17.
- ^ Kunz, Christopher (2024-12-03). "UEFI bootkit "Bootkitty" for Linux is a university project from South Korea". Heise Online. Retrieved 2026-01-17.
- ^ Garland, Chris (2024-12-04). "Bootkitty and Linux Bootkits: We've Got You Covered". Eclypsium. Retrieved 2026-01-17.
- ^ Kan, Michael (2024-11-27). "'Bootkitty' Malware Can Infect a Linux Machine's Boot Process". PCMag. ISSN 0888-8507. OCLC 960872918. Retrieved 2026-01-17.