ESET’s analysis of the threat has shown that the BlackLotus bootkit can circumvent security safeguards on fully updated Windows 11 systems and permanently infect them.
BlackLotus, a new player in the threat landscape, charges USD 5,000 to give advanced persistent threat (APT) actors and cybercriminals access to capabilities formerly only available to nation-states. The main danger posed by UEFI bootkits is well-known: by controlling the operating system’s boot process, they can disable security safeguards and introduce kernel- or user-mode payloads while the system is booting up, acting covertly and with elevated privileges.
A typical attack begins with an installer deploying the bootkit’s files to the EFI System Partition (ESP), disabling system protections, and rebooting the system. Both offline and online BlackLotus installers have been identified.