The BlackLotus Campaign

In April 2023, cybersecurity researchers at Microsoft identified a dangerous UEFI bootkit (CVE-2022-21894), dubbed “BlackLotus”. It runs at computer startup, before the operating system loads, compromising the system and disabling OS security mechanisms. Notably, it is a persistence and defense-evasion tool rather than an initial-access tool: it requires prior privileged or physical access to the machine. Detection opportunities include identifying recently modified and locked bootloader files, detecting its custom staging directory, and monitoring registry modifications, event logs, network connections, and boot configuration logs. If a device is infected, it should be isolated and then reformatted or restored from a clean backup. To prevent BlackLotus and similar threats, adopt least privilege, implement defense-in-depth strategies, keep antimalware software up to date, and remove unnecessary UEFI CA certificates. Vigilance, updates, and robust security practices are essential to safeguard against evolving cyber threats.
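The following PowerShell triage script is an added example, not code from Phoenix Technologies or from the Microsoft guidance; it walks through the host-side detection opportunities listed above (recently modified bootloader files, locked bootloader files, and the boot configuration) on a single Windows machine. It assumes the EFI System Partition can be mounted with the built-in `mountvol` tool at the drive letter `S:` (chosen arbitrarily), that the machine boots via the standard `\EFI\Microsoft\Boot` directory, and that a 30-day modification window is a reasonable starting point for the environment; the staging-directory path is deliberately a placeholder because this page does not state it.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell session.
# ASSUMPTION: drive letter S: is free; the EFI System Partition (ESP) is mounted there.
$EspLetter = 'S:'
$LookbackDays = 30                      # assumption: tune to the environment's patch cadence
$cutoff = (Get-Date).AddDays(-$LookbackDays)

Write-Host "[*] Mounting the EFI System Partition at $EspLetter"
mountvol $EspLetter /S | Out-Null       # built-in: mounts the ESP at the given letter

try {
    # ---- 1. Recently modified bootloader files on the ESP -------------------------
    # Bootkits that replace or add EFI binaries leave files whose LastWriteTime is newer
    # than the last legitimate boot-component update. Review every hit manually.
    Write-Host "[*] EFI binaries modified after $cutoff"
    $efiFiles = Get-ChildItem -Path "$EspLetter\EFI" -Recurse -Filter '*.efi' -ErrorAction SilentlyContinue
    $efiFiles | Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

    # ---- 2. Locked bootloader files ---------------------------------------------
    # A file that cannot be opened with an exclusive share mode is held open by another
    # process; legitimate boot files are not normally locked while Windows is running.
    function Test-FileLocked {
        param([Parameter(Mandatory)][string]$Path)
        try {
            $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                         [System.IO.FileAccess]::Read,
                                         [System.IO.FileShare]::None)
            $fs.Close()
            return $false
        } catch [System.IO.IOException] {
            return $true                 # sharing violation or similar: something holds it
        }
    }

    Write-Host "[*] Locked EFI binaries (investigate any hit)"
    $efiFiles | Where-Object { Test-FileLocked -Path $_.FullName } |
        Select-Object FullName, LastWriteTime | Format-Table -AutoSize

    # ---- 3. Authenticode status of the boot binaries -----------------------------
    # Unsigned or hash-mismatched EFI binaries in the boot path are a strong signal.
    Write-Host "[*] EFI binaries whose Authenticode signature is not Valid"
    $efiFiles | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ File = $_.FullName; Status = $sig.Status;
                           Signer = $sig.SignerCertificate.Subject }
    } | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

    # ---- 4. Custom staging directory ---------------------------------------------
    # PLACEHOLDER: the page does not name the staging directory; substitute the path
    # from your threat-intel source before relying on this check.
    $StagingDir = "$env:SystemRoot\PLACEHOLDER_STAGING_DIR"
    if (Test-Path $StagingDir) {
        Write-Host "[!] Staging directory present: $StagingDir"
        Get-ChildItem -Path $StagingDir -Force -Recurse | Select-Object FullName, LastWriteTime
    }

    # ---- 5. Boot configuration --------------------------------------------------
    # Dump the Boot Configuration Data so unexpected loader paths or test-signing /
    # integrity-check changes can be reviewed alongside the file findings above.
    Write-Host "[*] Boot Configuration Data (review loader paths and integrity settings)"
    bcdedit /enum all
}
finally {
    mountvol $EspLetter /D | Out-Null   # always unmount the ESP, even if a step fails
}
```

The script only reads and reports; it does not delete or modify anything, because the page's remediation step is isolation followed by a reformat or a restore from a clean backup, not in-place cleanup. Hits in steps 1 to 3 should be correlated with the event-log, registry and network indicators the page mentions before deciding a host is compromised, since a legitimate Windows boot-component update also produces recently modified `.efi` files.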