Bootkitty: The First UEFI Bootkit for Linux and Its Implications for Penetration Testers
UEFI bootkits are sophisticated malware types that compromise the boot process, allowing attackers to execute malicious payloads before the operating system loads. By targeting the firmware, bootkits achieve unparalleled persistence, often evading traditional detection tools. Historically, these threats have targeted Windows systems due to their prevalence, leaving Linux systems relatively untouched—until now.
The emergence of Bootkitty underscores the increasing sophistication of attackers and their interest in diversifying targets, compelling cybersecurity professionals to revisit Linux firmware security strategies.
Bootkitty was first identified by cybersecurity researchers as a PoC UEFI bootkit engineered by a group called BlackCat. While there is no evidence of its deployment in active attacks, the malware’s design reflects the growing sophistication of threat actors targeting Linux environments. Bootkitty’s primary objectives include:
Disabling the Linux kernel’s signature verification.
Preloading unknown ELF binaries via the Linux initialisation process.