BlackLotus operates as a bootkit: it runs during the boot process, before the operating system loads. Unlike earlier bootkits that relied on outdated firmware or misconfigured Secure Boot, BlackLotus exploits a Windows bootloader vulnerability known as Baton Drop (CVE-2022-21894). Although Microsoft patched the vulnerability in January 2022, the vulnerable bootloader binaries remained cryptographically signed and had not been added to the Secure Boot revocation list (DBX), so an attacker who copied an old bootloader onto the system could still have it loaded, and the malware could execute even on fully patched systems with Secure Boot enabled. The malware primarily targets Windows 10 and Windows 11 systems running on UEFI firmware.
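The point above, that Secure Boot keeps trusting a signed binary until its hash lands in the DBX denylist, is something a practitioner can check directly. The following is an added example, not code from the page or from any BlackLotus analysis: it parses the raw DBX variable (a sequence of EFI_SIGNATURE_LIST structures as defined in the UEFI specification) and tests whether a given bootloader's Authenticode SHA-256 hash is revoked. The DBX bytes can be read on Windows with `(Get-SecureBootUEFI -Name dbx).Bytes` and on Linux from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after stripping the 4-byte attribute prefix; the image hash must be the PE Authenticode hash (for example from Sysinternals `sigcheck -h`), not a plain file hash. The sample DBX, the hashes and the certificate bytes embedded below are constructed for the demonstration and correspond to no real bootloader.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# SignatureType (16 bytes), SignatureListSize, SignatureHeaderSize, SignatureSize (uint32 each).
SIGLIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Split a raw db/dbx variable into (type_guid, [(owner_guid, data), ...]) tuples."""
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + SIGLIST_HDR.size + hdr_size : off + list_size]
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the payload.
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        entries = []
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i : i + 16])
            entries.append((owner, body[i + 16 : i + sig_size]))
        lists.append((uuid.UUID(bytes_le=type_raw), entries))
        off += list_size
    return lists


def revoked_sha256_hashes(dbx_blob: bytes) -> set:
    """All SHA-256 image hashes carried in EFI_CERT_SHA256 lists of a dbx blob."""
    return {
        data
        for type_guid, entries in parse_signature_lists(dbx_blob)
        if type_guid == EFI_CERT_SHA256_GUID
        for _owner, data in entries
    }


def is_revoked(authenticode_sha256: bytes, dbx_blob: bytes) -> bool:
    """True if the 32-byte Authenticode hash is denied by dbx, i.e. Secure Boot refuses the image."""
    if len(authenticode_sha256) != 32:
        raise ValueError("expected a raw 32-byte SHA-256 Authenticode hash")
    return authenticode_sha256 in revoked_sha256_hashes(dbx_blob)


def build_signature_list(type_guid: uuid.UUID, payloads, owner=uuid.UUID(int=0)) -> bytes:
    """Encode one EFI_SIGNATURE_LIST; used here only to construct a sample dbx offline."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return SIGLIST_HDR.pack(type_guid.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample dbx: two revoked image hashes plus one certificate entry
# (fake bytes standing in for a DER certificate; none of this is real revocation data).
REVOKED_A = hashlib.sha256(b"constructed-old-bootmgfw-image-1").digest()
REVOKED_B = hashlib.sha256(b"constructed-old-bootmgfw-image-2").digest()
STILL_TRUSTED = hashlib.sha256(b"constructed-current-bootmgfw-image").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, [REVOKED_A, REVOKED_B])
    + build_signature_list(EFI_CERT_X509_GUID, [b"constructed-der-certificate-bytes"])
)

if __name__ == "__main__":
    for name, h in [("image A", REVOKED_A), ("image B", REVOKED_B), ("current", STILL_TRUSTED)]:
        print(name, "revoked" if is_revoked(h, SAMPLE_DBX) else "not revoked")
```

A bootloader whose hash is absent from the DBX is exactly the situation the text describes: it is still signed by the Microsoft Windows Production CA, so the firmware accepts it regardless of any later OS patch. Running the check against the hash of every `.efi` file on the ESP, rather than only the one Windows is configured to boot, is what catches a stale copy an attacker has dropped alongside the current one.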
== Secure Boot bypass and persistence ==

Secure Boot is a UEFI feature designed to ensure that only trusted, signed software loads during system startup. BlackLotus bypasses it by manipulating the Boot Configuration Data (BCD) and loading an older, vulnerable Windows bootloader that was still validly signed and, at the time of discovery, had not been added to the Secure Boot revocation list (DBX). Exploiting Baton Drop in that bootloader, BlackLotus installs a malicious UEFI component that executes before the Windows kernel and can disable or tamper with security mechanisms, including BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Windows Defender components.

BlackLotus persists by embedding itself in the EFI System Partition (ESP). Because the ESP is typically not scanned by antivirus software and is rarely modified by users, the malware survives an operating system reinstallation that leaves existing partitions in place, disk-level malware removal tools, and some firmware updates, which rewrite the firmware flash rather than the disk. From this position it loads its own kernel-mode driver at every boot, giving it kernel-level persistence and a platform for deploying additional payloads.

== Discovery ==