Researchers Uncover First UEFI Bootkit Targeting Linux Systems

27 Nov 2024

First Linux UEFI Bootkit Discovered: A Proof-of-Concept Threat Called ‘Bootkitty’

Researchers at ESET have identified “Bootkitty,” the first known UEFI bootkit targeting Linux systems. This discovery signifies a shift in bootkit threats, which previously focused on Windows environments. Although Bootkitty is currently a proof-of-concept and not deployed in real-world attacks, it demonstrates an evolution in stealthy, hard-to-remove malware.

What Are Bootkits?
Bootkits are malicious programs designed to infect a computer’s boot process, loading before the operating system. This gives them low-level access to the system, allowing them to bypass operating-system-level security measures, alter system components, or inject malicious code without detection.

The Discovery of Bootkitty
ESET uncovered Bootkitty after analyzing a suspicious file, bootkit.efi, uploaded to VirusTotal in November 2024. This bootkit is the first to bypass Linux kernel signature verification, preloading malicious components during the boot process.

Bootkitty relies on a self-signed certificate, rendering it ineffective on systems with Secure Boot enabled. Additionally, it is narrowly targeted at specific Ubuntu distributions due to its reliance on hardcoded offsets and rudimentary byte-pattern matching. These limitations, coupled with frequent system crashes and unused functions in the code, indicate that Bootkitty is still in development and unsuitable for widespread deployment.

Bootkitty’s Mechanisms
During boot, Bootkitty hooks into UEFI security protocols to bypass integrity checks, ensuring it loads regardless of system security settings. It also manipulates GRUB functions to disable integrity checks on binaries, including the Linux kernel, and intercepts the kernel’s decompression process to bypass module signature verification.

Once active, the malware alters the dynamic loader’s preload environment variable so that a malicious library (injector.so) is loaded into processes during system startup. Despite this functionality, researchers noted several artifacts left behind in the code, pointing to the malware’s unfinished state.
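The three footholds described above (Secure Boot state, an unexpected binary on the EFI System Partition, and a preload entry that pulls in a library such as injector.so) are all things a defender can audit. The following is an added example written for this page, not ESET’s code or tooling; the SecureBoot efivar layout (a 4-byte attribute header followed by one data byte) is the standard one, the expected-binary list and trusted library prefixes are assumptions to adapt per system, and all inputs are constructed samples rather than real captures.

```python
"""Defender-side audit of Bootkitty-style footholds (added example, not ESET code)."""
import re

# Assumption: EFI binaries a stock Ubuntu-style ESP is expected to carry.
EXPECTED_EFI = {"shimx64.efi", "grubx64.efi", "mmx64.efi", "fbx64.efi", "bootx64.efi"}
# Assumption: directories whose preloaded libraries are considered package-managed.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def secure_boot_enabled(efivar_bytes: bytes) -> bool:
    """Parse the raw SecureBoot efivar: 4 attribute bytes, then 1 data byte (1 = enabled)."""
    if len(efivar_bytes) < 5:
        raise ValueError("SecureBoot efivar too short")
    return efivar_bytes[4] == 1


def unexpected_efi_binaries(esp_entries):
    """Return .efi files on the ESP that are not in the expected boot chain."""
    return sorted(e for e in esp_entries
                  if e.lower().endswith(".efi") and e.lower() not in EXPECTED_EFI)


def suspicious_preloads(ld_so_preload_text: str, ld_preload_env: str = "") -> list:
    """Collect library paths from /etc/ld.so.preload text and an LD_PRELOAD value.
    Paths outside the trusted prefixes are flagged; a library dropped inside
    /usr/lib would pass this heuristic, so pair it with package-manifest checks."""
    candidates = []
    for line in ld_so_preload_text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if entry:
            candidates.append(entry)
    candidates += [p for p in re.split(r"[:\s]+", ld_preload_env) if p]
    return [c for c in candidates if not c.startswith(TRUSTED_LIB_PREFIXES)]


def audit(efivar_bytes, esp_entries, ld_so_preload_text, ld_preload_env=""):
    """Combine the three checks into a list of finding strings."""
    findings = []
    if not secure_boot_enabled(efivar_bytes):
        findings.append("secure_boot_disabled")
    findings += [f"unexpected_efi:{f}" for f in unexpected_efi_binaries(esp_entries)]
    findings += [f"preload:{p}" for p in suspicious_preloads(ld_so_preload_text, ld_preload_env)]
    return findings


# Constructed sample inputs (not real captures).
SAMPLE_EFIVAR_OFF = b"\x07\x00\x00\x00\x00"
SAMPLE_ESP = ["shimx64.efi", "grubx64.efi", "bootkit.efi", "grub.cfg"]
SAMPLE_PRELOAD = "# system preloads\n/usr/lib/x86_64-linux-gnu/libfakeroot.so\n/opt/injector.so\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_EFIVAR_OFF, SAMPLE_ESP, SAMPLE_PRELOAD):
        print(finding)
```

On a live host the efivar is read from /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c, the ESP listing from the mounted boot partition, and the preload sources from /etc/ld.so.preload and the environment of early-boot processes.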

Related Findings
The same user who uploaded Bootkitty to VirusTotal also submitted an unsigned kernel module called “BCDropper.” While the connection is tenuous, BCDropper deploys a rootkit module, BCObserver, which can hide files, processes, and open network ports.

Implications
Although Bootkitty is not yet a real-world threat, its development signals that attackers are focusing on Linux malware as the platform gains prominence in enterprise environments. This marks an important milestone in the evolution of UEFI bootkit threats beyond Windows systems.