UEFI Bootkit Bootkitty Targets Linux Kernel

Researchers at ESET have discovered a UEFI bootkit named “Bootkitty” that targets Linux systems. It is installed on a machine the attacker has already compromised, where it replaces the GRUB bootloader.

Bootkitty is written to the EFI System Partition as grubx64.efi, in place of the genuine GRUB binary. Once the firmware transfers control to it, it loads the real GRUB2 bootloader into memory, patches its code, disables the integrity checks that would otherwise verify components loaded later in the boot chain, and installs a hook that patches the Linux kernel image in memory. That hook disables the kernel's module signature verification and modifies the startup of the init process.

The user-space component is a shared library, /opt/injector.so, which hooks SELinux operations and the init_module function and uses the latter to load the kernel module /opt/dropper.ko. That module creates and runs the executable /opt/observer, hides itself from the list of loaded kernel modules, and installs system-call hooks that conceal both /opt/observer and selected network traffic. /opt/observer in turn loads a further kernel module, /opt/rootkit_loader.ko, which is the loader for the rootkit proper.


A bootkit of this kind requires privileged access and is typically deployed only after the attacker has already compromised the host. The injector.so library and the malicious kernel modules are usually hidden inside the initial ramdisk image (initrd) or placed on the filesystem, while the replaced grubx64.efi sits on the EFI System Partition. Because the bootkit runs before the operating system and can tamper with what the kernel later reports, checks performed from inside the compromised OS may be subverted; comparing the ESP contents and the initrd against known-good copies from trusted boot media is the more reliable approach.
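As an added triage example (not ESET's code and not part of the original report), the POSIX shell helpers below check the three places the article names: the grubx64.efi on the EFI System Partition against a trusted SHA-256, an extracted initrd or root filesystem tree for the dropped file paths, and the loaded-module list for modules that have been unlinked from /proc/modules. The file paths, the trusted hash and any fixture data are assumptions supplied by the caller; the hidden-module heuristic assumes the rootkit removes its module only from the kernel's module list and leaves its /sys/module entry (which carries an initstate attribute only for loadable modules) behind.

```shell
#!/bin/sh
# Added example: offline triage helpers for the Bootkitty artifacts named in
# the article. Not ESET's tooling. All paths and hashes are caller-supplied
# assumptions; adjust them to the system under analysis.

# Indicators from the article, as relative paths inside an extracted initrd
# or a mounted root filesystem.
BOOTKITTY_IOCS="opt/injector.so opt/dropper.ko opt/observer opt/rootkit_loader.ko"

# Compare the GRUB EFI binary present on the EFI System Partition with a
# trusted SHA-256 (for example, the hash of the copy shipped by your distro's
# GRUB package, computed on a clean machine). Returns 0 on match, 1 otherwise.
# Usage: check_grub_hash /boot/efi/EFI/<distro>/grubx64.efi <trusted-sha256>
check_grub_hash() {
  efi_binary=$1; trusted=$2
  [ -f "$efi_binary" ] || { echo "missing: $efi_binary" >&2; return 1; }
  actual=$(sha256sum "$efi_binary" | cut -d' ' -f1)
  if [ "$actual" = "$trusted" ]; then
    echo "ok: $efi_binary matches trusted hash" >&2
    return 0
  fi
  echo "MISMATCH: $efi_binary sha256=$actual expected=$trusted" >&2
  return 1
}

# Walk an extracted initrd (or a mounted root filesystem) and print every
# known Bootkitty path that exists, one per line. Always returns 0 so it can
# be used inside command substitution; count the lines to get the hit count.
# Usage: scan_tree_for_iocs /tmp/initrd-extracted
scan_tree_for_iocs() {
  root=$1
  for ioc in $BOOTKITTY_IOCS; do
    [ -e "$root/$ioc" ] && printf '%s\n' "$root/$ioc"
  done
  return 0
}

# Print loadable modules that have a /sys/module/<name>/initstate entry but
# no line in /proc/modules. A module that unlinks itself from the kernel's
# module list (as the dropper module described above does) disappears from
# /proc/modules, while its sysfs directory usually remains.
# Usage: find_hidden_modules [sysfs-module-dir] [proc-modules-file]
find_hidden_modules() {
  sysdir=${1:-/sys/module}; procmod=${2:-/proc/modules}
  listed=$(cut -d' ' -f1 "$procmod")
  for dir in "$sysdir"/*/; do
    name=$(basename "$dir")
    # Built-in modules also appear under /sys/module but have no initstate;
    # skip them to avoid false positives.
    [ -f "$dir/initstate" ] || continue
    printf '%s\n' "$listed" | grep -qxF "$name" || printf '%s\n' "$name"
  done
  return 0
}

# Live use (root required for the ESP); source this file, then e.g.:
#   check_grub_hash /boot/efi/EFI/ubuntu/grubx64.efi "$TRUSTED_SHA256"
#   find_hidden_modules
# To scan an initrd, extract it first (e.g. with lsinitrd/unmkinitramfs or
# by decompressing and running cpio -idm in a scratch directory) and pass
# the resulting directory to scan_tree_for_iocs.
```

Run the hash check from a rescue or live medium rather than from the suspect installation: a bootkit that patches GRUB and the kernel in memory leaves the on-disk binary as the only artifact the running OS cannot easily lie about, and a replaced grubx64.efi will also fail Secure Boot signature verification if the firmware still enforces it.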
