{"id":14409,"date":"2018-09-28T15:58:13","date_gmt":"2018-09-28T15:58:13","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/29356\/Inside-A-UEFI-Russian-Made-Rootkit-Used-To-Spy-On-Governments.html"},"modified":"2018-09-28T15:58:13","modified_gmt":"2018-09-28T15:58:13","slug":"inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/","title":{"rendered":"Inside A UEFI Russian Made Rootkit Used To Spy On Governments"},"content":{"rendered":"<p>A UEFI rootkit, believed to have been built by Kremlin spies from an anti-theft software program to snoop on European governments, has been publicly picked apart by researchers.<\/p>\n<p>A rootkit is a piece of software that hides itself on computer systems, and uses its root or administrator-level privileges to steal and alter documents, spy on users, and cause other mischief and headaches. A UEFI rootkit lurks in the motherboard firmware, meaning it starts up before the operating system and antivirus suites run, allowing it to bury itself deep in an infected machine, undetected and with high-level access privileges.<\/p>\n<p>According to infosec biz ESET, a firmware rootkit dubbed LoJax <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.welivesecurity.com\/2018\/09\/27\/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group\/\">targeted Windows PCs used by government organizations<\/a> in the Balkans as well as in central and eastern Europe. 
The chief suspects behind the software nasty are the infamous Fancy Bear (aka Sednit aka Sofacy aka APT28) hacking crew, elsewhere identified as a unit of Russian military intelligence.<\/p>\n<p>That&#8217;s the same Fancy Bear that&#8217;s said to have hacked the US Democratic Party&#8217;s servers, French telly network TV5, and others.<\/p>\n<p>The malware is based on an old version of a legit application by Absolute Software called LoJack for Laptops, which is typically installed on notebooks by manufacturers so that stolen devices can be found. The code hides in the UEFI firmware, and phones home to a backend server over the internet. Thus, if the computer is nicked, it will silently reveal its current location to its real owner.<\/p>\n<p>As we <a target=\"_blank\" href=\"https:\/\/www.theregister.co.uk\/2018\/05\/02\/lojack_fancy_bear_allegation\/\">reported in May<\/a>, eggheads at Netscout&#8217;s Arbor Networks spotted LoJack being reused by Fancy Bear agents to develop LoJax. 
Now, ESET has <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/09\/ESET-LoJax.pdf\">documented in detail<\/a> [PDF] the spyware&#8217;s inner workings, and listed signatures that can be used to detect and remove it from your own networks.<\/p>\n<p>Essentially, the miscreants compromise a machine, gain administrator privileges, and then try to alter the motherboard firmware to include a malicious UEFI module that, if successful, installs and runs LoJax every time the computer is normally booted.<\/p>\n<p>This malicious code thus gets to work before the OS and antivirus tools kick in. Changing the hard drive or reinstalling the operating system is no good \u2013 the malware is stored in the system&#8217;s builtin SPI flash, and reinstalls itself on the new or wiped disk.<\/p>\n<p>Once up and alive, LoJax contacts command-and-control servers that are disguised as normal websites and are known to be operated by Russian intelligence. It then downloads its orders to carry out.<\/p>\n<p>On Thursday, the ESET team wrote:<\/p>\n<blockquote readability=\"20\">\n<p>We found a limited number of different LoJax samples during our research. Based on our telemetry data and on other Sednit tools found in the wild, we are confident that this particular module was rarely used compared to other malware components at their disposal. The targets were mostly government entities located in the Balkans as well as Central and Eastern Europe.<\/p>\n<p>Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system\u2019s SPI flash memory. This module is able to drop and execute malware on disk during the boot process.<\/p>\n<p>This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. 
Moreover, cleaning a system\u2019s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.<\/p>\n<\/blockquote>\n<p>It turns out LoJack, otherwise known as Computrace, was a pretty decent template for designing a piece of hidden firmware-level spyware. &#8220;While researching LoJax, we found several interesting artifacts that led us to believe that these threat actors might have tried to mimic Computrace\u2019s persistence method,&#8221; ESET stated.<\/p>\n<p>LoJax uses a kernel driver, RwDrv.sys, to rewrite the UEFI flash firmware and its settings to store itself, so that when the PC starts up, it copies itself to disk and runs itself. This kernel driver was swiped from a legitimate utility called RWEverything.<\/p>\n<p>We&#8217;re told by ESET that Secure Boot, if enabled, should stop LoJax from injecting itself into the firmware storage, because the code won&#8217;t have a valid digital signature and should be rejected during startup. Be aware, though, this requires a sufficiently strong Secure Boot configuration: it has to be able to thwart administrator-level malware with read-write access to the UEFI storage.<\/p>\n<p>There are firmware settings that can thwart the flash installation simply by blocking write operations. 
If BIOS write-enable is off, BIOS lock-enable is on, and SMM BIOS write-protection is enabled, then the malware can&#8217;t write itself to the motherboard&#8217;s flash storage.<\/p>\n<p>Alternatively, wiping the disk and re-flashing the firmware storage will get rid of this particular rootkit strain.<\/p>\n<p>Modern systems should be able to resist malicious firmware overwrites, we&#8217;re told, although ESET said it found at least one case of LoJax in the PC&#8217;s SPI flash.<\/p>\n<p>&#8220;While it is hard to modify a system\u2019s UEFI image, few solutions exist to scan a system\u2019s UEFI modules and detect malicious ones,&#8221; wrote Team ESET. &#8220;Moreover, cleaning a system\u2019s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target systems\u2019 UEFI.&#8221;<\/p>\n<p>While the steps taken to inject the malware into the firmware are somewhat involved, the end result is quite simple: creating a resident software evil that makes sure companion malware is loaded up when a compromised system boots up.<\/p>\n<p>ESET presented its research on the UEFI rootkit it had uncovered at the 2018 Microsoft BlueHat conference on Thursday, September 27. See the above-linked PDF for more in-depth details. 
<\/p>\n<p>READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/29356\/Inside-A-UEFI-Russian-Made-Rootkit-Used-To-Spy-On-Governments.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":14410,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[3713],"class_list":["post-14409","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinegovernmentrussiacyberwarspywarebackdoor"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Inside A UEFI Russian Made Rootkit Used To Spy On Governments 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Inside A UEFI Russian Made Rootkit Used To Spy On Governments 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2018-09-28T15:58:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/10\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"174\" \/>\n\t<meta property=\"og:image:height\" content=\"115\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Inside A UEFI Russian Made Rootkit Used To Spy On Governments\",\"datePublished\":\"2018-09-28T15:58:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/\"},\"wordCount\":995,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/10\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg\",\"keywords\":[\"headline,government,russia,cyberwar,spyware,backdoor\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/\",\"name\":\"Inside A UEFI Russian Made Rootkit Used To Spy On Governments 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/10\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg\",\"datePublished\":\"2018-09-28T15:58:13+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/10\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/10\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg\",\"width\":174,\"height\":115},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"List
Item\",\"position\":2,\"name\":\"headline,government,russia,cyberwar,spyware,backdoor\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinegovernmentrussiacyberwarspywarebackdoor\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Inside A UEFI Russian Made Rootkit Used To Spy On Governments\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Inside A UEFI Russian Made Rootkit Used To Spy On Governments 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/","og_locale":"en_US","og_type":"article","og_title":"Inside A UEFI Russian Made Rootkit Used To Spy On Governments 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2018-09-28T15:58:13+00:00","og_image":[{"width":174,"height":115,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/10\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Inside A UEFI Russian Made Rootkit Used To Spy On Governments","datePublished":"2018-09-28T15:58:13+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/"},"wordCount":995,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/10\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg","keywords":["headline,government,russia,cyberwar,spyware,backdoor"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/","url":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/","name":"Inside A UEFI Russian Made Rootkit Used To Spy On Governments 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/10\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg","datePublished":"2018-09-28T15:58:13+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/10\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/10\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments.jpg","width":174,"height":115},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/inside-a-uefi-russian-made-rootkit-used-to-spy-on-governments\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,government,russia,cyberwar,spyware,backdoor","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinegovernmentrussiacyberwarspywarebackdoor\/"},{"@type":"ListItem","position":3,"name":"Inside A 
UEFI Russian Made Rootkit Used To Spy On Governments"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.thre
atshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/14409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=14409"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/14409\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/14410"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=14409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=14409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=14409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}