New, stealthy, first-of-its-kind malware used by Fancy Bear to target governments, ESET discovers

Next story

ESET announced today that a new cyberattack campaign is underway via the infamous hacking group Fancy Bear (aka Sednit, APT28, STRONTIUM, Sofacy, etc.). It is the first malware observed to successfully compromise the UEFI firmware component of a device (which was formerly known as the BIOS), a core and critical component of a computer.

The malware is dubbed “LoJax” by ESET researchers and is the first ever detected “in-the-wild UEFI rootkit” detected in a cyberattack designed to establish a presence on a victim’s computers. The LoJax rootkit was part of a campaign run by Fancy Bear against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind.

“Although we were aware in theory that UEFI rootkits existed, our discovery confirms that they are used by an active advanced persistent threat group,” said Jean-Ian Boutin, the ESET senior security researcher who led the LoJax research. “These attacks targeting the UEFI firmware are a real threat, and anyone in the crosshairs of Fancy Bear should be watching their networks and devices very closely.”

UEFI rootkits are very sophisticated tools used, as we now have confirmed, to launch successful cyberattacks. They serve as a key to the whole computer, are hard to detect and are able to survive even such intense cybersecurity measures as reinstalling the operating system or replacing the hard disk. Moreover, even cleaning a system that was infected with a UEFI rootkit requires knowledge well beyond the reach of a typical user, such as flashing the firmware.

Fancy Bear is one of the most active APT groups and has been operating since at least 2004. The Democratic National Committee hack that occurred during the 2016 presidential elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak, and many others are believed to be the work of Fancy Bear.

This group has in its arsenal a diversified set of malware tools, several examples of which ESET researchers have documented in their previous technical white paper, as well as in numerous blog posts on WeLiveSecurity.

The discovery of this first-ever in-the-wild UEFI rootkit serves as a wake-up call for those organizations and users who tend to ignore the risks connected with firmware modifications.

“Now, there is no excuse for excluding firmware from regular scanning,” said Boutin. “Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to full control of a computer by the attacker, with nearly total persistence.”

ESET is the only major provider of endpoint security solutions to offer a dedicated layer of protection, “ESET UEFI Scanner,” designed to detect malicious components in a PC’s firmware. The UEFI Scanner is included in all of ESET’s latest consumer and business Windows products.

“Thanks to the ESET UEFI Scanner, both our consumer and business customers are in a good position to spot such attacks and defend themselves against them,” noted Juraj Malcho, Chief Technology Officer at ESET.

ESET’s analysis of the Fancy Bear (or “Sednit,” as ESET references the group in technical documents) campaign that uses the first-ever in-the-wild UEFI rootkit is described in detail in the “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit or follow us on LinkedIn, Facebook and Twitter.

Media Contact:

Anna Keeve

ESET North America