HybridPetya: More proof that Secure Boot bypasses are not just an urban legend
==============================================================================

Although it hasn't been seen in the wild yet
--------------------------------------------

[Jessica Lyons](/Author/Jessica-Lyons "Read more by this author") Fri 12 Sep 2025 // 23:05 UTC

A new ransomware strain dubbed HybridPetya was able to exploit a patched vulnerability to bypass Unified Extensible Firmware Interface (UEFI) Secure Boot on unrevoked Windows systems, making it the fourth publicly known bootkit capable of punching through the feature and hijacking a PC before the operating system loads.

ESET researchers discovered the ransomware-bootkit combo after samples were uploaded to VirusTotal in February, and named it HybridPetya because of its similarities to the infamous Petya and NotPetya malware strains.

The silver lining: the code seems to be just a proof-of-concept (PoC) at this point, and the threat hunters say they've seen no indications of its use in the wild. Also, it doesn't show the same aggressive network propagation as NotPetya. Still, HybridPetya provides yet another example that Secure Boot bypasses, which were still considered an infosec urban legend until a few years ago, do exist. And both ethical hackers and attackers alike are eager to develop new variants.

As *Reg* readers no doubt remember: back in 2017, malware dubbed [NotPetya](https://www.theregister.com/2017/06/28/petya_notpetya_ransomware) (because the data-wiping malware masqueraded as 2016's [Petya](https://www.theregister.com/2017/03/15/petya_returns_wrapped_in_extra_vx_nastiness/) ransomware) [exploded](https://www.theregister.com/2017/06/27/ransomware_outbreak_hits_ukraine/) across the world, ultimately costing [more than $10 billion](https://theloop.ecpr.eu/surprising-stats-the-worst-economic-losses-from-cyber-catastrophes/) in damages.

Both Petya and NotPetya also contained bootkits that overwrote the Master Boot Record (MBR) on infected computers, allowing the malware to lock up victims' entire hard drive and prevent the OS from booting.

The new HybridPetya shares its disk-locking behavior with its predecessors and abuses UEFI vulnerability CVE-2024-7344, which [ESET discovered and disclosed](https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/) earlier this year and which Microsoft has since revoked in dbx on updated machines.

"HybridPetya is also capable of compromising modern UEFI-based systems by installing a malicious EFI application to the EFI System Partition," ESET malware researcher Martin Smolár [wrote](https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/) in a Friday report. "The deployed UEFI application is then responsible for encryption of the [NTFS](https://learn.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview)-related [Master File Table](https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table) (MFT) file — an important metadata file containing information about all the files on the NTFS-formatted partition."

HybridPetya, unlike the data-destroying NotPetya, also functions as ransomware. The algorithm used to generate the victim's personal installation key allows the malware operator to reconstruct the decryption key from the personal installation key — and thus unlock the files — as opposed to just wiping them clean.

### How the bootkit works

Similar to the two original Petya/NotPetya variants, upon execution the UEFI bootkit loads its configuration from the `\EFI\Microsoft\Boot\config` file and checks the current encryption status. This status can have one of three values:

* 0 – ready for encryption
* 1 – already encrypted, or
* 2 – ransom paid, disk decrypted

If the value is 0, the bootkit rewrites the configuration file with the flag now set to 1 and encrypts the `\EFI\Microsoft\Boot\verify` file with the [Salsa20](https://en.wikipedia.org/wiki/Salsa20) encryption algorithm, using the key and 8-byte-long nonce specified in the configuration data.

It also creates the file `\EFI\Microsoft\Boot\counter` on the EFI System Partition — this file is used to keep track of the already encrypted disk clusters — and begins the disk encryption process, starting with the identification of all NTFS-formatted partitions.

The malware also displays a fake Windows "CHKDSK" message on the victim's screen to indicate the disk is being checked for errors — not being encrypted. This message is identical to those displayed in both NotPetya and Petya.

Meanwhile, if the disk is already encrypted (so the encryption flag value is set to 1), the bootkit proceeds with a ransom note that, like the original NotPetya, begins: "Ooops, your important files are encrypted."

It then instructs the victim to send $1,000 in Bitcoin to a now-empty wallet ([34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2](https://www.blockchain.com/explorer/addresses/btc/34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2)) to purchase the decryptor. Once the victim enters the correct key, verified by the bootkit, it proceeds to decrypt the disk and restore the legitimate bootloaders from a backup file created during the installation process.

After that's completed, the bootkit prompts the victim to reboot the device, and assuming everything worked, the OS should start up again.

"Although HybridPetya is not actively spreading, its technical capabilities — especially MFT encryption, UEFI system compatibility, and Secure Boot bypass — make it noteworthy for future threat monitoring," Smolár wrote.

The discovery of HybridPetya follows three other real or PoC Secure Boot bypasses. Smolár wrote about the first, [BlackLotus](https://www.theregister.com/2023/03/01/blacklotus_malware_eset/), back in 2023 after Kaspersky's lead security researcher Sergey Lozhkin [first saw it](https://www.theregister.com/2022/10/13/blacklotus_malware_kaspersky/) being sold on cybercrime marketplaces a year earlier.

Last November, ESET also spotted a bootkit targeting Linux systems dubbed [Bootkitty](https://www.theregister.com/2024/11/27/firstever_uefi_bootkit_for_linux/) after it was uploaded to VirusTotal.

ESET also counts the [Hyper-V Backdoor PoC](https://github.com/Cr4sh/s6_pcie_microblaze/tree/eef8da94e2eec6d6894370e2216e718931842be4/python/payloads/DmaBackdoorHv#deploying-the-backdoor-using-signed-kaspersky-bootloader), which exploited [CVE-2020-26200](https://nvd.nist.gov/vuln/detail/CVE-2020-26200), among the four documented bootkits.
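The article's key qualifier is "unrevoked": HybridPetya's Secure Boot bypass depends on the vulnerable CVE-2024-7344 loader not yet being listed in the firmware's forbidden-signature database (dbx). The practical question for an administrator is therefore whether a given machine's dbx actually contains a particular revocation. The following is an added example, not code from the article, from ESET or from Microsoft: it parses the `EFI_SIGNATURE_LIST` layout in which the firmware stores dbx and reports whether a given SHA-256 entry is present. The dbx blob, its owner GUID and the revoked digests are all constructed placeholders; the real CVE-2024-7344 revocation hashes are not on this page, so substitute the digests from Microsoft's published dbx update when using it on a live variable.

```python
import hashlib
import struct
import uuid

# SignatureType GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16 bytes), SignatureListSize,
# SignatureHeaderSize, SignatureSize, all little-endian.
HEADER = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every EFI_SIGNATURE_DATA entry in a
    concatenation of EFI_SIGNATURE_LIST structures, which is how db/dbx are stored."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size <= OWNER_GUID_LEN:
            raise ValueError("SignatureSize must exceed the owner GUID")
        sig_type = uuid.UUID(bytes_le=type_raw)
        body_start = off + HEADER.size + hdr_size
        body_end = off + list_size
        if (body_end - body_start) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_GUID_LEN])
            yield sig_type, owner, blob[pos + OWNER_GUID_LEN:pos + sig_size]
        off = body_end


def revoked_sha256_hashes(dbx_blob: bytes) -> set:
    """Hex digests of every EFI_CERT_SHA256 entry. Note these are Authenticode
    (PE image) hashes of the revoked binaries, not plain hashes of the file bytes."""
    return {data.hex() for t, _, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def is_hash_revoked(dbx_blob: bytes, digest_hex: str) -> bool:
    """True if the given SHA-256 digest (hex, any case) is listed in dbx."""
    return digest_hex.lower() in revoked_sha256_hashes(dbx_blob)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = OWNER_GUID_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, sig_size) + body


# Constructed sample dbx: two SHA-256 revocations followed by one X.509 entry.
# The owner GUID and digests are placeholders, not the real CVE-2024-7344 entries.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000c0de")
SAMPLE_REVOKED = [hashlib.sha256(b"constructed revoked image %d" % i).digest() for i in (1, 2)]
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_REVOKED)
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"constructed DER certificate bytes"])
)


def main():
    for digest in sorted(revoked_sha256_hashes(SAMPLE_DBX)):
        print("revoked:", digest)
    print("first sample digest revoked?", is_hash_revoked(SAMPLE_DBX, SAMPLE_REVOKED[0].hex()))


if __name__ == "__main__":
    main()
```

To run this against a real machine, feed it the raw variable contents: on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes` from an elevated PowerShell; on Linux, the file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after dropping its 4-byte attribute prefix. A digest that is absent means the corresponding loader is still bootable under Secure Boot on that machine, which is exactly the "unrevoked" condition the article describes.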
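The "How the bootkit works" section names three files HybridPetya writes to the EFI System Partition (`config`, `verify` and `counter` under `\EFI\Microsoft\Boot`) and notes that the bootkit itself is an EFI application installed on that partition. Those are the artifacts a responder would look for during triage. The following is an added example, not code from the article or from ESET: it walks a mounted ESP, flags the three named artifact paths (case-insensitively, since the ESP is FAT) and reports any `.efi` executable that is not on a baseline allowlist. The allowlist of expected Windows boot binaries is an assumption to adjust per fleet, the demo ESP trees are constructed in a temporary directory, and the dropped file name `sample_dropped.efi` is invented for the demo, not HybridPetya's real name. The format of the `config` file is not described on this page, so the status flag is not parsed.

```python
import tempfile
from pathlib import Path

# Files the ESET report says HybridPetya creates on the ESP, relative to its root.
HYBRIDPETYA_ARTIFACTS = (
    "EFI/Microsoft/Boot/config",
    "EFI/Microsoft/Boot/verify",
    "EFI/Microsoft/Boot/counter",
)

# Assumed baseline of EFI executables a stock Windows ESP carries (hypothetical;
# build yours from a known-good image). Lower-cased because FAT is case-insensitive.
EXPECTED_EFI_BINARIES = {
    "efi/microsoft/boot/bootmgfw.efi",
    "efi/microsoft/boot/bootmgr.efi",
    "efi/microsoft/boot/memtest.efi",
    "efi/boot/bootx64.efi",
}


def triage_esp(esp_root) -> list:
    """Return sorted (finding_type, relative_path) pairs for an ESP mounted at esp_root."""
    root = Path(esp_root)
    artifacts = {a.lower() for a in HYBRIDPETYA_ARTIFACTS}
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        key = rel.lower()
        if key in artifacts:
            findings.append(("hybridpetya-artifact", rel))
        # A bootkit needs its own EFI application on the ESP to run before the OS,
        # so any executable outside the baseline deserves a closer look.
        elif key.endswith(".efi") and key not in EXPECTED_EFI_BINARIES:
            findings.append(("unexpected-efi-binary", rel))
    return sorted(findings)


def _populate(root: Path, names) -> None:
    """Create placeholder files for a constructed sample ESP tree."""
    for name in names:
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed placeholder content")


def run_demo() -> dict:
    """Build a clean and an 'infected' constructed ESP in a temp dir and triage both."""
    baseline = ["EFI/Microsoft/Boot/bootmgfw.efi", "EFI/Boot/bootx64.efi", "EFI/Microsoft/Boot/BCD"]
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        infected = Path(tmp) / "infected"
        _populate(clean, baseline)
        _populate(infected, baseline + list(HYBRIDPETYA_ARTIFACTS)
                  + ["EFI/Microsoft/Boot/sample_dropped.efi"])
        return {"clean": triage_esp(clean), "infected": triage_esp(infected)}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, "->", result or "no findings")
```

On Windows the ESP is normally unmounted; `mountvol S: /S` from an elevated prompt exposes it, after which `triage_esp("S:\\")` can be run. On Linux it is usually mounted at `/boot/efi`. Because an active bootkit runs before and beneath the operating system, inspecting the partition from trusted boot media (or comparing against the dbx check above) is more reliable than trusting the view from a possibly compromised OS.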