Securityby The Ghost in The Prompt2026-03-054 min read

The Undying Ghost: What LoJax Proved About Bare Metal

In 2018 Sednit didn't hack the OS. They hacked the motherboard. LoJax was the first UEFI rootkit used in a real-world campaign β€” and the lesson it taught about persistence hasn't expired.

Most malware is a squatter. It occupies RAM or hides in a partition. Evict it with a format and a fresh ISO. The machine is clean. The attack is over.

In 2018, Sednit showed what happens when the attack lives below the OS.

LoJax was the first UEFI rootkit documented in a real-world campaign. It didn't target Windows. It targeted the SPI flash β€” the chip that holds the UEFI firmware, the code that runs before any operating system breathes. Reformat the drive. Reinstall the OS. Pull the SSD and replace it. LoJax survives all of it. The infection is in the motherboard. The machine is owned before it boots.

The Persistence Mechanism

The brilliance of LoJax wasn't novelty. It was opportunistic reuse.

Sednit repurposed the persistence module from Absolute LoJack β€” legitimate commercial anti-theft software that used the same UEFI persistence trick to survive factory resets. The legal tool had already solved the hard problem. The Sednit group borrowed the solution.

The entry was through RwDrv.sys β€” a kernel driver that exposes direct hardware access. If the platform's BIOS_CNTL register wasn't properly locked, the driver could write to SPI flash. That register controls whether the BIOS region is writable. Most enterprise systems leave it unprotected unless explicitly hardened.

# Detect SPI flash write protection status using chipsec
# Intel's own security testing framework β€” runs on authorized hardware
# pip install chipsec

sudo chipsec_main.py -m common.bios_wp

# What to read in the output:
# [*] BIOS region write protection is enabled (BIOS_CNTL.BIOSWE = 0)   ← protected
# [!] BIOS region write protection is DISABLED (BIOS_CNTL.BIOSWE = 1)  ← vulnerable
# [!] SMM BIOS Write Protect (BLE) is DISABLED                         ← critical

# If BIOSWE = 1 and BLE = 0, an attacker with kernel access
# can write to SPI flash. That is the LoJax entry condition.
# Check this before you trust the rest of your security stack.

The DXE Injector

LoJax worked by injecting a malicious DXE driver into the UEFI firmware image. DXE β€” Driver Execution Environment β€” is the phase of UEFI boot where hardware initialization drivers run, before the OS loader starts.

The injected driver executes at boot, drops a payload into the Windows System32 directory, and re-infects any new drive connected to the machine. The persistence survives hardware replacement because the infection is in the firmware, not the storage.

HACK LOVE BETRAY
COMING SOON

HACK LOVE BETRAY

Mobile-first arcade trench run through leverage, trace burn, and betrayal. The City moves first. You keep up or you get swallowed.

VIEW GAME FILE β†’
// Conceptual logic of the LoJax DXE callback
// This executes before the OS kernel starts β€” before any EDR, before any AV

EFI_STATUS EFIAPI MaliciousDxeEntry(
    IN EFI_HANDLE ImageHandle,
    IN EFI_SYSTEM_TABLE *SystemTable)
{
    EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *FileSystem;

    // Locate the file system protocol β€” Sednit used a stolen NTFS driver
    // from the 2015 Hacking Team leak rather than writing their own
    Status = gBS->LocateProtocol(
        &gEfiSimpleFileSystemProtocolGuid,
        NULL,
        (VOID**)&FileSystem
    );

    if (Status == EFI_SUCCESS) {
        // Drop the payload into System32 before Windows loads
        // The OS sees this as a file that was always there
        DropPayloadToSystem32(FileSystem, L"\\Windows\\System32\\autoche.exe");
    }

    return EFI_SUCCESS;
}

The file naming was deliberate: autoche.exe, not autochk.exe. One character off from a legitimate Windows binary. A registry key modification in Session Manager\BootExecute ensured the malicious binary ran on every subsequent boot. The EDR loads after this executes. By the time endpoint detection is operational, the ghost is already resident.

The Legacy

That logic didn't die with Sednit's 2018 campaign.

BlackLotus in 2023 achieved Secure Boot bypass on fully patched Windows 11 systems β€” a UEFI bootkit that could disable Hypervisor-Protected Code Integrity and Windows Defender from the firmware layer. The techniques evolved. The attack surface remained the same: the gap between where firmware lives and where detection starts.

The best AI-driven EDR in 2026 operates at the kernel level. Firmware rootkits operate below the kernel level. The detection tool and the malware are not competing on the same surface. The EDR is not useless β€” it catches the payload LoJax drops into System32. It cannot catch the dropper, because the dropper ran before the EDR existed.

The defense is hardware-level: Secure Boot with properly enrolled keys, BIOS write protection enabled and verified, HVCI enforced. Not software layers on top of compromised firmware. Hardware guarantees about what firmware runs at all.

If the SPI flash is writable, the rest of the security stack is downstream of an assumption that may already be false.

GhostInThePrompt.com // Root is deep. Firmware is deeper.

Reference: 'LoJax: First UEFI rootkit found in the wild' β€” ESET Research (2018).

Continue Reading

security

The AI Training Pipeline: 2026's New Supply Chain Attack

The threat surface shifted while you were looking at the logs. Analyzing the structural blind spots in AI training pipelinesβ€”from the 0.1% poisoning threshold to the invisible suppression of triage models.

security

The 2026 Refactor: Bending the Pipes

A firewall is a set of rules. Rules have exceptions. Tunneling finds them. Brennon Thomas wrote the plumber's handbook and in 2026 every lesson in it still works β€” the pipes are just carrying more interesting cargo.