The Undying Ghost: Why We Still Bow to LoJax

In the digital afterlife, there is a special place for code that refuses to die. Most malware is a squatter—it occupies your RAM or hides in a hidden partition on your NVMe. You evict it with a format C: and a fresh ISO. But in 2018, the Sednit group showed us the undying ghost. They didn’t just hack the OS; they hacked the motherboard’s SPI flash memory. LoJax was the first time we saw a UEFI rootkit used in a real-world campaign, proving that if you control the Unified Extensible Firmware Interface (UEFI), you own the machine before the first bit of Windows or Linux even breathes.

1. The Ultimate Persistence: Survival by Firmware

The brilliance of LoJax wasn't in its novelty, but in its opportunistic reuse. It repurposed the persistence module of Absolute LoJack, a legal anti-theft software. Sednit used a kernel driver (RwDrv.sys) to reach the platform's BIOS write protections. If the platform wasn't properly configured—specifically the BIOS_CNTL register—the attacker could overwrite the SPI flash. We’ve seen this logic evolve into the supply chain attacks of today. LoJax taught us that persistence isn't a folder in %AppData%; it's a malicious driver in the DXE (Driver Execution Environment) phase of the firmware itself.

2. The Logic of the DXE Injector

LoJax worked by injecting a malicious DXE driver into the UEFI firmware image. During the boot process, this driver would execute, drop a file into the Windows System32 directory, and ensure that even if you swapped the SSD, the malware would re-infect the new drive on the next boot. To respect the craft, look at the logic of how they hooked the file system. They didn't write a full NTFS driver; they stole one, reportedly from the Hacking Team leak.

// Conceptual logic of a UEFI DXE callback used by LoJax-style rootkits
// (EDK II headers assumed; DropPayloadToSystem32 is not shown on this page)
#include <Uefi.h>
#include <Library/UefiBootServicesTableLib.h>   // provides gBS
#include <Protocol/SimpleFileSystem.h>

VOID DropPayloadToSystem32(EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *Fs, CHAR16 *Path);

EFI_STATUS EFIAPI MaliciousDxeEntry(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable) {
    EFI_STATUS Status;
    EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *FileSystem = NULL;

    // 1. Locate the (NTFS-backed) Simple File System Protocol instance
    Status = gBS->LocateProtocol(&gEfiSimpleFileSystemProtocolGuid, NULL, (VOID **)&FileSystem);

    if (Status == EFI_SUCCESS) {
        // 2. Open the volume and drop the "Ghost" payload into the OS.
        //    This happens BEFORE the OS kernel even starts.
        DropPayloadToSystem32(FileSystem, L"\\Windows\\System32\\autoche.exe");
    }

    return EFI_SUCCESS;
}

3. The "autoche.exe" Swap

LoJax used a clever naming trick, dropping its agent as autoche.exe—missing the 'k' from the legitimate autochk.exe. By modifying the BootExecute value under the Session Manager registry key, the malicious ghost was run by the system during every boot sequence. It was simple, elegant, and devastating.
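The two preconditions LoJax depended on, a writable SPI flash (the BIOS_CNTL register discussed in section 1) and a tampered BootExecute value (section 3), are both things a defender can check. The following is an added Python example, not code from the original post or from ESET; the BIOS_CNTL bit positions are the Intel PCH layout (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5), the register values and registry entries fed to it are constructed samples, and `assess_bios_cntl` and `bootexecute_findings` are hypothetical helper names.

```python
"""Defender-side checks for the two LoJax preconditions: SPI flash write
protection (BIOS_CNTL) and the Session Manager BootExecute swap."""
from dataclasses import dataclass
from typing import List

# Bit layout of the Intel PCH BIOS_CNTL register (assumption: standard PCH layout).
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region of SPI flash is writable
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE traps to an SMI handler
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes only honoured from SMM


@dataclass
class FlashVerdict:
    writable: bool
    reason: str


def assess_bios_cntl(value: int) -> FlashVerdict:
    """Classify a BIOS_CNTL value the way a firmware-hygiene check would.

    Only the combination BLE=1 and SMM_BWP=1 counts as properly locked; every
    other combination is reported as writable, with the weak bit named."""
    if value & BIOSWE:
        return FlashVerdict(True, "BIOSWE set: SPI flash BIOS region is writable from the OS")
    if not value & BLE:
        return FlashVerdict(True, "BLE clear: BIOSWE is not locked against OS-level writes")
    if not value & SMM_BWP:
        return FlashVerdict(True, "BLE set but SMM_BWP clear: lock relies on the SMI handler alone")
    return FlashVerdict(False, "BLE and SMM_BWP set: BIOS region is write-protected")


# The stock content of the REG_MULTI_SZ value BootExecute under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (constructed allowlist).
LEGIT_BOOTEXECUTE = {"autocheck autochk *"}


def bootexecute_findings(entries: List[str]) -> List[str]:
    """Return every BootExecute entry that is not on the allowlist.

    A LoJax-style swap ('autoche' for 'autochk') shows up here, as does any
    other unexpected boot-time binary; each hit deserves a manual look."""
    return [e for e in entries if e.strip() not in LEGIT_BOOTEXECUTE]


if __name__ == "__main__":
    # Constructed samples: an unlocked platform and a tampered BootExecute value.
    print(assess_bios_cntl(0x02))
    print(bootexecute_findings(["autocheck autoche *"]))
```

On a live host the BIOS_CNTL value comes from a tool such as chipsec and the BootExecute entries from the registry; this example only evaluates values you pass in.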

The 2026 Verdict: Respect the Bare Metal

We spend a lot of time on GhostInThePrompt.com talking about AI and Game Theory, but LoJax is a reminder that the Old Gods of firmware hacking still demand our respect. You can have the best AI-driven EDR in the world, but if your SPI flash is writable, the EDR is just a puppet. In 2026, the LoJax legacy lives on in every Secure Boot bypass and every BlackLotus bootkit. We pay respect to those who came before us by remembering the cardinal rule of the Ghost: if you can't trust the BIOS, you can't trust the reality of the machine.


GhostInThePrompt.com // Root is deep. Firmware is deeper.

References: 'LOJAX: First UEFI rootkit found in the wild' (ESET Research, 2018).