Glupteba Botnet Avoids Detection with Undocumented UEFI Bootkit

February 13, 2024NewsroomCryptocurrency / Rootkit

Glupteba Botnet

the Glupteba The botnet was found to include a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature, adding another layer of sophistication and stealth to the malware.

“This bootkit can intervene and control the (operating system) boot process, which enables Glupteba to hide itself and create a hidden persistence that can be very difficult to detect and remove,” the Palo Alto Networks Unit 42 researchers Lior Rochberger and Dan Yashnik SAYS in an analysis on Monday.

Glupteba is a fully featured information stealer and backdoor capable of facilitating illicit cryptocurrency mining and deploying proxy components on infected hosts. It is also known to use the Bitcoin blockchain as a backup command-and-control (C2) system, making it resilient to takedown efforts.

Some of its other functions allow it to deliver additional payloads, siphon credentials, and credit card data, commit ad fraud, and even exploit routers to obtain credentials and remote administrative access. -access.


Over the past decade, modular malware has become a sophisticated threat that uses elaborate multi-stage infection chains to evade detection by security solutions.

A November 2023 campaign observed by the cybersecurity firm involved the use of pay-per-install (PPI) services such as Ruzki to distribute Glupteba. In September 2022, Sekoia linked Ruzki to activity clusters, using PrivateLoader as a conduit to spread the next stage of malware.

This takes the form of massive phishing attacks where PrivateLoader is delivered under the guise of installation files for cracked software, which then loads SmokeLoader which, in turn, launches RedLine Stealer and Amadey, which the latter finally dropped Glupteba.

Glupteba Botnet

“Threat actors often distribute Glupteba as part of a complex infection chain that spreads multiple malware families at the same time,” the researchers explained. “This infection chain often starts with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.”

In a sign that the malware is actively maintained, Glupteba has been equipped with a UEFI bootkit by including a modified version of an open-source project called EfiGuardwhich enables disabling PatchGuard and Driver Signature Enforcement (DSE) at boot time.

It is worth pointing out that earlier versions of the malware were found to “install a kernel driver that the bot uses as a rootkit, and make other changes that weaken the security posture of an infected host.”


“The Glupteba malware continues to stand as an outstanding example of the complexity and adaptability displayed by modern cybercriminals,” the researchers said.

“The identification of an undocumented UEFI bypass technique within Glupteba highlights this malware’s capacity for innovation and evasion. In addition, with its role in the distribution of Glupteba, the PPI ecosystem promotes collaboration and monetization strategies used by cybercriminals in their attempts at mass infections.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment