HybridPetya ransomware bootkit and Secure Boot bypass activity
Malware Activity
Summary
HybridPetya is a ransomware bootkit that targets UEFI-based Windows systems by installing a malicious EFI application on the EFI System Partition and encrypting the NTFS Master File Table. Researchers said some variants can exploit CVE-2024-7344 in the Howyar Reloader UEFI application to bypass UEFI Secure Boot, and the malware uses files such as `\EFI\Microsoft\Boot\verify`, `\EFI\Microsoft\Boot\counter`, `\EFI\Boot\bootx64.efi`, `\EFI\Microsoft\Boot\bootmgfw.efi`, and `cloak.dat`. The sample seen by ESET on VirusTotal appears inspired by Petya/NotPetya, shows a fake CHKDSK-style screen during encryption, and demands $1,000 in Bitcoin. Telemetry cited in the reporting shows no evidence in the wild, and Microsoft says systems patched with the January 2025 Patch Tuesday update or later are protected.
Related Happenings
Dragon Boss Solutions LLC adware malicious update
Malware Activity
First: 16.04.2026 22:07
Last: 16.04.2026 22:07
Sources 1
About this happening:
A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
Google Drive ransomware detection reaches general availability and turns on by default
Security Tool/Service
First: 01.04.2026 09:35
Last: 01.04.2026 09:35
Sources 1
About this happening:
**Google Drive**'s **AI-powered ransomware detection** has reached **general availability** and is now **enabled by default** for paying users, expanding automatic protection for...
EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical Analysis
First: 19.03.2026 20:52
Last: 19.03.2026 20:52
Sources 1
About this happening:
**54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
First: 04.02.2026 19:24
Last: 04.02.2026 19:24
Sources 1
About this happening:
The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
EDR killer abusing EnPortv.sys to disable 59 security tools
Malware Activity
First: 04.02.2026 16:17
Last: 04.02.2026 16:17
Sources 1
About this happening:
A custom **EDR killer** abused **EnPortv.sys** to disable endpoint security tools on infected Windows hosts, creating a window for follow-on intrusion activity. The 64-bit executa...
Timeline
12.09.2025 14:50 · 4 articles
HybridPetya ransomware bootkit disclosure
Initial Disclosure
HybridPetya is a newly identified ransomware strain that resembles Petya/NotPetya, uses a bootkit and installer to target UEFI-based Windows systems, and can encrypt the NTFS Master File Table through a malicious EFI application on the EFI System Partition. Select variants can exploit CVE-2024-7344 in the Howyar Reloader UEFI application to bypass UEFI Secure Boot. The recovered artifacts include a ransom flow demanding $1,000 in Bitcoin, a fake CHKDSK-style screen, and files such as `\EFI\Microsoft\Boot\verify`, `\EFI\Microsoft\Boot\counter`, `\EFI\Boot\bootx64.efi`, `\EFI\Microsoft\Boot\bootmgfw.efi`, and `cloak.dat`. Telemetry shows no evidence of in-the-wild use, and Microsoft revoked the vulnerable binary in the January 2025 Patch Tuesday update.
Sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot — www.darkreading.com — 15.09.2025 23:59
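The Summary and the timeline entry above both list the ESP artifacts the bootkit drops and note that the January 2025 update revokes the vulnerable Reloader binary. The following PowerShell hunt script is an added example (not from ESET, Microsoft, or any of the cited reports) that turns those two facts into a host check: it mounts the EFI System Partition, looks for the named indicator files, reports the Authenticode status and SHA-256 of the two boot binaries the page mentions, and records Secure Boot state plus a fingerprint of the dbx revocation list. Assumptions not taken from the page: it runs elevated on Windows, `mountvol`, `Get-AuthenticodeSignature`, `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` are available, a legitimate `bootmgfw.efi` carries a valid Microsoft signature, and you keep a known-good dbx hash from a patched machine to compare against.

```powershell
# Added example: hunt a Windows host for the HybridPetya ESP artifacts named in the
# reporting and record Secure Boot / dbx state. Not the vendor's or the report's code.
# Assumption: run from an elevated PowerShell session on a UEFI Windows system.
$ErrorActionPreference = 'Stop'

# Indicator paths relative to the ESP root, as listed in the reporting.
$IndicatorFiles = @(
    'EFI\Microsoft\Boot\verify',
    'EFI\Microsoft\Boot\counter'
)
# The reporting names cloak.dat without a directory, so it is searched for recursively.
$IndicatorNames = @('cloak.dat')

# Boot binaries the bootkit is reported to use; checked for signature and hashed for triage.
$BootBinaries = @(
    'EFI\Boot\bootx64.efi',
    'EFI\Microsoft\Boot\bootmgfw.efi'
)

function Get-FreeDriveLetter {
    # Pick an unused letter (Z down to N) to mount the ESP on.
    $used = (Get-PSDrive -PSProvider FileSystem).Name
    foreach ($code in 90..78) {
        $letter = [string][char]$code
        if ($used -notcontains $letter) { return $letter }
    }
    throw 'No free drive letter available to mount the ESP.'
}

function Get-BytesSha256([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return ([BitConverter]::ToString($sha.ComputeHash($Bytes)) -replace '-', '') }
    finally { $sha.Dispose() }
}

$Drive = Get-FreeDriveLetter
$Root  = "${Drive}:\"
& mountvol.exe "${Drive}:" /S          # /S mounts the EFI System Partition
if ($LASTEXITCODE -ne 0) { throw "mountvol could not mount the ESP on ${Drive}:" }

$findings = @()
try {
    # 1. Indicator files at the paths the reporting gives.
    foreach ($rel in $IndicatorFiles) {
        $p = Join-Path $Root $rel
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{
                Check = 'Indicator file present'; Path = $p
                Detail = "size=$((Get-Item -LiteralPath $p).Length)"
            }
        }
    }
    # 2. Indicator files known only by name, anywhere on the ESP.
    foreach ($name in $IndicatorNames) {
        Get-ChildItem -LiteralPath $Root -Recurse -File -Filter $name -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Check = 'Indicator file present'; Path = $_.FullName; Detail = "size=$($_.Length)"
                }
            }
    }
    # 3. Boot binaries: an invalid or missing signature on bootmgfw.efi is the lead to chase.
    foreach ($rel in $BootBinaries) {
        $p = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Check  = if ($sig.Status -eq 'Valid') { 'Boot binary (signed)' } else { 'Boot binary (SIGNATURE NOT VALID)' }
            Path   = $p
            Detail = "status=$($sig.Status) signer=$($sig.SignerCertificate.Subject) sha256=$hash"
        }
    }
    # 4. Secure Boot state and a dbx fingerprint. The January 2025 update revokes the
    #    vulnerable Reloader binary through dbx; compare this hash with a patched baseline
    #    you maintain (assumption: such a baseline exists in your environment).
    $sbState = try { [string](Confirm-SecureBootUEFI) } catch { 'unsupported or not UEFI' }
    $dbxHash = try { Get-BytesSha256 -Bytes (Get-SecureBootUEFI -Name dbx).Bytes } catch { 'unavailable' }
    $findings += [pscustomobject]@{ Check = 'Secure Boot enabled'; Path = '-'; Detail = $sbState }
    $findings += [pscustomobject]@{ Check = 'dbx SHA-256';         Path = '-'; Detail = $dbxHash }
}
finally {
    & mountvol.exe "${Drive}:" /D | Out-Null   # always unmount the ESP
}

$findings | Format-Table -AutoSize -Wrap
```

Treat any "Indicator file present" row or a boot binary whose signature status is not `Valid` as a reason to image the disk and escalate rather than to clean up in place, since the ESP contents are exactly what a bootkit controls; and if Secure Boot reports `False`, the CVE-2024-7344 bypass described above is not even needed for unsigned EFI code to run.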