CyberHappenings logo
☰

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

New HybridPetya Ransomware Exploits UEFI Secure Boot Bypass Vulnerability

First reported
Last updated
πŸ“° 3 unique sources, 3 articles

Summary

Hide β–²

A new ransomware variant, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware but includes the ability to bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and can compromise modern UEFI-based systems. The ransomware operates through a bootkit and an installer, with the bootkit managing encryption and decryption processes. The ransomware has been observed in samples uploaded to VirusTotal in February 2025, with no evidence of active use in the wild. The vulnerability exploited by HybridPetya was patched in January 2025. The ransomware encrypts the MFT and displays a fake CHKDSK message to deceive victims. It demands a $1,000 ransom in Bitcoin, with a total of $183.32 received between February and May 2025. The ransom note provides an option for victims to enter a decryption key after payment, which triggers the decryption process. The bootkit also recovers legitimate bootloaders from backups created during installation. The ransomware triggers a system crash during bootloader changes, ensuring the bootkit binary is executed upon reboot. HybridPetya may be a research project, proof-of-concept, or early version of a cybercrime tool under limited testing. HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect. The emergence of HybridPetya highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level.

Timeline

  1. 12.09.2025 14:50 πŸ“° 3 articles Β· ⏱ 5d ago

    HybridPetya Ransomware Samples Uploaded to VirusTotal

    Researchers have discovered that HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect. The ransomware's ability to persist on a system even if the operating system is reinstalled or the hard drive is wiped. HybridPetya mirrors NotPetya’s ability to cause significant system disruption but also allows operators to reconstruct the victim's decryption key and recover their data. The article also highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level, mentioning at least three other publicly known examples of similar malware: BlackLotus, Bootkitty, and Hyper-V Backdoor.

    Show sources

Information Snippets

Similar Happenings

SEO Poisoning Campaign Targets Chinese Users with HiddenGh0st, Winos, and kkRAT

A sophisticated SEO poisoning campaign targets Chinese-speaking users with malware, including HiddenGh0st, Winos, and kkRAT. The attackers manipulate search rankings to distribute trojanized installers for popular software, leading to the deployment of remote access trojans (RATs). The malware employs various techniques to evade detection and achieve persistence, including anti-analysis checks, DLL side-loading, and TypeLib COM hijacking. The campaign aims to establish command-and-control communication, monitor user activity, and steal sensitive information. The attackers use fake software sites and GitHub Pages to distribute malware. The malware is designed to disable antivirus software and achieve persistence through scheduled tasks and registry modifications. The campaign has been active since at least May 2025 and involves multiple malware families, including kkRAT, which shares code similarities with Gh0st RAT and Big Bad Wolf.

Active exploitation of CVE-2025-5086 in DELMIA Apriso

CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.

Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Tools

The Gentlemen ransomware gang uses a vulnerable driver to evade detection and disable security products in enterprise environments. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack, leveraging the ThrottleStop.sys driver to terminate antivirus and EDR processes. The ransomware has been observed since this summer and demonstrates advanced capabilities, including tailored bypasses for specific security vendors. The vulnerability (CVE-2025-7771) was discovered by Kaspersky researchers during a ransomware incident in Brazil. The Gentlemen ransomware uses ThrottleBlood.sys, a renamed version of the legitimate ThrottleStop.sys driver, to exploit the vulnerability and gain kernel-level access. The ransomware also employs All.exe and Allpatch2.exe, which are AV killers designed to terminate security software and disable protective services. The group has shifted from generic attacks to more customized and targeted approaches, adapting their tactics based on the security defenses of their targets. They use PowerRun.exe for privilege escalation and to bypass security products.

EvilAI Malware Campaign Targets Multiple Sectors Globally

A threat actor, tracked as EvilAI, is using AI-enhanced malware disguised as legitimate productivity and AI-enhanced apps to target organizations in various sectors worldwide. The malware is spread rapidly across multiple regions, including the US, India, the UK, Germany, France, and Brazil. The malware features realistic functionality and stealthy payload delivery, making it difficult to detect with traditional antivirus tools. The campaign uses digital signatures from newly registered entities to lend authenticity to the malicious apps. Once installed, the malware performs extensive reconnaissance, disables security products, and sets the stage for future exploit activities. The malware is likely being used by an initial access broker (IAB) to gain initial access and establish persistence.

Vidar Infostealer Campaigns Employ New Obfuscation Techniques

Vidar infostealer, active since 2018, has returned with enhanced stealth and persistence. This new campaign, identified by Aryaka, uses encrypted C2 channels, LOLBins, and covert exfiltration methods. Vidar spreads via phishing, malicious websites, and malvertising, targeting credentials, OS details, cookies, and financial data. The malware employs sophisticated evasion techniques, including PowerShell scripts, Windows Defender exceptions, and bypassing AMSI. It maintains persistence through scheduled tasks and hooks into the CryptProtectMemory API to access encrypted data. The C2 server uses TLS encryption for data exfiltration.