ESET researchers have discovered HybridPetya, a bootkit-and-ransomware combo that’s a copycat of the infamous Petya/NotPetya malware, augmented with the capability of compromising UEFI-based systems and weaponizing CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems.
The sample was uploaded from Poland to the malware-scanning platform VirusTotal, and ESET telemetry shows no signs of the malware being used in the wild yet.
About HybridPetya
“Late in July 2025, we encountered suspicious ransomware samples under various filenames, including notpetyanew.exe and other similar ones, suggesting a connection with the infamously destructive malware that struck Ukraine and many other countries back in 2017,” says ESET researcher Martin Smolár, who made the discovery.
“The NotPetya attack is believed to be the most destructive cyberattack in history, with more than $10 billion in total damages. Due to the shared characteristics of the newly discovered samples with both Petya and NotPetya, we named this new malware HybridPetya.”
Unlike the original NotPetya, whose victim key was generated in a way that left the data unrecoverable, HybridPetya's algorithm for generating the victim's personal installation key lets the operator reconstruct the decryption key from that installation key. HybridPetya therefore remains viable as ordinary ransomware, more like the original Petya.
HybridPetya’s execution logic (Source: ESET)
HybridPetya can also compromise modern UEFI-based systems by installing a malicious EFI application to the EFI System Partition. That UEFI application then encrypts the NTFS Master File Table (MFT), the metadata file that records every file on the NTFS-formatted partition; without a readable MFT the volume's files cannot be located even though their contents remain on disk.
“After a bit more digging, we discovered something even more interesting on VirusTotal: an archive containing the whole EFI System Partition contents, including a very similar HybridPetya UEFI application, but this time bundled in a specially formatted cloak.dat file, vulnerable to CVE-2024-7344 – the UEFI Secure Boot bypass vulnerability that our team disclosed in early 2025,” adds Smolár.
ESET's January 2025 publications deliberately withheld the exploitation details, so the malware author most likely reconstructed the correct cloak.dat format by reverse engineering the vulnerable application themselves.
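One practical follow-up to the ESP implant and the cloak.dat finding above is a triage pass over a mounted EFI System Partition. The script below is an added example, not ESET's or the malware author's code: it walks the ESP, hashes every file, flags any file named cloak.dat, and for each PE/COFF image reports whether it carries an Authenticode certificate table (data directory entry 4). The ESP layout it builds for the demo, including the file name stage2.efi, is constructed and hypothetical.

```python
"""Triage a mounted EFI System Partition (ESP) for bootkit indicators.

Added example, not ESET's code. Flags cloak.dat (the payload container
format abused via CVE-2024-7344), reports whether each PE/COFF image has an
Authenticode certificate table, and hashes everything for cross-checking.
"""
import hashlib
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    path: str                        # path relative to the ESP root
    sha256: str
    has_cert_table: Optional[bool]   # None means the file is not a PE image
    reason: str                      # empty when nothing stood out

def pe_has_certificate_table(data: bytes) -> Optional[bool]:
    """True/False for a PE image with/without a Security data directory
    (where the Authenticode signature lives); None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt = pe_off + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                   # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                 # PE32+ (what UEFI x64 images use)
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if ndirs_off + 4 > len(data):
        return None
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    if ndirs <= 4:                       # no IMAGE_DIRECTORY_ENTRY_SECURITY slot at all
        return False
    sec = dirs_off + 4 * 8               # entry 4: (VirtualAddress, Size)
    if sec + 8 > len(data):
        return None
    rva, size = struct.unpack_from("<II", data, sec)
    return rva != 0 and size != 0

def scan_esp(root: str) -> List[Finding]:
    """Walk the mounted ESP and return one Finding per file, sorted by path."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            cert = pe_has_certificate_table(data)
            reason = ""
            if name.lower() == "cloak.dat":
                reason = "cloak.dat: payload container format abused via CVE-2024-7344"
            elif cert is False:
                reason = "PE image without Authenticode certificate table"
            elif cert is None and name.lower().endswith(".efi"):
                reason = ".efi file that is not a PE/COFF image"
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append(Finding(rel, hashlib.sha256(data).hexdigest(), cert, reason))
    return sorted(findings, key=lambda f: f.path)

def make_test_pe(with_cert_table: bool) -> bytes:
    """Minimal PE32+ header with no sections; constructed for testing only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)                     # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    if with_cert_table:
        struct.pack_into("<II", dirs, 4 * 8, 0x400, 0x200)  # non-empty Security directory
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(dirs)

def demo() -> List[Finding]:
    """Build a constructed ESP tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        boot = os.path.join(root, "EFI", "Microsoft", "Boot")
        os.makedirs(boot)
        files = {
            os.path.join(boot, "bootmgfw.efi"): make_test_pe(True),   # carries a cert table
            os.path.join(boot, "cloak.dat"): b"\x00" * 64,             # constructed stand-in
            os.path.join(boot, "stage2.efi"): make_test_pe(False),    # hypothetical unsigned image
        }
        for path, data in files.items():
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_esp(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{'SUSPICIOUS' if f.reason else 'ok':10} {f.path}  sha256={f.sha256[:16]}...  {f.reason}")
```

Point it at the mount point of the real ESP (for example /boot/efi on Linux, or a drive letter assigned with mountvol /S on Windows). Treat the output as triage, not verification: a present certificate table says nothing about whether the signature chains to a key in db, and a vendor-signed loader that has since been revoked through dbx still shows up as signed here. The page's own caveat applies: CVE-2024-7344 only bypasses Secure Boot on systems that have not received the revocation update, so confirming the dbx is current is the companion check.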
ESET telemetry shows no active use of HybridPetya in the wild yet, so it may be a proof of concept developed by a security researcher or by an as-yet-unknown threat actor. It also lacks the aggressive network propagation that made the original NotPetya so damaging.
“HybridPetya is now at least the fourth publicly known example of a real or proof-of-concept UEFI bootkit with UEFI Secure Boot bypass functionality, joining BlackLotus (exploiting CVE‑2022‑21894), BootKitty (exploiting LogoFail), and the Hyper-V Backdoor PoC (exploiting CVE‑2020‑26200),” Smolár noted.
“This shows that Secure Boot bypasses are not just possible – they’re becoming more common and attractive to both researchers and attackers.”