In late July 2025, a series of ransomware samples surfaced on VirusTotal under filenames referencing the notorious Petya and NotPetya attacks.
Unlike its predecessors, this new threat—dubbed HybridPetya by ESET analysts—exhibited capabilities that extended beyond conventional userland execution, directly targeting UEFI firmware on vulnerable systems.
Through a specially crafted cloak.dat archive and the exploitation of CVE-2024-7344, HybridPetya achieves a Secure Boot bypass on outdated platforms, allowing it to install a malicious EFI application into the EFI System Partition.
HybridPetya’s emergence marks a significant evolution in bootkit design. The malware leverages a dual-component architecture: a Windows-based installer and an EFI bootkit.
Upon deployment, the installer locates the EFI System Partition, backs up the legitimate bootloaders, drops a Salsa20-encrypted configuration file (\EFI\Microsoft\Boot\config), and plants an encrypted verification array (\EFI\Microsoft\Boot\verify).
A triggered BSOD then forces the system to reload through the compromised bootloader, activating the EFI component at next startup.
ESET researchers identified that HybridPetya supports both legacy and UEFI systems; however, its true innovation lies in bypassing UEFI Secure Boot via the CVE-2024-7344 vulnerability.
On affected systems lacking Microsoft's January 2025 dbx update, the malicious reloader.efi application masquerades as a trusted Microsoft-signed binary.
When executed, it treats the accompanying cloak.dat file as a legitimate payload, loading and executing the XOR-obfuscated EFI bootkit without signature verification.
This technique mirrors the exploitation method detailed by ESET in earlier advisory reports, albeit weaponized within a ransomware framework.
Once the EFI bootkit gains control during the pre-OS phase, it reads its configuration and encryption flag.
If the flag is set to “ready for encryption,” the bootkit extracts the Salsa20 key and nonce, rewrites the configuration flag, and encrypts the NTFS Master File Table (MFT) on all detected partitions.
During this process, a deceptive CHKDSK-like progress message is displayed to the victim, masking the malicious activity.
After encryption completes, the system reboots, presenting a NotPetya-style ransom note.
Infection Mechanism and Persistence
HybridPetya’s infection mechanism hinges on the interplay between its Windows installer and UEFI bootkit.
The installer begins by calling the native API NtRaiseHardError to induce a shutdown, ensuring the malicious bootloader will execute on restart:
NtRaiseHardError(STATUS_HOST_DOWN, 0, 0, NULL, OptionShutdownSystem, &Response);
This forced crash guarantees that the UEFI component runs at the next boot, either under Secure Boot enforcement or, on outdated systems, with Secure Boot bypassed.
Upon reboot, the EFI application locates \EFI\Microsoft\Boot\config, examines the encryption flag, and branches into encryption or decryption logic.
For decryption, the victim must input a 32-character key; the EFI bootkit then decrypts the verify file and, if the plaintext matches a series of 0x07 bytes, proceeds to restore the MFT and the legitimate bootloaders from their .old backups.
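The key check described above, as an added example in Python that is not code from the article or from ESET: Salsa20 is written out from the public specification, and a key is accepted only if the verify blob decrypts to all 0x07 bytes, which is the same check an incident responder can run offline on a copy of the verify file to validate a recovered key before attempting any MFT restoration. Assumed, because the article does not say: the typed 32-character key is used directly as the 256-bit Salsa20 key, the nonce is the one stored in the configuration file, and the verify blob is 32 bytes; the sample key, nonce and blob are constructed.

```python
import struct

SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _quarter(x, a, b, c, d):
    """Salsa20 quarter-round applied in place to state words a, b, c, d."""
    x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)

def _salsa20_block(key, nonce, counter):
    """One 64-byte keystream block for a 256-bit key, 8-byte nonce, 64-bit counter."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    s = [SIGMA[0], *k[:4], SIGMA[1], *n, counter & MASK, counter >> 32,
         SIGMA[2], *k[4:], SIGMA[3]]
    x = list(s)
    for _ in range(10):  # 20 rounds: a column round followed by a row round
        _quarter(x, 0, 4, 8, 12); _quarter(x, 5, 9, 13, 1)
        _quarter(x, 10, 14, 2, 6); _quarter(x, 15, 3, 7, 11)
        _quarter(x, 0, 1, 2, 3); _quarter(x, 5, 6, 7, 4)
        _quarter(x, 10, 11, 8, 9); _quarter(x, 15, 12, 13, 14)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, s)))

def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (the operation is symmetric) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _salsa20_block(key, nonce, i // 64)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)

def key_is_valid(key, nonce, verify_blob):
    """The bootkit's test: the key is right only if 'verify' decrypts to all 0x07."""
    if len(key) != 32:  # the ransom note demands a 32-character key
        return False
    return salsa20_xor(key, nonce, verify_blob) == b"\x07" * len(verify_blob)

# Constructed sample values (not from the real malware): the attacker-side key and
# nonce, and the encrypted verify blob the installer would drop (32 bytes assumed).
DEMO_KEY = b"0123456789abcdef0123456789abcdef"
DEMO_NONCE = b"\x01\x02\x03\x04\x05\x06\x07\x08"
DEMO_VERIFY = salsa20_xor(DEMO_KEY, DEMO_NONCE, b"\x07" * 32)
```

key_is_valid(DEMO_KEY, DEMO_NONCE, DEMO_VERIFY) returns True, while any other 32-byte key, or a key of the wrong length, returns False without touching any MFT data.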
By embedding this persistence directly into the firmware layer, HybridPetya ensures the ransomware cannot be removed by standard OS-level remediation tools, elevating its resilience and framing it as a milestone in firmware-targeted threats.