Bootkit: What it is, why it’s hard to spot, and how to remove it safely

Bootkit

What it is

A bootkit is stealthy malware that buries itself in the startup area of a PC (MBR/UEFI), so it runs before Windows. That early start lets it hide other malware, survive reboots, and dodge many on-device scans.

What you may notice

  • Odd boot behavior: extra delay, crashes, or unexpected reboot loops

  • Security tools disabled or detections that keep coming back after cleanup

  • BitLocker/Secure Boot warnings, or boot order changing on its own

How it works

  • Infects the bootloader or firmware so code runs at power-on

  • Hooks low-level disk or OS functions to hide files and traffic

  • Can reinstall companion malware even after you think you removed it

If you suspect a bootkit (safe cleanup)

  1. Disconnect from the network; power down.

  2. Scan from outside Windows using trusted bootable rescue media.

  3. Restore the boot chain: re-enable Secure Boot, repair boot records, or reinstall Windows if required.

  4. Update firmware/BIOS and drivers; then rescan.

  5. Change passwords from a clean device; watch accounts for alerts.

Prevent it

  • Keep Secure Boot on; prefer UEFI over legacy boot.

  • Update firmware/BIOS, OS, and drivers regularly.

  • Block booting from untrusted USB/DVD; set a BIOS/UEFI admin password.

  • Use reputable real-time protection and avoid cracked installers.
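As an added example for the symptom and prevention lists above (it is not part of the original glossary entry), here is a read-only PowerShell baseline check that reports the boot-security state the lists refer to: firmware mode, Secure Boot, firmware version and date, BitLocker status, and the firmware boot entries. It assumes an elevated prompt on Windows 8 or later and uses only built-in cmdlets; `Confirm-SecureBootUEFI` throws on legacy-BIOS systems and `Get-BitLockerVolume` is absent on editions without BitLocker, so both are wrapped in try/catch. It changes nothing; save the output after a clean setup so that a later run can be compared against it.

```powershell
# Added example (not from the glossary page): read-only boot-security baseline for Windows.
# Run from an elevated PowerShell prompt. Reports state only; no settings are changed.

$report = [ordered]@{}

# 1. Firmware mode. Secure Boot needs UEFI; "Legacy" means a BIOS/MBR boot path.
$report['FirmwareType'] = $env:firmware_type

# 2. Secure Boot state. The cmdlet throws on legacy-BIOS machines, so an error means "not available".
try {
    $report['SecureBoot'] = Confirm-SecureBootUEFI
} catch {
    $report['SecureBoot'] = "unavailable ($($_.Exception.Message))"
}

# 3. Firmware version and release date, so an outdated BIOS/UEFI stands out.
$bios = Get-CimInstance -ClassName Win32_BIOS
$report['FirmwareVersion'] = $bios.SMBIOSBIOSVersion
$report['FirmwareDate']    = $bios.ReleaseDate

# 4. BitLocker status of the OS volume (cmdlet missing on editions without BitLocker).
try {
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $report['BitLocker'] = "$($osVol.ProtectionStatus) / $($osVol.VolumeStatus)"
} catch {
    $report['BitLocker'] = 'unavailable'
}

# 5. Firmware boot entries and order. Entries you did not create, or a changed order,
#    match the "boot order changing on its own" symptom; keep this text for comparison.
$report['FirmwareBootEntries'] = (bcdedit /enum firmware 2>&1) -join "`n"

# Print the report as aligned key/value lines.
$report.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }

# Flag the two settings the prevention list calls out.
if ($env:firmware_type -ne 'UEFI') {
    Write-Warning 'Legacy BIOS boot: Secure Boot cannot be enabled in this mode.'
}
if ($report['SecureBoot'] -ne $true) {
    Write-Warning 'Secure Boot is off or unavailable.'
}
```

Redirect the output to a file (for example `.\boot-baseline.ps1 > baseline.txt`) right after a clean install or firmware update, and diff a fresh run against it whenever the boot behaviour in the symptom list appears.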
