UEFI Rootkit - what it is, why it’s dangerous, and how to spot and recover from it

UEFI Rootkit

What it is

A UEFI rootkit is malware that hides inside a computer’s firmware - the low-level code that starts your PC before Windows loads. Because it lives in the UEFI firmware (the modern replacement for the old BIOS), it runs first at every boot, stays hidden from normal scans, and can even survive wiping the disk or reinstalling Windows.

Why it matters

If attackers own the firmware, they can control what loads next, hide other malware, and bring it back after you think you cleaned the PC. It’s one of the hardest infections to spot and remove.

How it works

  • Break in: attacker gets admin rights through a bug, phishing, or a bad driver/loader.

  • Plant: malicious code is written to the UEFI firmware or its boot files.

  • Boot first: on power-up, the rootkit runs before Windows and hides itself.

  • Assist: it launches or reinstalls other malware with high privileges.

Red flags

  • Malware keeps returning after a full Windows reinstall.

  • Secure Boot gets disabled without you doing it.

  • Unknown or unsigned drivers appear; security tools crash or won’t start.

  • Odd boot errors or firmware updates that fail repeatedly.

Do it right

  • Keep firmware (UEFI), drivers, and Windows fully updated; enable Secure Boot and TPM.

  • Only install drivers/software from trusted sources; avoid unsigned drivers.

  • Use reputable security tools with boot-level integrity checks.

  • If you strongly suspect a UEFI compromise: back up files, update/reflash the firmware from the motherboard or device maker, then do a clean Windows install and change passwords from a clean device.
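The checks below turn the red flags and the Secure Boot/TPM advice above into one report you can run from an elevated PowerShell prompt. This is an added example, not code from the original article; it only reports state (a failed check means investigate, not that the machine is definitely compromised), and the function name Get-BootIntegritySnapshot is my own.

```powershell
# Added example: snapshot of the boot-integrity settings the article tells you to keep on.
# Run as Administrator; Get-Tpm and Confirm-SecureBootUEFI need elevation.

function Get-BootIntegritySnapshot {
    $result = [ordered]@{}

    # Secure Boot should be $true. The cmdlet throws on legacy-BIOS machines, so catch that.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = "unavailable ($($_.Exception.Message))"
    }

    # TPM present and ready is the expected state on a healthy system.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        $result.TpmPresent = "unavailable ($($_.Exception.Message))"
        $result.TpmReady   = $false
    }

    # Firmware vendor, version and date: compare against the maker's current release.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result.FirmwareVendor  = $bios.Manufacturer
    $result.FirmwareVersion = $bios.SMBIOSBIOSVersion
    $result.FirmwareDate    = $bios.ReleaseDate

    # Unsigned drivers: every entry here deserves a closer look (the article's red flag).
    $result.UnsignedDrivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.IsSigned -eq $false -and $_.DeviceName } |
        Select-Object -ExpandProperty DeviceName -Unique

    return [pscustomobject]$result
}

$snapshot = Get-BootIntegritySnapshot
$snapshot | Format-List

# Surface the red-flag conditions in one place.
if ($snapshot.SecureBootEnabled -ne $true) { Write-Warning "Secure Boot is not confirmed enabled." }
if ($snapshot.TpmReady -ne $true)          { Write-Warning "TPM is not present or not ready." }
if ($snapshot.UnsignedDrivers)             { Write-Warning "Unsigned drivers: $($snapshot.UnsignedDrivers -join ', ')" }
```

Save the output from a known-good machine and diff it against later runs: a Secure Boot value that flips to false, or a firmware version that moves without a planned update, is the kind of change the Red flags list describes.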
