BOOTKITTY: A Stealthy Bootkit-Rootkit Against Modern Operating Systems

Junho Lee, Mokpo National University; Jihoon Kwon, Korea University; HyunA Seo, Sungshin Women's University; Myeongyeol Lee, Chosun University; Hyungyu Seo, Keimyung University; Jinho Jung, Ministry of National Defense; Hyungjoon Koo, Sungkyunkwan University

Bootkits and rootkits are among the most elusive and persistent forms of malware, subverting system defenses by operating at the lowest levels of system architecture. Bootkits compromise the firmware or bootloader, allowing them to manipulate the boot sequence and gain control before security mechanisms initialize. Meanwhile, rootkits embed themselves within the OS kernel, stealthily conceal malicious activities, and maintain long-term persistence. Despite their critical implications for security, these threats remain underexplored due to the technical complexity involved in their study, the scarcity of real-world samples, and the challenges posed by defense-in-depth security in modern OSes.

In this paper, we introduce BOOTKITTY, a hybrid bootkit-rootkit capable of circumventing modern security features across multiple OS platforms: Windows, Linux, and Android. We explore critical firmware and bootloader vulnerabilities that can lead to a low-level compromise, demonstrating techniques that bypass advanced security protections by breaking the chain of trust. Our study addresses technical challenges such as exploiting UEFI drivers, manipulating kernel memory, and evading advanced mitigations in the boot process, and provides actionable insights. Our systematic evaluation shows that BOOTKITTY exposes critical weaknesses in contemporary security mechanisms, highlighting the need for a security design that offers holistic, low-level protection.


BibTeX
@inproceedings {309153,
author = {Junho Lee and Jihoon Kwon and HyunA Seo and Myeongyeol Lee and Hyungyu Seo and Jinho Jung and Hyungjoon Koo},
title = {{BOOTKITTY}: A Stealthy {Bootkit-Rootkit} Against Modern Operating Systems},
booktitle = {19th USENIX WOOT Conference on Offensive Technologies (WOOT 25)},
year = {2025},
isbn = {978-1-939133-50-2},
address = {Seattle, WA},
pages = {303--320},
url = {https://www.usenix.org/conference/woot25/presentation/lee},
publisher = {USENIX Association},
month = aug
}
