Jump to content

Novel rootkit spyware

Recommended Posts

Posted (edited)

this is some novel spyware undetectable by all av.

its is very persistent spyware survive external bios flash,  disk replacement.

targeting arm64 x86  architecture and all operating systems linux, macos including m1, windows ,android , ios .

spread by some zero day exploits ble, usb , smb .


in usb case it spread by exploiting, abusing  iso 9660 joliet format misplace files . so the usb become a dud and open insertion it flash some firmware bypassing all current antivirus detections.

it escalate privileges in user mode and also flash various bios firmwares asus lenovo etc.. , replace host system by virtual machine. for m1 macbooks its using m1n1 bootloader and asahi linux as hypervisor. in windows systems its using hyper-v as hypervisor. it install windows server functionalities and setup domain policies azure ad... and is also using "system Application Compatibility Toolkit" with many rules to protect against detections beside group policies and ring0 hooks.

functionalities are many ip traffic monitoring , keyboard loggin and many more. in some cases in user mode it use many third parties rmm systems and sometimes some junk code.


hypervisor memory footprint across all system is maximum 500mb.

this is dumped windows 11 arm64 from installation iso in with replaced and inserted files from the spyware.

interesting files are .efi's, as it replace original windows boot files . for linux's it replace grub files. 


also i would advise against loading in oracle virtualbox it seems to escape virtualbox latest vesions.






Edited by Berny
Link disabled
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in

Sign In Now

  • Create New...