Glupteba Malware Evolves with Stealthy UEFI Bootkit

The Glupteba botnet, renowned for its multifaceted capabilities as an information stealer and backdoor, has reached a new level of sophistication with the incorporation of an undocumented Unified Extensible Firmware Interface (UEFI) bootkit.

This feature enables Glupteba to exert control over the operating system boot process, granting it stealthy persistence that is exceptionally challenging to detect and remove. Beyond its bootkit functionality, Glupteba boasts diverse functionalities, including cryptocurrency mining, proxy component deployment, credential and credit card data theft, ad fraud, and router exploitation for remote administrative access.

The malware’s resilience is further enhanced by its use of the Bitcoin blockchain as a backup command-and-control system. Notably, Glupteba is distributed through complex infection chains orchestrated via pay-per-install (PPI) services like Ruzki, leveraging multiple malware families such as PrivateLoader, SmokeLoader, RedLine Stealer, and Amadey. This intricate distribution network highlights the collaborative and monetization strategies employed by cybercriminals to achieve widespread infections.


The addition of a UEFI bootkit reflects Glupteba’s ongoing evolution and adaptation, making it a prominent example of the sophistication demonstrated by modern cyber threats.The utilization of the Bitcoin blockchain for command-and-control operations further complicates efforts to dismantle the botnet.

Glupteba’s evolution exemplifies the relentless innovation driving the arms race between cyber attackers and defenders.