IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Researchers uncover 'mysterious' Windows rootkit being actively exploited since 2016

Experts at Kaspersky say the rootkit was found embedded inside the firmware image of legacy Asus and Gigabyte motherboards

A mysterious and powerful rootkit has been uncovered that is said to have remained hidden and exploited in attacks since 2016.

Dubbed ‘CosmicStrand’, Kaspersky researchers said the UEFI rootkit was found on a number of victims’ machines across China, Russia, Iran, and Vietnam.

The malicious rootkit was found on Asus and Gigabyte motherboards that shared the H81 chipset, released between 2013 and 2015, indicating there may be a common vulnerability across this equipment which has largely been discontinued.

UEFI malware is not too common, but there has been a slight increase in attacks in recent years, with more research uncovering campaigns such as MoonBounce and LoJax.

Kaspersky predicts attacks of this nature will increase in the years to come, as does the US government which, in February 2022, published a report detailing how the rise of UEFI malware was “an alarming trend” and such attacks seen in the wild “were previously only theoretical”.

Rootkits are an attractive tool for attackers because they are particularly difficult to locate and research, being embedded inside a motherboard’s firmware image. Because of this, they afford attackers significant capabilities thanks to a low risk of detection. It's likely that the computer will be infected with the rootkit forever, the report read.

The researchers were unable to determine how the victims initially became infected, but previous research from Qihoo360 on an early variant discovered in 2017 alleged that a victim may have bought an infected motherboard from a second-hand merchant, though this has not been confirmed.

The researchers added that creating a rootkit of this quality is especially difficult, largely because a UEFI execution context terminates before Windows is loaded, making it harder for the UEFI code to be transposed into Windows.

The experts suggested it’s even more intriguing that the victims seemed to be private individuals, not tied to any organisation or industry, given the technical expertise required to build it.

Typically developers of malware would target high-value individuals in order to exfiltrate information, or deploy payloads such as ransomware in financially-driven campaigns.

Diagram of CosmicStrand's infection chain

CosmicStrand's infection chain


The kernel-level implant deploys a malicious component in Windows every time the operating system (OS) loads. After the infection chain is complete and the implant is connected to the cyber criminal’s C2 infrastructure, attackers can then feed malicious code to assemble into shellcode.

Kaspersky said it was able to capture and analyse an example of this shellcode but it believes many more exist that it wasn’t able to find.

From its analysis, the code appeared to attempt to create a new user on the victim’s machine. The researchers said it can be inferred from the shellcodes that they might be stagers for attacker-supplied portable executables - a Windows file format that wraps executable code, dynamic link libraries (DLLs) and other code for later use.

Related Resource

Unified endpoint management solutions 2021-22

Analysing the UEM landscape

Whitepaper cover with title on shaded pink/purple backgroundFree Download

The researchers said they are not certain regarding whom or what group they can attribute the attack to, but there is evidence to suggest a Chinese-speaking threat actor could be behind it.

The main reason Kaspersky believes a Chinese-speaking attacker could be behind it is the similarity in some code snippets between CosmicStrand and the MyKings botnet. Found in 2020 by ESET, the researchers said at the time they noticed several artefacts showing the Chinese language.

CosmicStrand and MyKings use the same MBR rootkit to establish persistence, both generate network packets in the same way and the API hashing code is also identical. The algorithm used here has only been observed twice by Kaspersky - in MoonBounce and xTalker - both of which are tied to Chinese-speaking threat actors, it said.

“The multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later,” said the researchers.

“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016… this discovery begs a final question: if this is what the attackers were using back then, what are they using today?”

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download


Hackers could use new Wslink malware in highly targeted cyber attacks

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection

Malware developers create malformed code signatures to avoid detection

24 Sep 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Should you take your password manager off the internet?

Should you take your password manager off the internet?

28 Jul 2022