NEWS: Reinstalling Windows won't help. The MoonBounce virus hides in the very heart of your computer.

pinkman

Traditional security programs won't even realize that the system has been compromised.


Malware analyst Li Biaoming, known by the pseudonym Seeker, has published detailed research notes on the MoonBounce implant and its operation at the UEFI firmware level. The paper focuses on the DXE Core, a key component of the boot architecture that manages the launch of all subsequent modules during the DXE phase and effectively acts as the "operating system" within the firmware.

The research is based on an analysis of how MoonBounce is injected directly into the DXE Core executable code. Instead of creating a separate module, the malicious logic is embedded into existing functions, allowing it to intercept critical stages of the system boot process. Specifically, the author describes the mechanism of inline hooks in EFI services, through which the implant gains control over memory allocation, event handling, and the transition from the firmware to the operating system bootloader.
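The inline-hook mechanism described above, as an added detection-oriented example that is not part of the article or of Li Biaoming's notes: the script audits a captured EFI Boot Services table against the DXE Core image range, flagging service pointers that lie outside the image and entry points whose first instruction is an unconditional jump to code outside it. The addresses, image range, memory snapshot and byte patterns are constructed for the demo.

```python
import struct

# Constructed layout (not from the article): DXE Core image [start, end)
# and a separate region standing in for implant code placed in pool memory.
DXE_CORE = (0x7F000000, 0x7F040000)
IMPLANT_BASE = 0x7E800000

def _region(size, patches):
    buf = bytearray(b"\x90" * size)            # NOP filler; only patched bytes matter
    for off, data in patches.items():
        buf[off:off + len(data)] = data
    return bytes(buf)

# Constructed memory snapshot: first bytes of three boot-service entry points.
MEM = {
    DXE_CORE[0]: _region(0x40000, {
        # AllocatePool: E9 rel32 jump whose target leaves the DXE Core image
        0x12340: b"\xe9" + struct.pack("<i", (IMPLANT_BASE + 0x100) - (0x7F012340 + 5)),
        # ExitBootServices: FF 25 disp32 jump through an absolute pointer slot
        0x20000: b"\xff\x25" + struct.pack("<i", 2) + b"\x90\x90"
                 + struct.pack("<Q", IMPLANT_BASE + 0x200),
        # CreateEvent: ordinary function prologue, untouched
        0x18000: b"\x48\x89\x5c\x24\x08",
    }),
}
# Constructed table of service name -> entry address; LocateProtocol has been
# repointed outright, the others are still inside the image.
SERVICES = {"AllocatePool": 0x7F012340, "CreateEvent": 0x7F018000,
            "ExitBootServices": 0x7F020000, "LocateProtocol": IMPLANT_BASE + 0x300}

def read(mem, addr, n):
    for base, data in mem.items():
        if base <= addr and addr + n <= base + len(data):
            return data[addr - base:addr - base + n]
    return None

def jump_target(mem, addr):
    """Target of an x86-64 unconditional jump (E9 rel32 / FF 25 [rip+disp32]) at addr, else None."""
    head = read(mem, addr, 6)
    if head is None:
        return None
    if head[0] == 0xE9:
        return addr + 5 + struct.unpack_from("<i", head, 1)[0]
    if head[:2] == b"\xff\x25":
        slot = read(mem, addr + 6 + struct.unpack_from("<i", head, 2)[0], 8)
        return struct.unpack("<Q", slot)[0] if slot else None
    return None

def in_image(addr, image=DXE_CORE):
    return image[0] <= addr < image[1]

def audit_boot_services(services, mem, image=DXE_CORE):
    """Map each service to 'ok' or a finding; anything not 'ok' warrants a firmware dump review."""
    verdicts = {}
    for name, addr in services.items():
        if not in_image(addr, image):
            verdicts[name] = f"pointer 0x{addr:X} outside DXE Core image"
            continue
        target = jump_target(mem, addr)
        if target is not None and not in_image(target, image):
            verdicts[name] = f"inline jump to 0x{target:X} outside DXE Core image"
        else:
            verdicts[name] = "ok"
    return verdicts
```

On a real system the table and memory snapshot would come from a firmware or SMRAM-independent memory dump taken before ExitBootServices, and the DXE Core range from its loaded-image record; a jump inside the image is not flagged here, so compare against a known-good image hash as well.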

Particular attention is paid to the versatility of the attack scheme. MoonBounce is capable of adapting to various boot scenarios, both those using CSM compatibility mode and those in a pure UEFI environment. In one case, control is transferred via legacy boot events; in the other, it is taken by intercepting the point where the firmware hands off to the operating system kernel. This makes the implant resilient to differing system configurations and architectures.

The study emphasizes that such an architecture requires a deep understanding of the internal logic of UEFI and trust points within the boot process. MoonBounce essentially embeds its logic into the firmware execution core itself, gaining access to system control even before drivers and OS components are launched. This approach significantly complicates threat detection and analysis.

Li Biaoming builds on previously published materials from the Kaspersky Lab team and Binarly, which link MoonBounce to the APT41 group, also known as Winnti. His notes don't repeat those technical reports, but rather supplement them with a conceptual analysis of the attack architecture and the DXE Core implementation logic, demonstrating how modern firmware implants are evolving and why they are becoming increasingly difficult to detect and neutralize.