Researchers have discovered a new malware variant, HybridPetya, which combines the features of the infamous Petya/NotPetya with the ability to bypass UEFI Secure Boot through the CVE-2024-7344 vulnerability. This makes the attack much more dangerous, as it runs before the operating system starts.

HybridPetya consists of two key components: a bootkit and an installer. The bootkit can operate in three states: “ready to encrypt”, “encrypted” and “decrypted after paying the ransom”.

Once launched, it encrypts the Master File Table (MFT) on NTFS partitions using the Salsa20 algorithm and creates a counter file to track which clusters have been encrypted. While this runs, a fake CHKDSK message is shown on the victim’s screen to mask the encryption process.

If an already encrypted drive is detected, HybridPetya displays a demand to pay $1,000 in Bitcoin. After the correct key is entered, the bootkit restores the backup copies of the system bootloaders and starts the decryption process.

Variants of HybridPetya were uploaded to VirusTotal back in February 2025. ESET researchers found that the attackers exploited the CVE-2024-7344 vulnerability in the Howyar Reloader UEFI application. The flaw lets malicious code be loaded from the *cloak.dat* file without any integrity check, effectively bypassing Secure Boot.

Importantly, HybridPetya differs from NotPetya in that the decryption key can be recovered, i.e. it is not purely destructive. At the same time, it joins a small group of malicious UEFI bootkits, alongside BlackLotus and BootKitty, demonstrating the growing interest of attackers in the earliest stage of system boot.

The discovery of HybridPetya shows that UEFI-level attacks are no longer a rarity: they are becoming increasingly accessible to both researchers and cybercriminals. Because this type of malware runs before the OS boots, it can bypass antivirus solutions and survive removal attempts made from within the operating system. Enterprises therefore need to pay more attention to monitoring low-level threats and to updating firmware regularly.
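One concrete way to act on the "monitor low-level threats" advice is to inventory the EFI System Partition (ESP) and flag the loading path this article describes. The script below is an added example written for this page; it is not ESET's tooling or anything from the HybridPetya analysis. It assumes the ESP is already mounted at a directory you pass on the command line (e.g. `/boot/efi` on Linux, or a drive letter assigned with `mountvol` on Windows). The *cloak.dat* name comes from the article; the assumption that the vulnerable Howyar application is normally deployed as `reloader.efi` comes from the public CVE-2024-7344 advisory, not from this page. The `.efi` inventory is a defender heuristic: an unexpected boot binary, or a bootloader copy you did not create, is worth investigating.

```python
"""Inventory a mounted EFI System Partition and flag CVE-2024-7344-style
indicators. Added example for this article, not ESET's code.

Assumptions (not stated on the page):
  * the ESP is mounted and readable at the path given as argv[1];
  * the Howyar Reloader application is deployed as reloader.efi
    (from the public CVE-2024-7344 advisory).
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Filenames to flag wherever they appear in the ESP tree.
# cloak.dat is named in the article; reloader.efi is an assumption from the
# public advisory for CVE-2024-7344.
INDICATOR_NAMES = {"cloak.dat", "reloader.efi"}


def scan_esp(esp_root: str) -> Dict[str, List[str]]:
    """Walk esp_root and return sorted, ESP-relative paths in two buckets:

    'indicators'   - files whose name matches INDICATOR_NAMES
    'efi_binaries' - every *.efi file, so the operator can compare the list
                     against the bootloaders they expect to be present
    """
    root = Path(esp_root)
    findings: Dict[str, List[str]] = {"indicators": [], "efi_binaries": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            lower = name.lower()
            if lower in INDICATOR_NAMES:
                findings["indicators"].append(rel)
            if lower.endswith(".efi"):
                findings["efi_binaries"].append(rel)
    for bucket in findings.values():
        bucket.sort()
    return findings


def build_sample_esp(root: str) -> None:
    """Create a constructed toy ESP layout (sample data, not a real image)."""
    boot = Path(root) / "EFI" / "Microsoft" / "Boot"
    boot.mkdir(parents=True, exist_ok=True)
    (boot / "bootmgfw.efi").write_bytes(b"MZ" + b"\0" * 62)  # stand-in bootloader
    (boot / "BCD").write_bytes(b"regf" + b"\0" * 60)         # ordinary data file
    (boot / "cloak.dat").write_bytes(b"\x5a" * 64)           # opaque payload-style file
    tools = Path(root) / "EFI" / "tools"
    tools.mkdir(parents=True, exist_ok=True)
    (tools / "reloader.efi").write_bytes(b"MZ" + b"\0" * 62)  # assumed Reloader name


def demo_scan() -> Dict[str, List[str]]:
    """Build the constructed sample ESP in a temp dir and scan it."""
    tmp = tempfile.mkdtemp(prefix="esp-demo-")
    build_sample_esp(tmp)
    return scan_esp(tmp)


if __name__ == "__main__":
    import sys

    results = scan_esp(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for category, hits in results.items():
        for hit in hits:
            print(f"{category}: {hit}")
```

Run it against a real ESP mount to get an inventory you can diff against a known-good baseline; any hit in the `indicators` bucket, or an `.efi` file you cannot account for, should trigger a firmware-level incident review rather than an OS-level antivirus scan, for the reasons the article gives.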