What starting position does this attack require?

The first step is Admin shell / live USB foothold (T1078) — a initial access primitive. Assumed environment: target endpoint has a vulnerable UEFI image parser (most major OEMs were vulnerable until 2024 patches).

What is the final impact of this kill-chain?

The final step lands on Install bootkit (BlackLotus / MoonBounce class) (FW-BOOTKIT), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

LogoFAIL → UEFI bootkit → persistent ring-0

Drop a malformed JPG/PNG/BMP into the EFI partition's boot logo path. Vulnerable vendor UEFI parses it pre-OS, executes attacker code before SecureBoot's verifier — install a bootkit that survives wipe + reinstall.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Initial Access

Admin shell / live USB foothold

T1078 · Valid Accounts

Persistence

Reboot triggers boot-logo parser

T1547 · Boot or Logon Autostart Execution

Defense Evasion

Survives wipe + reinstall

T1027 · Obfuscated Files or Information

Initial Access

Drop malicious logo image into ESP

FW-LOGOFAIL · LogoFAIL (UEFI Image Parser RCE)

Defense Evasion

Pre-OS RCE before SecureBoot verifies

FW-SECUREBOOT-BYPASS · SecureBoot Bypass

Persistence

Install bootkit (BlackLotus / MoonBounce class)

FW-BOOTKIT · UEFI Bootkit Persistence

§ Context

Assumed environment: target endpoint has a vulnerable UEFI image parser (most major OEMs were vulnerable until 2024 patches). Attacker has user-level write access to the EFI partition (admin / live USB).

§ Steps

01
Admin shell / live USB footholdInitial Access
T1078— Valid Accounts
02
Reboot triggers boot-logo parserPersistence
T1547— Boot or Logon Autostart Execution
03
Survives wipe + reinstallDefense Evasion
T1027— Obfuscated Files or Information
04
Drop malicious logo image into ESPInitial Access
FW-LOGOFAIL— LogoFAIL (UEFI Image Parser RCE)
05
Pre-OS RCE before SecureBoot verifiesDefense Evasion
FW-SECUREBOOT-BYPASS— SecureBoot Bypass
06
Install bootkit (BlackLotus / MoonBounce class)Persistence
FW-BOOTKIT— UEFI Bootkit Persistence

§ References

§ Frequently asked

What is the "LogoFAIL → UEFI bootkit → persistent ring-0" attack path?: Drop a malformed JPG/PNG/BMP into the EFI partition's boot logo path. Vulnerable vendor UEFI parses it pre-OS, executes attacker code before SecureBoot's verifier — install a bootkit that survives wipe + reinstall. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Admin shell / live USB foothold (T1078) — a initial access primitive. Assumed environment: target endpoint has a vulnerable UEFI image parser (most major OEMs were vulnerable until 2024 patches).
What is the final impact of this kill-chain?: The final step lands on Install bootkit (BlackLotus / MoonBounce class) (FW-BOOTKIT), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

LogoFAIL → UEFI bootkit → persistent ring-0

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

LaunchDaemon persistence as root

Process doppelgänging → spawn signed image with attacker bytes

Cross-chain bridge validator-set bypass → mint wrapped tokens