S0397: LoJax
Analyst context for executives and security teams
LoJax matters because it represents persistence below the normal operating-system layer: a Windows-targeted UEFI rootkit used to keep remote access software present on selected systems. For leaders, the key issue is not volume but recoverability—standard reimaging or endpoint cleanup may be insufficient if firmware-level persistence is in scope.
Executive priority
Treat this as a high-consequence resilience and incident-response planning issue rather than a routine malware cleanup scenario. Executives should ask whether the organization can validate firmware integrity, preserve evidence, rebuild trusted hosts, and document recovery decisions for audit or regulatory review. Its relationship to APT28 increases threat-intelligence relevance, but local exposure and prioritization should be based on asset criticality, Windows endpoint fleet risk, and existing firmware/boot-chain control maturity.
Technical view
ATT&CK provides no official detection text for LoJax, so SOC and IR teams should validate coverage through the related behaviors: Rootkit, Modify Registry, System Firmware, Registry Run Keys / Startup Folder, and NTFS File Attributes. Practical validation should focus on Windows hosts where firmware persistence, registry-based persistence, startup execution, hidden NTFS content, and rootkit-like concealment could overlap. Incident responders should avoid assuming OS-level remediation is complete when UEFI/system firmware modification is plausible.
Likely telemetry
- Windows Registry modification evidence, especially persistence-related keys and startup locations
- Windows startup folder and autorun execution evidence
- Endpoint file-system telemetry that can expose unusual NTFS attributes or alternate data storage indicators
- Firmware, BIOS, UEFI, or boot-chain integrity evidence where available
- Endpoint security alerts or forensic evidence suggesting rootkit-like hiding of files, services, drivers, network connections, or processes
Detection direction
- Because MITRE provides no LoJax-specific detection guidance, map detection engineering to the related ATT&CK techniques rather than relying on a single malware signature.
- Validate whether endpoint tooling can see registry persistence and startup execution on Windows systems, and whether administrative activity creates false positives that need baselining.
- Confirm whether the organization has any telemetry for UEFI/system firmware integrity; many SOC blind spots begin below the operating system.
- Review forensic readiness for NTFS file attributes and hidden data, since normal file listings may not be enough.
- Use the APT28 relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
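The detection items above can be checked directly on a Windows host. The following is an added example written for this page, not code from the ATT&CK object, ESET, or Glexia: a read-only PowerShell audit that enumerates Registry Run/RunOnce keys and startup folders (T1547.001), lists NTFS alternate data streams under a set of scoped directories (T1564.004), and reports the Secure Boot state as a boot-chain posture indicator (T1542.001). It assumes PowerShell 5.1 or later on Windows; the $AuditRoots directories are an assumption and should be adjusted to the scope of the host being examined. It collects evidence only and makes no changes.

```powershell
# Added example (not from the ATT&CK page or Glexia analysis): read-only audit of
# the Windows persistence locations and NTFS indicators named in the detection list.
# Assumes Windows with PowerShell 5.1+. $AuditRoots is an assumption for this example.

# 1. Registry Run/RunOnce keys (T1547.001) for machine and current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runEntries = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell adds to every key
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 2. Per-user and all-users startup folders (T1547.001), including hidden files
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$startupEntries = foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force -File | Select-Object FullName, LastWriteTime, Length
    }
}

# 3. NTFS alternate data streams (T1564.004) under the scoped roots. The default
#    :$DATA stream is ignored, as is Zone.Identifier (the mark-of-the-web stream
#    browsers and mail clients write on downloaded files), since both are expected.
$AuditRoots = @("$env:ProgramData", "$env:USERPROFILE")   # assumption: adjust to scope
$adsEntries = foreach ($root in $AuditRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        } | Select-Object FileName, Stream, Length
}

# 4. Boot-chain posture (T1542.001): Secure Boot state as reported by the firmware.
#    This is a posture indicator only, not a firmware integrity measurement; the
#    cmdlet throws on legacy-BIOS hosts or without administrator rights.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'unavailable (legacy BIOS or insufficient rights)' }

# Summary first, then the detailed evidence for the case file
[pscustomobject]@{
    RunKeyEntries     = @($runEntries).Count
    StartupFiles      = @($startupEntries).Count
    AlternateStreams  = @($adsEntries).Count
    SecureBootEnabled = $secureBoot
} | Format-List

$runEntries     | Format-Table -AutoSize
$startupEntries | Format-Table -AutoSize
$adsEntries     | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and Secure Boot query are readable, and capture the output to the evidence store before any remediation. Entries in the Run keys or startup folders are not malicious by themselves; compare them against a known-good baseline from a trusted host of the same build, which is where the false-positive baselining noted above comes in. A clean result says nothing about the firmware itself, which needs a firmware image capture and comparison against the vendor's known-good image.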
Mitigation priorities
- Prioritize firmware and boot-chain governance for critical Windows assets: inventory firmware state, control update processes, and define trusted rebuild procedures.
- Harden and monitor Windows persistence locations such as Registry run keys and startup folders, especially where administrator rights are required.
- Ensure IR playbooks include escalation paths for suspected rootkit or firmware persistence, including evidence preservation and criteria for hardware-level remediation.
- Reduce unnecessary administrative access because registry and firmware-related changes may depend on elevated permissions.
- Document detection gaps and compensating controls for compliance and executive risk acceptance where firmware telemetry is limited.
Analyst notes and limits
The supplied ATT&CK object identifies LoJax as a UEFI rootkit used by APT28 and links it to Windows and several persistence/stealth-related techniques. The business value is in validating recovery assumptions, firmware visibility, and whether endpoint controls can observe the related behaviors.
No official ATT&CK detection text, aliases, labels, or object-level tactics were supplied. This take does not assert current exploitation, customer exposure, or guaranteed detection. Local asset inventory, firmware telemetry, endpoint configuration, and incident evidence are required for environment-specific conclusions.
LoJax
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | LoJax has modified the Registry key |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions. (Citation: ESET LoJax Sept 2018) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | LoJax has modified the Registry key |
| Enterprise | T1542.001 | System Firmware Sub-technique | LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems. (Citation: ESET LoJax Sept 2018) |
| Enterprise | T1014 | Rootkit | LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems. (Citation: ESET LoJax Sept 2018) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | c602d6e67d70… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET LoJax Sept 2018: ESET. (2018, September). LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
- [2] LoJax (Citation: ESET LoJax Sept 2018)
- [3] mitre-attack S0397
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.