CosmicStrand: Getting Down to the Root of the Problem

How do you rid your computer of a rootkit that tunnels its way into the lowest levels of your motherboard firmware and won’t be evicted even if you reinstall your operating system or totally wipe your hard drive? That’s a great question.

CPU chip on Motherboard – abstract 3D render of a processor computer chip on a cicuit board with microchips. Dark background with electrical circuit board silhouette and virtual digital cloud technology symbol. 3D illustration

Kaspersky researchers discovered the “CosmicStrand” rootkit and it does exactly that. Accredited to a Chinese-speaking threat actor, this technically challenging piece of malware is no simple rootkit. CosmicStrand is stealthy and highly persistent because its code is stored deep in the UEFI, undetectable by most security programs (who aren’t accustomed to checking there). Before the primary operating system launches and takes control, all hardware components of a computer must be initialized and configured using the drivers contained in the firmware. While BIOS rootkits were once rather widespread, the UEFI has greater security safeguards, making UEFI malware extremely uncommon.

Creating a rootkit like CosmicStrand is technically challenging and requires exact programming; any errors pose a risk of crashing the victim’s machine (which is neither subtle nor recommended when trying to get the most out of your malware.) So far, victims have been identified in China, Russia, Vietnam and Iran.

According to researchers, it all begins with a process that implants the rootkit in the UEFI. Researchers suspect this is via a combination of local access and vulnerability exploit, but haven’t confirmed this yet. The next step is propagating malicious code execution all the way down to the Windows kernel during the OS booting process (hooking function after function to get there). CosmicStrand checks the computer’s internet connectivity after waiting 10 minutes to let other Windows components start. It creates a connection to its C2 (command-and-control) server and downloads code in 528-byte chunks that are then assembled into shellcode and loaded into the kernel. 

According to, the only way to remove it is to reflash the UEFI, which is stored in its own dedicated SPI flash memory chip. 

Stay safe, stay secure, stay patched. Take a risk assessment today with Centraleyes

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Start automating your risk management
Skip to content