← All drivers
malicious
Driver

0x3440_blacklotus_v2_driver.sys

BlackLotus UEFI bootkit driver (v2)

From Unknown criminal threat actor
Part of the BlackLotus family
Status
On a known malicious list
Known variants
1 distinct hashes
Public CVEs
2
Field notes

This is a catalog name for the kernel driver component of BlackLotus, the first publicly documented UEFI bootkit capable of bypassing Secure Boot on fully patched Windows 11 systems. BlackLotus appeared on criminal forums in October 2022 for $5,000 and was analyzed by ESET in March 2023.

BlackLotus exploits CVE-2022-21894 ("Baton Drop"), a Secure Boot bypass. Although Microsoft patched the vulnerability in January 2022, the affected boot manager binaries were not added to the UEFI revocation list, so attackers can deploy their own copies. Once loaded, the bootkit disables BitLocker, HVCI (Hypervisor-protected Code Integrity), and Windows Defender, then deploys a kernel driver for persistence and an HTTP downloader for command-and-control.

Microsoft, CISA, and the U.S. Department of Defense have all published mitigation guidance. Microsoft issued additional fixes under CVE-2023-24932 and extended boot manager revocation patching through 2024.

Not a legitimate vendor driver. The filename is researcher-assigned; the actual in-the-wild filenames may differ. Presence indicates a firmware-level compromise. If found, escalate to incident response.

What the record shows

0x3440_blacklotus_v2_driver.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Related drivers

Other drivers in the BlackLotus family. See the whole family →

Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “0x3440_blacklotus_v2_driver.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/0x3440-blacklotus-v2-driver-sys