0x3440_blacklotus_v2_driver.sys
BlackLotus UEFI bootkit driver (v2)
This is a catalog name for the kernel driver component of BlackLotus, the first publicly documented UEFI bootkit capable of bypassing Secure Boot on fully patched Windows 11 systems. BlackLotus appeared on criminal forums in October 2022 for $5,000 and was analyzed by ESET in March 2023.
BlackLotus exploits CVE-2022-21894 ("Baton Drop"), a Secure Boot bypass. Although Microsoft patched the vulnerability in January 2022, the affected boot manager binaries were not added to the UEFI revocation list, so attackers can deploy their own copies. Once loaded, the bootkit disables BitLocker, HVCI (Hypervisor-protected Code Integrity), and Windows Defender, then deploys a kernel driver for persistence and an HTTP downloader for command-and-control.
Microsoft, CISA, and the U.S. Department of Defense have all published mitigation guidance. Microsoft issued additional fixes under CVE-2023-24932 and extended boot manager revocation patching through 2024.
Not a legitimate vendor driver. The filename is researcher-assigned; the actual in-the-wild filenames may differ. Presence indicates a firmware-level compromise. If found, escalate to incident response.
0x3440_blacklotus_v2_driver.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “0x3440_blacklotus_v2_driver.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/0x3440-blacklotus-v2-driver-sys
