The article has two main sections: an infographic and web links to research, samples and sources. The Year column indicates the year the malware appeared or when information about it became public. Infection refers to the disk entity that is infected (Master Boot Record, UEFI, Volume Boot Record). Also listed are the detection names of three security vendors and the purpose of the payload.
✨eEye BootRoot
eEye BootRoot: A Basis for Bootstrap-Based Windows Kernel Code
https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-soeder.pdf
Stealth MBR rootkit
http://www2.gmer.net/mbr/
✨Vboot Kit
https://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf
✨Mebroot (Sinowal, Maosboot)
Your computer is now stoned (...again!)
https://archive.f-secure.com/weblog/archives/Kasslin-Florio-VB2008.pdf
From Gromozon to Mebroot - A Reflection on Rootkits Today
https://web.archive.org/web/20131026083019/http:/www.prevx.com/blog/119/From-Gromozon-to-Mebroot--A-Reflection-on-Rootkits-Today.html
Post mortem report on the sinowal/nu_nl incident
https://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/
Sinowal: MBR rootkit never dies!
https://web.archive.org/web/20130705231427/http://www.saferbytes.it/2012/06/06/sinowal-mbr-rootkit-never-dies-and-it-always-brings-some-new-clever-features/
MBR Rootkit, A New Breed of Malware
https://archive.f-secure.com/weblog/archives/00001393
Bootkit: the challenge of 2008
https://securelist.com/bootkit-the-challenge-of-2008/36235/
A thread on km + samples
https://www.kernelmode.info/forum/viewtopicfa5a.html?f=16&t=543
✨Stoned Bootkit
https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-SLIDES.pdf
Sources
https://github.com/zhuyue1314/stoned-UEFI-bootkit?search=1
✨Mebratix
A thread on km + samples
https://www.kernelmode.info/forum/viewtopic51bc.html?f=16&t=151
✨MBRLock
A thread on km + samples
https://www.kernelmode.info/forum/viewtopic227f.html?f=16&t=507
✨TDL 4 (Tdss, Alureon.DX, Olmarik)
Alureon: The First In The Wild 64-Bit Windows Rootkit
https://www.virusbulletin.com/uploads/pdf/conference_slides/2010/Johnson-VB2010.pdf
TDSS. TDL-4
https://securelist.com/tdss-tdl-4/36339/
TDL4 rebooted
https://www.welivesecurity.com/2011/10/18/tdl4-rebooted/
TDL4 reloaded: Purple Haze all in my brain
https://www.welivesecurity.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain/
The Evolution of TDL: Conquering x64
https://web-assets.esetstatic.com/wls/200x/white-papers/The_Evolution_of_TDL.pdf
Defeating x64: The Evolution of the TDL Rootkit
https://www.slideshare.net/matrosov/defeating-x64-the-evolution-of-the-tdl-rootkit
Tidserv 64-bit Goes Into Hiding
https://web.archive.org/web/20231210203758/https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=cbf67446-35cc-4957-b42b-0a8299d487af&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
Backdoor.Tidserv and x64
https://web.archive.org/web/20130519145126/http://www.symantec.com/connect/blogs/backdoortidserv-and-x64
A thread on km + samples
https://www.kernelmode.info/forum/viewtopicf210.html?f=16&t=19
✨MaxSS – TDL clone (Tdss, SST, Olmasco, Alureon.FE)
Olmasco bootkit: next circle of TDL4 evolution (or not?)
https://www.welivesecurity.com/2012/10/18/olmasco-bootkit-next-circle-of-tdl4-evolution-or-not-2/
TDSS Bootkit Spawns Clones
https://www.bitdefender.com/blog/labs/tdss-bootkit-spawns-clones/
A thread on km + samples
https://www.kernelmode.info/forum/viewtopicf0b4.html?f=16&t=596
✨PiXiEServ bootkit
https://j00ru.vexillium.org/2011/10/pixieserv-out-for-public/
https://www.kernelmode.info/forum/viewtopic3de0.html?f=11&t=2505
✨Mebromi (Bioskit, Wador)
Mebromi: the first BIOS rootkit in the wild
https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
A thread on km + samples
https://www.kernelmode.info/forum/viewtopic1321.html?f=16&t=1125
✨Smitnyl
Analysis of MBR File System Infector
https://archive.f-secure.com/weblog/archives/00002101
A thread on km forum + samples
https://www.kernelmode.info/forum/viewtopicd975.html?f=16&t=750
Analysis of Smitnyl.A, the first hybrid bootkit and file infection
https://web.archive.org/web/20231003142928/https://sudonull.com/post/163414-Analysis-of-SmitnylA-the-first-hybrid-bootkit-and-file-infection
✨Popureb
MBR Confusion
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ebff36a-0740-415b-b820-f6e48b6af1e1&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
Don’t write it, read it instead!
https://www.techkings.org/threads/more-on-trojan-win32-popureb-dont-write-it-read-it-instead.26424/
Removing Popureb Doesn’t Require a Windows Reinstall
https://www.webroot.com/blog/2011/06/30/removing-popureb-doesnt-require-a-windows-reinstall/
POPUREB: Launchpad for Future Threats
https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/web-attack/107/popureb-launchpad-for-future-threats
A thread on km + samples
https://www.kernelmode.info/forum/viewtopic75e3.html?f=16&t=968&start=0
✨Rovnix (Mayachok, Cidox, BKLoader)
Rovnix.D: the code injection story
https://www.welivesecurity.com/2012/07/27/rovnix-d-the-code-injection-story/
Rovnix bootkit framework updated
https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/
Rovnix Reloaded: new step of evolution
https://www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/
Cybercriminals switch from MBR to NTFS
https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs/29117/
Hasta La Vista, Bootkit: Exploiting the VBR
https://www.welivesecurity.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr/
Mayachok Hooks INT8 to Dodge Emulators
https://www.bitdefender.co.uk/blog/labs/mayachok-hooks-int8-to-dodge-emulators/
The evolution of Rovnix: Private TCP/IP stacks
https://blogs.iis.net/windowsserver/the-evolution-of-rovnix-private-tcp-ip-stacks
Cidox Trojan Spoofs HTTP Host Header to Avoid Detection
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cidox-trojan-spoofs-http-host-header-to-avoid-detection/
Rovnix new evolution
https://www.malwaretech.com/2014/05/rovnix-new-evolution.html
A thread on km + samples
https://www.kernelmode.info/forum/viewtopic5a58.html?f=16&t=981
✨Carberp
Evolution of Win32Carberp: going deeper
https://www.welivesecurity.com/2011/11/21/evolution-of-win32carberp-going-deeper/
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
https://web-assets.esetstatic.com/wls/200x/Carberp-Evolution-and-BlackHole-public.pdf
Sources
https://github.com/hryuk/Carberp/tree/master/source%20-%20absource/pro/all%20source/bootkit
A thread on km + samples
https://www.kernelmode.info/forum/viewtopicf82b.html?p=10206#p10206
✨XPAJ
XPAJ: Reversing a Windows x64 Bootkit
https://securelist.com/xpaj-reversing-a-windows-x64-bootkit/36563/
Xpaj - the bootkit edition
https://www.bitdefender.co.uk/blog/labs/xpaj-the-bootkit-edition/
A thread on km + samples
https://www.kernelmode.info/forum/viewtopic5ef8.html?f=21&t=2059
✨Yurn
Yurn trojan adds bootkit functionality
https://www.bitdefender.co.uk/blog/labs/yurn-trojan-adds-bootkit-functionality/
A thread on km
https://www.kernelmode.info/forum/viewtopic7df6.html?f=16&t=2083
✨Gapz
Trojan.Gapz.1 infecting Windows in a new manner
https://news.drweb.com/show/?i=2979&c=5&lng=en&p=0
Win32/Gapz: New Bootkit Technique
https://www.welivesecurity.com/2012/12/27/win32gapz-new-bootkit-technique/
Win32/Gapz: steps of evolution
https://www.welivesecurity.com/2012/12/27/win32gapz-steps-of-evolution/
Win32/Gapz family ring0 payload
https://inresearching.blogspot.com/2013/03/win32gapz-family-ring0-payload.html
A thread on km + samples
https://www.kernelmode.info/forum/viewtopicbc00.html?f=16&t=2306
✨Guntior
Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers
https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e
Guntior Bootkit upgraded
https://zerosecurity.org/2013/06/guntior-bootkit-upgraded/
✨Whistler Bootkit
Whistler Bootkit Flies Under the Radar
https://www.bitdefender.co.uk/blog/labs/whistler-bootkit-flies-under-the-radar/
A thread on km + samples
https://www.kernelmode.info/forum/viewtopicfa77.html?f=16&t=2473
✨Halcbot
Bootkit that steals online game users’ account information
http://asec.ahnlab.com/328
Detailed analysis of Halcbot bootkit tampering with MBR
http://asec.ahnlab.com/5
A thread on km + samples
https://www.kernelmode.info/forum/viewtopicfa67.html?f=16&t=2514
✨Caphaw
Caphaw attacking major European banks using webinject plugin
https://www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/
A thread on km + samples
https://www.kernelmode.info/forum/viewtopic3208.html?p=18527#p18527
✨Plite (PBBot, Gpb)
Plite Bootkit Spies on Gamers
https://www.bitdefender.co.uk/blog/labs/plite-rootkit-spies-on-gamers/
Trojan.GBPBoot.1 MBR infector
https://news.drweb.ru/show/?lng=ru&i=2927&c=9
A thread on km + samples
https://www.kernelmode.info/forum/viewtopic0fe5.html?f=16&t=1666
✨Simda
WinNT/Simda
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=WinNT/Simda&threatId=
Win32/Simda family ring0 payload
https://inresearching.blogspot.com/2013/07/win32simda-family-ring0-payload.html
A thread on km + samples
https://www.kernelmode.info/forum/viewtopice0b7.html?p=19755#p19755
✨Gootkit
BackDoor.Gootkit.112
https://vms.drweb.com/virus/?i=3771317
A thread on km + samples
https://www.kernelmode.info/forum/viewtopicabb9.html?f=16&t=3242
✨Sednit
En Route with Sednit: A Mysterious Downloader
https://web-assets.esetstatic.com/wls/2016/10/eset-sednit-part3.pdf
✨Pitou (Backboot)
Bootkits are not dead. Pitou is back!
https://www.tgsoft.it/news/news_archivio.asp?id=884
A thread on km + samples
https://www.kernelmode.info/forum/viewtopic0dc7.html?f=16&t=3667
✨Hacking Team Vector EDK
https://github.com/hackedteam/vector-edk
✨LoJax
LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
✨EfiGuard UEFI bootkit
https://github.com/Mattiwatti/EfiGuard
✨MosaicRegressor
MosaicRegressor: Lurking in the Shadows of UEFI
https://securelist.com/mosaicregressor/98849/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/07080558/MosaicRegressor_Technical-details.pdf
✨FinSpy (Finfisher)
FinSpy: unseen findings
https://securelist.com/finspy-unseen-findings/104322/
✨ESPecter
UEFI threats moving to the ESP: Introducing ESPecter bootkit
https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/
✨MoonBounce
MoonBounce: the dark side of UEFI firmware
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
A deeper UEFI dive into MoonBounce
https://www.binarly.io/blog/a-deeper-uefi-dive-into-moonbounce
✨BlackLotus
BlackLotus UEFI bootkit: Myth confirmed
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
BlackLotus bootkit
https://github.com/ldpreload/BlackLotus
The Untold Story of the BlackLotus UEFI Bootkit
https://www.binarly.io/blog/the-untold-story-of-the-blacklotus-uefi-bootkit
Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
✨Glupteba
Diving Into Glupteba's UEFI Bootkit
https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/
✨Other
Modern bootkit trends: bypassing kernel-mode signing policy
https://www.virusbulletin.com/conference/vb2011/abstracts/modern-bootkit-trends-bypassing-kernel-mode-signing-policy/
Bootkits: past, present & future
https://www.virusbulletin.com/conference/vb2014/abstracts/bootkits-past-present-amp-future/
Exposing Bootkits with BIOS Emulation
https://www.blackhat.com/docs/us-14/materials/us-14-Haukli-Exposing-Bootkits-With-BIOS-Emulation-WP.pdf
Attacks before system startup
https://securelist.com/attacks-before-system-startup/63725/
UEFI Firmware Rootkits: Myths and Reality
https://www.blackhat.com/docs/asia-17/materials/asia-17-Matrosov-The-UEFI-Firmware-Rootkits-Myths-And-Reality.pdf
Detecting UEFI Bootkits in the Wild
https://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html
MosaicRegressor: Lurking in the Shadows of UEFI
https://securelist.com/mosaicregressor/98849/
Trickbot Now Offers «TrickBoot»: Persist, Brick, Profit
https://eclypsium.com/wp-content/uploads/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf
DreamBoot UEFI bootkit
https://github.com/quarkslab/dreamboot
The Chinese bootkit
https://securelist.com/the-chinese-bootkit/29653/
Bootkit Threat Evolution in 2011
https://www.welivesecurity.com/2012/01/03/bootkit-threat-evolution-in-2011-2/