Shade BIOS: Unleashing the Full Stealth of UEFI Malware
Black Hat USA 2025 · Day 1 · Briefings
Kazuki Matsuo of FFR Security introduced ShadeBIOS, a research framework that keeps the UEFI BIOS environment resident in memory after the operating system boots and repurposes UEFI's own memory management, device drivers, and protocol stack to execute malicious behaviors entirely outside the OS security stack — bypassing antivirus, Windows Defender Firewall, and kernel-level detection by never touching OS APIs or driver interfaces.
AI review
Matsuo solved the two fundamental constraints that have limited every UEFI implant to date — OS dependency and hardware specificity — simultaneously, using UEFI's own infrastructure. ShadeBIOS keeps the BIOS environment alive through OS boot, sends C2 traffic via UEFI's HTTP stack entirely below the OS security layer, and is therefore invisible to Windows Defender Firewall, which only sees traffic passing through the OS network stack. This is a genuine primitive shift.