"Shade BIOS" stealth malware hides below operating system

Creates parallel "attacker-exclusive OS".

Attackers can create persistent malware that hides below a computer's operating system, making it effectively invisible to endpoint detection and response tools, new security research suggests.

Kazuki Matsuo of Japan's FFRI Security specialises in research covering computers' Basic Input/Output System (BIOS) and Unified Extensible Firmware Interface (UEFI), the code that starts up devices and loads the operating system (OS) that users and applications interact with.

While the firmware-stored computer startup code would normally be flushed after the OS starts up and resumes control, Matsuo's Shade BIOS malware prevents this.

Instead, Shade BIOS retains BIOS memory regions that would normally be overwritten, and keeps UEFI drivers and protocols active, maintaining device access that would normally be under OS control.

The malware allows attackers to access devices, communicate with command-and-control (C2) servers, and exfiltrate data without ever touching OS application programming interfaces (APIs) that security products monitor for anomalies.

Traditional BIOS backdoors depend on device-specific code to access different hardware; Matsuo's Shade BIOS instead uses the existing UEFI drivers and protocols, which makes it easier to write.

This means identical Shade BIOS code works across different hardware configurations without needing modification.

Shade BIOS addresses technical challenges such as run-time memory management and virtualised memory addresses, boot-time-only resources, device setting conflicts, and exclusive control of devices between UEFI/BIOS code and the OS.

In effect, Shade BIOS-style malware becomes an "attacker-exclusive OS" that runs alongside the legitimate operating system, nearly undetectable.

While not directly detectable, Shade BIOS temporarily disrupts device operation during malicious activity.

For example, a network card could briefly lose connectivity, and monitoring for similar, frequently recurring device errors could give defenders an indication of Shade BIOS activity.
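The detection heuristic described above, turned into a small log check, as an added example that is not part of the article or of Matsuo's research: it parses constructed kernel-style link-state lines (the timestamp format, the "eth0" name and the "Link is Down"/"Link is Up" wording are assumptions to adapt to the driver in use) and flags a device whose link drops several times within a sliding window, which is the recurring-brief-outage pattern worth triaging rather than a single ordinary outage.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample dmesg-style lines (not real captures). The ISO-8601 timestamp,
# the device name "eth0" and the "Link is Down"/"Link is Up" wording are assumptions;
# adapt LINE_RE to the NIC driver's actual message format.
SAMPLE_LOG = """\
2025-08-10T09:00:01 kernel: eth0: Link is Up - 1Gbps/Full
2025-08-10T09:14:02 kernel: eth0: Link is Down
2025-08-10T09:14:05 kernel: eth0: Link is Up - 1Gbps/Full
2025-08-10T09:31:40 kernel: eth0: Link is Down
2025-08-10T09:31:43 kernel: eth0: Link is Up - 1Gbps/Full
2025-08-10T09:47:12 kernel: eth0: Link is Down
2025-08-10T09:47:15 kernel: eth0: Link is Up - 1Gbps/Full
2025-08-10T13:05:00 kernel: eth0: Link is Down
2025-08-10T13:05:03 kernel: eth0: Link is Up - 1Gbps/Full
"""

LINE_RE = re.compile(r"^(\S+) kernel: (\S+): Link is (Down|Up)")

def parse_link_events(log_text):
    """Return (timestamp, device, state) tuples for every link-state line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def find_flap_bursts(events, window=timedelta(hours=1), threshold=3):
    """Flag devices with at least `threshold` 'Link is Down' events inside any
    sliding window of length `window`; returns (device, first, last, count)."""
    downs = defaultdict(list)
    for ts, dev, state in events:
        if state == "Down":
            downs[dev].append(ts)
    alerts = []
    for dev, times in downs.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((dev, times[start], times[end], end - start + 1))
                break  # one alert per device is enough for triage
    return alerts
```

On the sample data the three drops between 09:14 and 09:47 trigger one alert for eth0, while the isolated 13:05 drop does not.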

Evidence from leaked intelligence documents, such as Vault 7 from the United States Central Intelligence Agency (CIA) and National Security Agency (NSA) material, which referenced tools such as DerStarke, DEITYBOUNCE and BANANABALLOT as well as the commercial vector-edk BIOS hacking kit sold to governments, suggests that nation-state actors are focusing on UEFI/BIOS exploits.

Matsuo presented the research at the recent Black Hat USA 2025 security conference, and has written and published a proof of concept (PoC) of Shade BIOS.

Copyright © iTnews.com.au . All rights reserved.