Firmware malware is malicious code that infects a device's firmware: the low-level software that controls hardware components, such as the BIOS or UEFI of a PC, the firmware of a router, or the controller firmware of a hard drive. Unlike regular malware, it runs beneath the operating system, which makes it extremely hard to detect or remove from within that operating system. It can survive reboots, operating-system reinstalls, and even some antivirus scans, because none of those touch the firmware itself.
Attackers use firmware malware for long-term, stealthy access to devices, often against high-value targets such as government systems or critical infrastructure. Well-known examples include LoJax and MoonBounce, which show how firmware attacks can be one component of an advanced persistent threat.
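Because an operating-system scanner cannot see the firmware regions this malware lives in, detection has to rely on something measured before the OS loads. The following is an added example (not from the original text) that simulates measured boot: early firmware extends a TPM-style hash chain (new PCR = SHA-256(old PCR || component digest)) over each component it loads, and a tampered component, or an added one, changes the final value and can be pinpointed from the log. Component names and contents are constructed; the image format is a simplified stand-in, not real UEFI volumes.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample boot sequence: the components early firmware measures
# before handing control to the OS. Names and contents are made up.
GOLDEN_COMPONENTS: List[Tuple[str, bytes]] = [
    ("bootblock",    b"vendor boot block v1.2"),
    ("uefi_core",    b"DXE core image"),
    ("nic_oprom",    b"network option ROM"),
    ("boot_manager", b"UEFI boot manager"),
]

# Same sequence with the UEFI core image modified in place (constructed).
TAMPERED_COMPONENTS: List[Tuple[str, bytes]] = [
    (n, b"DXE core image + implanted driver" if n == "uefi_core" else img)
    for n, img in GOLDEN_COMPONENTS
]


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, Dict[str, bytes]]:
    """Return (final PCR, event log) for a boot sequence.

    The event log maps each component name to its SHA-256 digest, in the
    order it was measured. The PCR starts all-zero at reset."""
    pcr = bytes(32)
    log: Dict[str, bytes] = {}
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log[name] = digest
        pcr = extend(pcr, digest)
    return pcr, log


def attest(observed: List[Tuple[str, bytes]], golden_pcr: bytes) -> bool:
    """True if the observed boot reproduces the known-good final PCR."""
    return measure_boot(observed)[0] == golden_pcr


def find_tampered(golden_log: Dict[str, bytes], observed_log: Dict[str, bytes]) -> List[str]:
    """Names of components whose digest differs from the golden log,
    including components that were added or removed."""
    names = set(golden_log) | set(observed_log)
    return sorted(n for n in names if golden_log.get(n) != observed_log.get(n))
```

Reinstalling the OS does not change any of the measured components, so the final value stays the same until the firmware itself is modified.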
Is firmware malware always a rootkit type of malware?
No, firmware malware is not always a rootkit, but it often behaves like one.
Here’s the breakdown:
- A rootkit is a type of malware designed to hide its presence and maintain privileged access.
- Firmware malware lives in the firmware layer, below the operating system, and usually shares the same goal of staying hidden and keeping privileged access, which is why many firmware attacks include rootkit functionality.
However, not all firmware malware needs to hide. Some is designed simply to brick devices, plant persistent spyware, or enable surveillance, without necessarily disguising itself.
So while firmware malware often includes rootkit-like behavior, especially in advanced threats, the two terms aren't interchangeable: "rootkit" describes what the malware does (hide and keep access), while "firmware malware" describes where it lives.