Security researchers have unveiled a novel technique called “Shade BIOS” that enables malware to operate entirely within a computer’s foundational firmware, rendering traditional security measures powerless. Kazuki Matsuo of FFRI Security will detail the method at Black Hat 2025, highlighting its unprecedented evasion capabilities by bypassing the operating system (OS) entirely.
Shade BIOS fundamentally differs from conventional UEFI (Unified Extensible Firmware Interface) threats like rootkits or bootkits. While UEFI malware exploits firmware persistence to run before the OS loads, it ultimately relies on the OS to interact with hardware and execute malicious tasks—exposing it to antivirus, endpoint detection (EDR/XDR), and OS security tools. Shade BIOS eliminates this dependency, allowing attackers to run malicious code exclusively within the BIOS environment even after the OS boots.
Historically, UEFI malware’s reliance on the OS has been a weakness for the attacker. The malware must anticipate and disable specific security programs during startup—a complex task requiring knowledge of kernel drivers and mechanisms. Matsuo notes that no existing UEFI malware bypasses critical Windows defenses like Event Tracing for Windows (ETW). Furthermore, disabling all security tools would likely alert users. Shade BIOS circumvents these issues by operating independently of the OS, making its activity invisible to OS-level protections.
Technical execution
The breakthrough involves deceiving the OS loader during startup. When control passes from the firmware to the OS, the firmware’s boot-time resources are normally released for the OS to reclaim. Shade BIOS subverts this by altering the UEFI memory map—the structure that describes how physical memory is allocated and which regions the OS must preserve. “I’m deceiving the OS loader by changing the memory map,” Matsuo explains. The manipulated map convinces the loader that BIOS regions must remain active during OS runtime, so BIOS functionality stays resident in memory.
This creates a parallel, hidden environment akin to a “miniature OS” where malware operates using BIOS-specific protocols (e.g., disk I/O) instead of standard OS APIs. Malware can be written in C, leveraging BIOS drivers for tasks like file creation. Matsuo contends this approach is potentially simpler than developing traditional UEFI bootkits: “It doesn’t require binary manipulation, hooks, or pattern matching.”
Shade BIOS poses a universal threat due to UEFI standardization. Malware developed for it would function identically across PCs, servers, and motherboards—requiring no hardware-specific adaptation. Detection is exceptionally difficult, as security software cannot scan the BIOS runtime environment. The only defense is proactive, unscheduled memory dumping and analysis to identify suspicious code—even without prior suspicion of compromise.
Matsuo will demonstrate memory analysis using the open-source tool “Kraftdinner” at Black Hat 2025 to streamline detection. However, he emphasizes that Shade BIOS attacks remain niche, primarily relevant to high-security contexts: “UEFI threats are not really popular outside of national security.” The technique is most pertinent for government agencies during PC procurement inspections to uncover firmware backdoors.
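The memory-map manipulation described under “Technical execution” and the memory-dump analysis described above both reduce to the same inspection: a UEFI memory map is a list of EFI_MEMORY_DESCRIPTOR entries, and boot-time regions (loader and boot-services code/data) are normally released once the OS takes over. A map in which such a region is marked with the EFI_MEMORY_RUNTIME attribute, or in which descriptors overlap, is worth a closer look. The following Python is an added example written for this article; it is not code from the article, from FFRI Security, or from Kraftdinner. It assumes the raw buffer layout that UEFI’s GetMemoryMap() returns (descriptor size reported by the firmware), and the sample map it scans is constructed inline.

```python
"""Heuristic scan of a UEFI memory map for boot-time regions kept alive into OS runtime.

Added example (not the article's or any project's code). Assumes a raw memory-map
buffer laid out as GetMemoryMap() returns it; the sample map below is constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# EFI_MEMORY_TYPE values from the UEFI specification
EFI_LOADER_CODE = 1
EFI_LOADER_DATA = 2
EFI_BOOT_SERVICES_CODE = 3
EFI_BOOT_SERVICES_DATA = 4
EFI_RUNTIME_SERVICES_CODE = 5
EFI_RUNTIME_SERVICES_DATA = 6
EFI_CONVENTIONAL_MEMORY = 7
# Region types the OS is entitled to reclaim after the firmware hands over control
BOOT_ONLY_TYPES = {EFI_LOADER_CODE, EFI_LOADER_DATA,
                   EFI_BOOT_SERVICES_CODE, EFI_BOOT_SERVICES_DATA}

# Attribute bit that tells the OS a region must stay mapped for runtime services
EFI_MEMORY_RUNTIME = 0x8000000000000000
EFI_MEMORY_WB = 0x8  # write-back cacheable; only used to build realistic samples

PAGE_SIZE = 0x1000
# EFI_MEMORY_DESCRIPTOR: UINT32 Type, 4 bytes padding, UINT64 PhysicalStart,
# UINT64 VirtualStart, UINT64 NumberOfPages, UINT64 Attribute (40 bytes). Firmware
# reports its own DescriptorSize (commonly 48), so we step by that, never by 40.
DESCRIPTOR_FMT = "<I4xQQQQ"


@dataclass
class Descriptor:
    type: int
    phys_start: int
    num_pages: int
    attribute: int

    @property
    def end(self) -> int:
        return self.phys_start + self.num_pages * PAGE_SIZE


def parse_memory_map(raw: bytes, descriptor_size: int) -> List[Descriptor]:
    """Split a raw GetMemoryMap() buffer into descriptors."""
    if descriptor_size < struct.calcsize(DESCRIPTOR_FMT):
        raise ValueError("descriptor size smaller than EFI_MEMORY_DESCRIPTOR")
    if len(raw) % descriptor_size:
        raise ValueError("buffer length is not a multiple of descriptor size")
    descs = []
    for off in range(0, len(raw), descriptor_size):
        mtype, pstart, _vstart, npages, attr = struct.unpack_from(DESCRIPTOR_FMT, raw, off)
        descs.append(Descriptor(mtype, pstart, npages, attr))
    return descs


def find_suspicious(descs: List[Descriptor]) -> List[Tuple[Descriptor, str]]:
    """Flag boot-time regions that claim runtime persistence, and overlapping entries."""
    findings = []
    for d in descs:
        if d.type in BOOT_ONLY_TYPES and d.attribute & EFI_MEMORY_RUNTIME:
            findings.append((d, "boot-time region carries EFI_MEMORY_RUNTIME"))
    # A well-formed map is non-overlapping; an entry laid over another is a tampering sign
    ordered = sorted(descs, key=lambda d: d.phys_start)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.end > cur.phys_start:
            findings.append((cur, "descriptor overlaps the preceding region"))
    return findings


def build_descriptor(mtype: int, pstart: int, npages: int, attr: int,
                     descriptor_size: int) -> bytes:
    """Pack one descriptor and pad it to the firmware-reported size (sample construction)."""
    body = struct.pack(DESCRIPTOR_FMT, mtype, pstart, 0, npages, attr)
    return body + b"\x00" * (descriptor_size - len(body))


# Constructed sample map: three ordinary entries followed by two anomalous ones
SAMPLE_DESCRIPTOR_SIZE = 48
SAMPLE_MAP = b"".join([
    build_descriptor(EFI_CONVENTIONAL_MEMORY, 0x100000, 0x100, EFI_MEMORY_WB, SAMPLE_DESCRIPTOR_SIZE),
    build_descriptor(EFI_BOOT_SERVICES_CODE, 0x200000, 0x40, EFI_MEMORY_WB, SAMPLE_DESCRIPTOR_SIZE),
    build_descriptor(EFI_RUNTIME_SERVICES_CODE, 0x240000, 0x20,
                     EFI_MEMORY_WB | EFI_MEMORY_RUNTIME, SAMPLE_DESCRIPTOR_SIZE),
    # boot-services data asking to survive into runtime: should not happen
    build_descriptor(EFI_BOOT_SERVICES_DATA, 0x260000, 0x80,
                     EFI_MEMORY_WB | EFI_MEMORY_RUNTIME, SAMPLE_DESCRIPTOR_SIZE),
    # runtime entry starting inside the previous region: overlapping descriptors
    build_descriptor(EFI_RUNTIME_SERVICES_DATA, 0x2C0000, 0x10,
                     EFI_MEMORY_WB | EFI_MEMORY_RUNTIME, SAMPLE_DESCRIPTOR_SIZE),
])


def scan_sample() -> List[Tuple[Descriptor, str]]:
    return find_suspicious(parse_memory_map(SAMPLE_MAP, SAMPLE_DESCRIPTOR_SIZE))


if __name__ == "__main__":
    for desc, reason in scan_sample():
        print(f"type={desc.type} start=0x{desc.phys_start:x} pages=0x{desc.num_pages:x}: {reason}")
```

Run against a real dump, the two checks are only a first filter: a flagged region still has to be disassembled to tell a benign firmware quirk from resident code, which is the manual step the article describes. The overlap check is deliberately strict (adjacent regions whose end equals the next start are accepted; any actual overlap is reported).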
This research underscores a critical evolution in offensive capabilities—malware persistence completely divorced from the OS—demanding new defensive paradigms for high-value targets.