Hacker News

> some of the BlackLotus installers we have analyzed do not proceed with bootkit installation if the compromised host uses one of the following locales: Romanian (Moldova), ro-MD, Russian (Moldova), ru-MD, Russian (Russia), ru-RU, Ukrainian (Ukraine), uk-UA, Belarusian (Belarus), be-BY, Armenian (Armenia), hy-AM, Kazakh (Kazakhstan), kk-KZ

I can guess why they might do that, but also wonder if it's an actual international group (nice to see countries working together so well! /sarcasm), or they threw in a few extra plausible ones to mask their origin. For example, if they just picked Moldova, that's a relatively small country and would narrow down their location to one city exactly.



I bet it's because Transnistria doesn't have its own locale.


Do those countries have reciprocal law enforcement agreements with each other by any chance?


They usually refuse to target all ex-USSR or CIS countries.



