BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[1][2][3]

ID: S0114
Platforms: Windows
Contributors: Christopher Glyer, Mandiant, @cglyer
Version: 1.1
Created: 31 May 2017
Last Modified: 09 June 2021

Techniques Used

Domain ID Name Use
Enterprise T1564 .005 Hide Artifacts: Hidden File System

BOOTRASH has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit.[2]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

BOOTRASH is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.[1][2][3]