Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass
welivesecurity.com
ESET Research has discovered HybridPetya on the VirusTotal sample sharing platform. It is a copycat of the infamous Petya/NotPetya malware, adding the capability of compromising UEFI-based systems and weaponizing CVE‑2024‑7344 to bypass UEFI Secure Boot on outdated systems.
Key points of this blogpost:
- New ransomware samples, which we named HybridPetya, resembling the infamous Petya/NotPetya malware, were uploaded to VirusTotal in February 2025.
- HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions.
- Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.
- One of the analyzed HybridPetya variants exploits CVE‑2024‑7344 to bypass UEFI Secure Boot on outdated systems, leveraging a specially crafted cloak.dat file.
- ESET telemetry shows no signs of HybridPetya being used in the wild yet; this malware does not exhibit the aggressive ...
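As an added defensive example (not ESET's code and not part of the original post), the script below walks a mounted EFI System Partition and flags the two artefact classes the key points name: a file called cloak.dat, and EFI applications outside a baseline of expected loaders. The mount path, the baseline set EXPECTED_EFI and the constructed sample tree are assumptions.

```python
import os
import tempfile
from dataclasses import dataclass
from pathlib import PurePosixPath

# Loader paths a clean Windows-style ESP is expected to carry (assumed baseline).
EXPECTED_EFI = {
    "efi/microsoft/boot/bootmgfw.efi",
    "efi/microsoft/boot/bootmgr.efi",
    "efi/boot/bootx64.efi",
}
@dataclass(frozen=True)
class Finding:
    kind: str   # "cloak_dat" or "unexpected_efi"
    path: str   # path relative to the ESP root, lower-cased, forward slashes

def triage(rel_paths):
    """Classify ESP-relative file paths; returns Findings sorted by kind, path."""
    findings = []
    for p in rel_paths:
        norm = p.replace("\\", "/").lower().strip("/")
        name = PurePosixPath(norm).name
        if name == "cloak.dat":
            # ESET ties the Secure Boot bypass variant to a crafted cloak.dat.
            findings.append(Finding("cloak_dat", norm))
        elif name.endswith(".efi") and norm not in EXPECTED_EFI:
            # A bootable EFI application outside the baseline needs review.
            findings.append(Finding("unexpected_efi", norm))
    return sorted(findings, key=lambda f: (f.kind, f.path))

def scan_esp(root):
    """Walk a mounted ESP (e.g. /boot/efi or a mountvol drive) and triage it."""
    rel = [os.path.relpath(os.path.join(d, f), root)
           for d, _dirs, files in os.walk(root) for f in files]
    return triage(rel)

def build_demo_esp():
    """Create a constructed fake ESP tree in a temp dir (sample data only)."""
    root = tempfile.mkdtemp(prefix="esp_demo_")
    for rel in ("EFI/Microsoft/Boot/bootmgfw.efi",   # expected loader
                "EFI/Microsoft/Boot/cloak.dat",      # artefact named in the blog
                "EFI/Boot/extra.efi"):               # hypothetical unknown loader
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return root

if __name__ == "__main__":
    print(*scan_esp(build_demo_esp()), sep="\n")
```

Point scan_esp at the real ESP mount point to triage a live system; anything reported should be verified against the firmware vendor's and OS vendor's known loader inventory rather than deleted blindly.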