Cybersecurity experts at ESET have identified a new variant of malware known as HybridPetya, which is capable of bypassing the UEFI Secure Boot mechanism in Windows. This was reported by NotebookCheck.
Typically, UEFI Secure Boot checks the digital certificates of programs loaded from the storage during the computer's startup, preventing unauthorized or malicious code from executing.
HybridPetya checks if the infected device uses UEFI with GPT partitioning, and if confirmed, it bypasses Secure Boot. Subsequently, the malware modifies, deletes, or adds files in the boot partition, thereby blocking access to the rest of the data on the disk and encrypting it.
Upon activation, the program displays a message about the encryption of files and demands a payment of $1000 in Bitcoin. The text provides the address of the cryptocurrency wallet for the transfer, along with instructions on sending one's wallet address and the generated installation key to a ProtonMail email for obtaining the decryption key.
As of September 12, 2025, ESET has not recorded any actual attacks using HybridPetya. Experts suggest that this variant may be a prototype or still in the testing phase before broader distribution.
The vulnerability exploited by this malware was patched in the January update of Windows (Patch Tuesday, January 2025). Therefore, users who have installed the latest updates are protected from this threat.
Currently, it is unknown whether HybridPetya can affect other operating systems, including macOS or Linux.
