
Suspected Chinese Hackers Unleash Malware That Can Survive OS Reinstalls

It works to create a Trojan file called 'IntelUpdate.exe' in the Startup Folder, which will reinstall itself even if the user finds it and deletes it, according to Kaspersky Lab.

By Michael Kan, Principal Reporter



Chinese hackers may be using malware that can survive Windows OS reinstalls to spy on computers. 

Security firm Kaspersky Lab uncovered the malware, which is implanted in a computer's UEFI (Unified Extensible Firmware Interface) firmware so that it persists on a Windows machine no matter what happens to the operating system.

Attacking the UEFI is alarming because that firmware is the code that boots the computer and loads the operating system. It does not live on the main hard drive; it is stored on the motherboard in an SPI flash chip. As a result, wiping the disk or reinstalling Windows leaves a malicious module embedded in the UEFI untouched, and conventional antivirus products, which scan files on disk and in memory, do not look inside the flash chip at all.

“This attack demonstrates that, albeit rarely, in exceptional cases, actors are willing to go to great lengths in order to gain the highest level of persistence on a victim’s machine,” said Kaspersky Lab researcher Mark Lechtik in a statement. 

The company discovered the UEFI-based malware on machines belonging to two victims. On each boot, the firmware component writes a Trojan file called "IntelUpdate.exe" into the Windows Startup folder. If a user finds and deletes the file, it reappears the next time the machine starts, because the code that drops it never runs from the disk.

"Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware," Kaspersky Lab said.

The malware's goal is to deliver other hacking tools on the victim’s computer, including a document stealer, which will fetch files from the “Recent Documents” directory before uploading them to the hacker’s command and control server. 

Kaspersky Lab refrained from naming the victims, but said the culprits have been going after computers belonging to “diplomatic entities and NGOs in Africa, Asia, and Europe.” All the victims have some connection to North Korea, be it through non-profit activities or an actual presence in the country. 

While looking over the malware’s computer code, Kaspersky Lab also noticed the processes can reach out to a command and control server previously tied to a suspected Chinese state-sponsored hacking group known as Winnti. In addition, the security firm found evidence the creators behind the malware used the Chinese language while programming the code. 

Still, Kaspersky Lab is refraining from calling out a specific group for the attacks. “Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks,” Kaspersky Lab added. 

It remains unclear how the UEFI-based malware was delivered, and which PC models are vulnerable to the attack. Kaspersky Lab notes that manipulating the UEFI is difficult because it requires knowledge of the machine's specific firmware and a way to write to the SPI flash chip on the board.

However, the security firm noticed the UEFI-based malware was created with the help of leaked documents from an Italian surveillance company called Hacking Team. In 2015, the company had its files stolen and dumped online, which showed Hacking Team was also working on a UEFI-based attack capable of infecting Asus X550C and Dell Latitude E6320 models through a USB thumb drive. 

“Of course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism,” Kaspersky Lab added. “Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don’t have any evidence to support it.”

To remove the malware, Kaspersky Lab said a victim would need to reflash the motherboard's firmware with a legitimate version from the vendor. Reinstalling the operating system or replacing the hard drive does not help, since the malicious code sits in the flash chip rather than on disk.

This is the second time security researchers have uncovered malware designed to implant itself in the UEFI. In 2018, antivirus vendor ESET reported a separate instance of UEFI-based malware, dubbed LoJax, which may have come from Russian state-sponsored hackers.

In Kaspersky Lab's case, the company discovered the UEFI-based malware thanks to its firmware scanner, which it began rolling out last year. The same actor has also been found targeting victims with phishing emails, but none of those emails were observed delivering the UEFI-based component.
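Kaspersky Lab's firmware scanner and its remediation advice both rest on the same idea: the contents of the SPI flash can be compared against the vendor's known-good image, and any module that was added or altered is suspect. The following Python is an added illustration of that check, written for this article and not code from Kaspersky Lab or from the malware's authors. It builds two small UEFI firmware volumes in memory (a constructed "vendor" image and a constructed "dump" with one patched driver and one extra DXE driver), walks the FFS file headers in each, and reports the differences. The GUIDs, driver bodies and the implant's behaviour string are placeholders, not indicators from the real campaign; the parser handles a single uncompressed FFSv2 volume, whereas a real flash dump contains several volumes, some of them compressed.

```python
"""Diff two UEFI firmware volume images by FFS file GUID and SHA-256 of each
file body. Constructed example: the reference and "dump" images are built
in memory below. On a real machine the dump would come from the SPI flash
(for example, flashrom -p internal -r dump.bin) and the reference from the
vendor's firmware update package."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"                                  # at offset 40 of the FV header
EFI_FIRMWARE_FILE_SYSTEM2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
FFS_HEADER = struct.Struct("<16sHBB3sB")                # name, checksum, type, attrs, size24, state
FV_FIXED_HEADER = struct.Struct("<16s16sQ4sIHHHBB")     # 56 bytes, then the block map
BLOCK_SIZE = 0x1000
EFI_FV_FILETYPE_DRIVER = 0x07                           # a DXE driver


def build_ffs_file(name, body, file_type=EFI_FV_FILETYPE_DRIVER):
    """Wrap body in an FFS file header. Size is a 24-bit field that includes the header."""
    size = FFS_HEADER.size + len(body)
    # State 0xF8: header-valid, file-valid, data-valid with erase polarity 1
    return FFS_HEADER.pack(name.bytes_le, 0, file_type, 0, size.to_bytes(3, "little"), 0xF8) + body


def build_volume(files):
    """Assemble an FFSv2 volume: fixed header, one block-map entry plus terminator,
    8-byte-aligned files, and 0xFF erased free space up to a block boundary."""
    body = b""
    for f in files:
        body += f + b"\xff" * ((-len(f)) % 8)
    header_len = FV_FIXED_HEADER.size + 16
    total = -(-(header_len + len(body)) // BLOCK_SIZE) * BLOCK_SIZE
    header = FV_FIXED_HEADER.pack(b"\x00" * 16, EFI_FIRMWARE_FILE_SYSTEM2_GUID.bytes_le,
                                  total, FV_SIGNATURE, 0, header_len, 0, 0, 0, 2)
    header += struct.pack("<IIII", total // BLOCK_SIZE, BLOCK_SIZE, 0, 0)
    return header + body + b"\xff" * (total - header_len - len(body))


def parse_volume(image):
    """Walk the FFS files in one volume; return {guid: (file_type, sha256(body))}."""
    if image[40:44] != FV_SIGNATURE:
        raise ValueError("not a firmware volume")
    fv_len = struct.unpack_from("<Q", image, 32)[0]
    header_len = struct.unpack_from("<H", image, 48)[0]
    files = {}
    off = header_len
    while off + FFS_HEADER.size <= fv_len:
        name, _chk, ftype, _attr, size24, _state = FFS_HEADER.unpack_from(image, off)
        if name == b"\xff" * 16:                        # erased flash: no more files
            break
        size = int.from_bytes(size24, "little")
        if size < FFS_HEADER.size or off + size > fv_len:
            raise ValueError(f"corrupt FFS file at offset {off:#x}")
        body = image[off + FFS_HEADER.size:off + size]
        files[str(uuid.UUID(bytes_le=name))] = (ftype, hashlib.sha256(body).hexdigest())
        off = (off + size + 7) & ~7                     # files are 8-byte aligned
    return files


def diff_volumes(reference, dump):
    """Report modules present only in the dump, missing from it, or changed."""
    ref, cur = parse_volume(reference), parse_volume(dump)
    return {
        "added": sorted(set(cur) - set(ref)),
        "removed": sorted(set(ref) - set(cur)),
        "modified": sorted(g for g in ref.keys() & cur.keys() if ref[g] != cur[g]),
    }


# Constructed sample images. GUIDs and bodies are placeholders, not real indicators.
VENDOR_DRIVER_A = uuid.UUID("11111111-2222-4333-8444-555555555555")
VENDOR_DRIVER_B = uuid.UUID("66666666-7777-4888-9999-aaaaaaaaaaaa")
IMPLANT_DRIVER = uuid.UUID("deadbeef-0000-4000-8000-000000000001")

REFERENCE_IMAGE = build_volume([
    build_ffs_file(VENDOR_DRIVER_A, b"vendor driver A body" * 2),
    build_ffs_file(VENDOR_DRIVER_B, b"vendor driver B body" * 2),
])
# "Dumped" image: driver B patched and a third DXE driver appended, the shape of a firmware implant.
SUSPECT_IMAGE = build_volume([
    build_ffs_file(VENDOR_DRIVER_A, b"vendor driver A body" * 2),
    build_ffs_file(VENDOR_DRIVER_B, b"vendor driver B body" + b"HOOKED"),
    build_ffs_file(IMPLANT_DRIVER, b"drops IntelUpdate.exe into Startup on every boot"),
])

if __name__ == "__main__":
    for kind, guids in diff_volumes(REFERENCE_IMAGE, SUSPECT_IMAGE).items():
        print(kind, guids)
```

Running the script lists the appended driver under "added" and the patched driver under "modified". The comparison is against the vendor image rather than a signature database on purpose: a firmware implant is a new or altered module that no antivirus running inside Windows can see, so the only reliable signal is a deviation from what the vendor shipped.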
