Unveiling HybridPetya: A New Threat in the Malware Landscape
Introduction to HybridPetya
ESET Research has recently unveiled a new type of malware termed HybridPetya, which has surfaced on the well-known malware scanning platform, VirusTotal. This bootkit and ransomware is modeled after the notorious Petya and NotPetya malware, but it brings additional capabilities, primarily targeting UEFI-based systems. Notably, it utilizes CVE-2024-7344 to bypass UEFI Secure Boot protections on older systems, a significant development in the realm of cybersecurity threats.
A Glimpse at the Historical Context
The emergence of HybridPetya bears a resemblance to previous cyberattacks, particularly the NotPetya attack that occurred in 2017. This incident is infamous for being one of the most destructive cyber operations in history, inflicting damages that exceeded $10 billion. “In late July 2025, we encountered ransomware samples under various names, including notpetyanew.exe. This similarity to past malware suggests a connection to the earlier, more destructive threats,” explains Martin Smolár, a researcher at ESET who played a pivotal role in the discovery.
Technical Insights into HybridPetya
Unlike its predecessor NotPetya, which encrypted data in a way that left it practically unrecoverable, HybridPetya uses a different algorithm for generating installation keys. This method allows the malware operator to reconstruct the decryption key from the victim's personal installation key, so it behaves more like conventional ransomware than a pure wiper.
HybridPetya also distinguishes itself by targeting modern UEFI-based systems. It does so by installing a malicious EFI application onto the EFI System Partition. This application encrypts the NTFS Master File Table (MFT), the metadata file that records every file stored on an NTFS-formatted partition. The ability to compromise UEFI systems is a notable evolution in malware strategy.
Investigating Further: The Role of CVE-2024-7344
During further analysis, the ESET team discovered something intriguing on VirusTotal. They encountered an archive containing an EFI System Partition that housed a similar HybridPetya UEFI application, cleverly wrapped in a specially formatted cloak.dat file. This file exploits the CVE-2024-7344 vulnerability, a UEFI Secure Boot bypass flaw that ESET disclosed earlier in 2025. “Our earlier publications were intentionally vague on the specifics of the exploitation,” Smolár adds. It appears that the malware author may have replicated the necessary cloak.dat file format by reverse engineering the vulnerable application independently.
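An added example, not code from ESET's report or from this article: a defender-side integrity check that snapshots the EFI System Partition and flags new, modified, missing or suspiciously named files such as the cloak.dat wrapper the article describes. The sample directory layout (EFI/Microsoft/Boot) and file contents in the demo are constructed for illustration.

```python
"""ESP integrity audit: compare a known-good snapshot of the EFI System Partition
with its current contents and report anything a bootkit install would change."""
import hashlib
import tempfile
from pathlib import Path

# Filename the article reports wrapping the HybridPetya UEFI application.
SUSPICIOUS_NAMES = {"cloak.dat"}


def hash_tree(root):
    """Return {relative_posix_path_lowercased: sha256_hex} for every file under root."""
    digests = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix().lower()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def audit_esp(baseline, current):
    """Diff two hash_tree() snapshots; return sorted (finding, path) tuples."""
    findings = []
    for rel, digest in current.items():
        if rel.rsplit("/", 1)[-1] in SUSPICIOUS_NAMES:
            findings.append(("suspicious-name", rel))
        if rel not in baseline:
            findings.append(("new-file", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    for rel in baseline.keys() - current.keys():
        findings.append(("missing", rel))
    return sorted(findings)


def demo():
    """Constructed ESP: take a baseline, then simulate a bootkit-style tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp, "EFI", "Microsoft", "Boot")
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"original boot manager")  # constructed
        baseline = hash_tree(tmp)
        # Simulated tampering: boot manager replaced, wrapper payload dropped.
        (boot / "bootmgfw.efi").write_bytes(b"replaced loader")
        (boot / "cloak.dat").write_bytes(b"wrapped payload")
        return audit_esp(baseline, hash_tree(tmp))


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:16} {rel}")
```

On a real system the baseline would be taken from the mounted ESP right after a trusted OS install or firmware update and stored off-host, so the comparison is against a copy the attacker cannot edit.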
Current State of HybridPetya in the Wild
Despite the alarming capabilities of HybridPetya, ESET telemetry indicates that the malware has not yet been actively deployed in the wild. This raises the question of whether HybridPetya is merely a proof of concept, developed either by a security researcher or by an unknown threat actor. There is no indication of the aggressive network propagation that characterized the original NotPetya, which suggests that the current reach of HybridPetya is limited.
Conclusion: Monitoring and Preparedness
As HybridPetya represents a sophisticated evolution of earlier malware, its implications for cybersecurity should not be understated. While it is not currently causing widespread disruption, its capabilities underline the need for vigilant monitoring of boot components and robust defenses against emerging threats. Understanding the details of malware like HybridPetya is essential for maintaining preparedness in a constantly changing threat landscape.