
Chinese Malware ‘MoonBounce’ Able To Survive On Devices Despite Factory Reset

Kaspersky researchers uncover a dangerous new malware embedded in motherboard memory, with suspected links to China-backed group APT41.


A New Breed of Malware Emerges

The digital landscape just got more dangerous. A newly discovered malware strain called MoonBounce is alarming cybersecurity experts due to its ability to survive even after a drive reformat or factory reset.

  • Unlike traditional malware, MoonBounce doesn’t reside on the hard disk.
  • Instead, it hides deep within a computer’s SPI flash memory—a section of the motherboard normally untouched during resets.

This makes MoonBounce particularly difficult to detect and nearly impossible for non-experts to remove.


Who Discovered MoonBounce?

MoonBounce was first identified by Kaspersky, a global leader in cybersecurity solutions. The malware came to light during the company’s routine firmware scans.

  • According to Kaspersky, MoonBounce is the first UEFI firmware-level rootkit of its kind to operate without needing a presence on the hard drive.
  • This makes it a stage-one malware, which can later install secondary payloads used for:
    • Stealing sensitive data
    • Executing remote code
    • Tracking user activity

Why Is It So Hard to Remove?

The main reason MoonBounce is so difficult to eliminate is that it resides in the motherboard firmware, specifically the System Management Mode (SMM) portion of the Unified Extensible Firmware Interface (UEFI).

  • Regular antivirus software doesn’t scan this memory space.
  • Reformatting the hard drive or resetting the OS won’t help, as the malware doesn’t touch the drive at all.

Removal options include:

  • Re-flashing the SPI memory, a highly technical and risky process.
  • Replacing the motherboard, which can cost ₹4,000 to ₹50,000 depending on the system.
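Because the implant lives in SPI flash and not on the disk, the one check a defender can make outside the running system is to read the flash contents and compare them against the vendor's firmware image for that exact board and version. The script below is an added example, not the article's or Kaspersky's tooling: it takes two images as bytes, compares them in erase-block-sized chunks, and reports each block that differs. The images here are constructed in memory with a fixed random seed; the 4 KiB block size is an assumption, as is the idea that the baseline is a vendor image and the second input a dump read from the chip.

```python
"""Compare an SPI flash dump against a known-good baseline, block by block.

Added example, not the article's or Kaspersky's tooling. The images are constructed
in memory here; in practice the baseline is the vendor's firmware image for the exact
board and version, and the dump is read from the SPI chip (external programmer or a
flash-reading tool), after which the two files are compared offline.
"""
import hashlib
import random

BLOCK_SIZE = 4096  # typical SPI flash erase-block size; assumed for this example


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for quick equality against a vendor-published hash."""
    return hashlib.sha256(data).hexdigest()


def compare_dumps(baseline: bytes, dump: bytes, block_size: int = BLOCK_SIZE) -> list[dict]:
    """Return one record per block whose contents differ between baseline and dump.

    A size mismatch is itself a finding: an image that is not the expected length
    is not the vendor's image, so it is reported as a single record.
    """
    if len(baseline) != len(dump):
        return [{"offset": 0, "length": max(len(baseline), len(dump)),
                 "reason": f"size mismatch: baseline {len(baseline)} bytes, dump {len(dump)} bytes"}]
    findings = []
    for offset in range(0, len(baseline), block_size):
        a = baseline[offset:offset + block_size]
        b = dump[offset:offset + block_size]
        if a != b:
            changed = sum(1 for x, y in zip(a, b) if x != y)
            findings.append({"offset": offset, "length": len(a), "changed_bytes": changed,
                             "baseline_sha256": sha256_hex(a), "dump_sha256": sha256_hex(b)})
    return findings


def build_sample_images() -> tuple[bytes, bytes]:
    """Constructed sample data: a 64 KiB pseudo-random 'vendor' image and a copy with
    two blocks altered, standing in for a dump whose contents no longer match."""
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    baseline = bytes(rng.getrandbits(8) for _ in range(16 * BLOCK_SIZE))
    tampered = bytearray(baseline)
    tampered[0x3000:0x3010] = b"\x90" * 16   # 16 bytes overwritten in the block at 0x3000
    tampered[0xA800] ^= 0xFF                 # one byte flipped in the block at 0xA000
    return baseline, bytes(tampered)


def main() -> None:
    baseline, dump = build_sample_images()
    print("baseline sha256:", sha256_hex(baseline))
    print("dump     sha256:", sha256_hex(dump))
    for f in compare_dumps(baseline, dump):
        print(f"block @0x{f['offset']:06X}: {f['changed_bytes']} byte(s) differ")


if __name__ == "__main__":
    main()
```

A whole-image hash answers only "is this the vendor image, yes or no"; the per-block report is what makes a mismatch actionable, because it tells you where in the flash layout the change sits and how large it is, which is the starting point for deciding whether a re-flash from the vendor image is sufficient.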

Tracing the Source: APT41 Suspected

MoonBounce is not just technically advanced — it’s also politically charged. Cybersecurity analysts have linked the malware to APT41, a notorious state-sponsored hacker group backed by China.

  • Kaspersky found evidence of MoonBounce communicating with servers linked to APT41.
  • The group is known for cyber espionage, intellectual property theft, and surveillance operations.

So far, MoonBounce has only been discovered on a single machine—a transportation services company computer—but the implications are significant.

Experts believe this is just the beginning of a wider deployment strategy.


Why This Malware Matters

MoonBounce marks a new frontier in malware design, raising serious questions about:

  • Firmware-level security
  • Hardware trustworthiness
  • National cybersecurity strategies

It’s a stark reminder that the next wave of malware won’t just target files and apps — it will embed itself in the very hardware we rely on.


Kaspersky has discovered MoonBounce, a dangerous new malware that hides in motherboard firmware, making it immune to drive reformats and factory resets. Traced to China-backed group APT41, it marks a new era of deeply embedded cyber threats that require advanced removal tactics or hardware replacement.
