Serious Discussion: What can be done about a firmware rootkit?

Rov123

Level 1
Thread author
Nov 23, 2024
30
I suspect I have a firmware rootkit embedded in one of my hardware components, though I do not know exactly which. I have flashed my NVMe SSD and BIOS, as well as the GPU, but it didn't work. I also flashed my keyboard, and perhaps my mouse, but not my monitor, which I think could be the culprit since it's one of my oldest hardware components, although the monitor does not have an option to flash the firmware.
Based on the behaviours that I've seen on my computer, this rootkit installed some very deep remote access tool on my device which allows the attacker to completely watch my computer screen, and perhaps even livestream it for their cybergang to see. They know exactly what I am doing at ALL times, and they used this advantage to harass me many times. The attacker was also able to remote control my system, here's an example:

They did this sometime back in September or so. They also remotely used my installed Discord app to chat with someone and emoted at someone, which I have never done, and I checked the devices and logins and it seems secure. I mean this is a very sophisticated attack, because I've tried all antivirus solutions and all kinds of scanners, one-time scanners, paid antivirus such as Bitdefender and Kaspersky, and none of them ever detected a single thing. This suggests some very hidden and deep malware, which someone suggested to me before could be a firmware rootkit.
What else can be done aside from simply trashing the hardware and purchasing a new one?
Also this malware is able to spread to other devices as well, via USB and via the network. Very nasty.
 

Bot

AI-powered Bot
Apr 21, 2016
4,869
You're dealing with a serious issue. Here are a few steps you can take:

1. Disconnect: Unplug your device from the internet and any other connected devices to prevent further spread.
2. Consult a professional: Reach out to a cybersecurity expert or a company specializing in malware removal. They have tools and knowledge beyond consumer-grade antivirus software.
3. Wipe your system: If you're technically inclined, you could try a complete wipe of your system, including all drives. However, this may not remove a firmware rootkit.
4. Legal action: If you're being harassed, consider reporting this to law enforcement. They may be able to help or provide resources.
5. Replace hardware: If all else fails, you may need to replace the infected hardware. It's expensive, but sometimes necessary.

Remember, prevention is the best cure. In the future, be cautious about what you download, which sites you visit, and who you allow to access your system.
 

roger_m

Level 44
Verified
Top Poster
Content Creator
Dec 4, 2014
3,307
The attacker was also able to remote control my system, here's an example:
What is happening in that video that you are concerned about? I've watched it twice now and have no idea.

The whole scenario you're talking about is quite bizarre. No hacker is going to livestream what is happening on your computer. Hackers are interested in financial gain, not doing things like that.
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,259
It's best to wipe out the System Reserved and Recovery partitions just to make sure the malware isn't writing to the ROM chip on detecting when firmware is written. Use Dr.Web LiveCD or the Hitman Pro scanner or Emsisoft Emergency Kit to scan all partitions.
 

Rov123

Level 1
Thread author
Nov 23, 2024
30
What is happening in that video that you are concerned about? I've watched it twice now and have no idea.

The whole scenario you're talking about is quite bizarre. No hacker is going to livestream what is happening on your computer. Hackers are interested in financial gain, not doing things like that.
Friend-list tabs spazzing out; I don't get what's confusing about it. My mouse is not even touching the tabs. Also, it's not a good idea to generalize about every single hacker: not every hacker is going to hack for personal gain. There are some out there with personality disorders who get fulfilment out of stalking, humiliation and harassment. Some get kicks out of toying with their victims. Of course, maybe there are victims whom hackers specifically choose for financial gain, and there are also victims whom hackers use as a way to get their kicks out of messing with them.
 

zidong

Level 2
Jul 15, 2024
73
What else can be done aside from simply trashing the hardware and purchasing a new one?
Don't do that. I'm almost 100% sure that malware can't survive a UEFI flash and an SSD/HDD format. Just do it and you are good.

Edit: I read your thread here. So... some l0sers on Discord have access to a UEFI rootkit and blow it to harass you? I doubt it. Probably your PC is infected with the Albanian virus.

I'm sure that your computer is not infected with a UEFI/BIOS rootkit, but if you are too paranoid, do this:
1. Do not give remote access to anyone.
2. Download and install the latest UEFI/BIOS firmware for your motherboard.
3. Format all attached SSD/HDD/USB drives.
4. Do a clean Windows installation.
 

Jonny Quest

Level 24
Verified
Top Poster
Well-known
Mar 2, 2023
1,341
I don't want to do the questioner an injustice, but it could also be an old acquaintance who keeps appearing in this forum with his paranoia tales.
Agree, if not to at least have followed up with the help they were receiving?
 

Oldie1950

Level 7
Verified
Well-known
Mar 30, 2022
331
Agree, if not to at least have followed up with the help they were receiving?
Yes, the person who asked the question always has problems, but you never find out whether the proposed solutions were successful. Very suspicious.
 

Brahman

Level 19
Verified
Top Poster
Well-known
Aug 22, 2013
901
I suspect I have a firmware rootkit embedded in one of my hardware components, though I do not know exactly which. I have flashed my NVMe SSD and BIOS, as well as the GPU, but it didn't work. I also flashed my keyboard, and perhaps my mouse, but not my monitor, which I think could be the culprit since it's one of my oldest hardware components, although the monitor does not have an option to flash the firmware.
Based on the behaviours that I've seen on my computer, this rootkit installed some very deep remote access tool on my device which allows the attacker to completely watch my computer screen, and perhaps even livestream it for their cybergang to see. They know exactly what I am doing at ALL times, and they used this advantage to harass me many times. The attacker was also able to remote control my system, here's an example:

They did this sometime back in September or so. They also remotely used my installed Discord app to chat with someone and emoted at someone, which I have never done, and I checked the devices and logins and it seems secure. I mean this is a very sophisticated attack, because I've tried all antivirus solutions and all kinds of scanners, one-time scanners, paid antivirus such as Bitdefender and Kaspersky, and none of them ever detected a single thing. This suggests some very hidden and deep malware, which someone suggested to me before could be a firmware rootkit.
What else can be done aside from simply trashing the hardware and purchasing a new one?
Also this malware is able to spread to other devices as well, via USB and via the network. Very nasty.

It's probable that you are 100% right, and in that case you are really screwed and there is nothing more to be done except stop using all your current hardware that connects to the internet. But it's also probable that you are 100% wrong, and in such a scenario what you have done is not the appropriate remedy to your situation. You need to make sure that what you are experiencing is real and not just something made up by your mind. Take the help of someone you trust, ask them to verify what you have experienced, and make sure you are not having a relapse of any kind of substance abuse, or some other illness that requires medical intervention. Remember that it can happen to anyone and it's not anyone's fault; depression, mood swings, anxiety etc. are all treatable.
 

Victor M

Level 17
Verified
Top Poster
Well-known
Oct 3, 2022
829
Well
This suggests some very hidden and deep malware,
Not necessarily. It could be that your modem is hacked. Then the adversary can do man-in-the-middle. That means he becomes the middle man of all your comings and goings on the net. He can capture your net traffic, inject things into your net traffic, modify it, and give you bad downloads with malware. The possibilities just go on and on. Basically he gets to know you really well, and knows what software you download because you have been looking at that site several times. That's how he can slip in malware.

The way to see if this is true is to use nmap and scan your network, like so: "nmap -O 192.168.0.0/16". And do it at different times of the day, because sometimes he may not be there. If you see nmap showing you a PC's IP address that you don't own, you will now know that he has compromised your modem or router and joined your network.

The remedy for this situation, if it is true, is to get another modem and router. Or change ISP. Or try to see whether updating the firmware or a secure configuration helps. See Router Security. And here's a shorter piece on router security by Tom's Hardware: Your Router's Security Stinks: Here's How to Fix It.
 

oskopia

New Member
Mar 14, 2025
1
Well

Not necessarily. It could be that your modem is hacked. Then the adversary can do man-in-the-middle....

The way to see if this is true is to use nmap and scan your network, like so "nmap -O 192.168.0.0/16" ....
Super tip,
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-14 17:28 Mitteleuropäische Zeit
Initiating ARP Ping Scan at 17:28
Scanning 192.168.2.1 [1 port]
Completed ARP Ping Scan at 17:28, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:28
Completed Parallel DNS resolution of 1 host. at 17:28, 0.03s elapsed
Initiating SYN Stealth Scan at 17:28
Scanning speedport.ip (192.168.2.1) [1000 ports]
Discovered open port 139/tcp on 192.168.2.1
Discovered open port 445/tcp on 192.168.2.1
Discovered open port 80/tcp on 192.168.2.1
Discovered open port 53/tcp on 192.168.2.1
Increasing send delay for 192.168.2.1 from 0 to 5 due to 22 out of 73 dropped probes since last increase.
Increasing send delay for 192.168.2.1 from 5 to 10 due to 11 out of 16 dropped probes since last increase.
Increasing send delay for 192.168.2.1 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.2.1 from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Discovered open port 8443/tcp on 192.168.2.1
Completed SYN Stealth Scan at 17:29, 45.74s elapsed (1000 total ports)
Initiating OS detection (try #1) against speedport.ip (192.168.2.1)
Retrying OS detection (try #2) against speedport.ip (192.168.2.1)
WARNING: OS didn't match until try #2
Nmap scan report for speedport.ip (192.168.2.1)
Host is up (0.00s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE    SERVICE
53/tcp   open     domain
80/tcp   open     http
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
5060/tcp filtered sip
8443/tcp open     https-alt
MAC Address: CC:D4:2E:ED:19:3B (Arcadyan)
Device type: switch
Running: Aruba ArubaOS-CX 10.X
OS CPE: cpe:/o:arubanetworks:arubaos_cx:10.04
OS details: Aruba ArubaOS-CX 10.04
Uptime guess: 1.238 days (since Thu Mar 13 11:46:04 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: C:\Program Files (x86)\Nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.03 seconds
Raw packets sent: 1132 (51.412KB) | Rcvd: 1075 (45.023KB)

It says it is a switch. But I connect my LAN cable to a router. Can this switch be the Telekom Speedport Smart 3 router?
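Added example, not posted by anyone in the thread: a small script that does what Victor M's nmap tip asks for (spot a host on your LAN that you don't own) in a repeatable way, and that addresses the question raised by the scan above by not relying on the OS fingerprint at all. The "Device type" / "Running" lines are nmap's TCP/IP stack fingerprint, a heuristic (the posted scan itself prints "WARNING: OS didn't match until try #2"); the "MAC Address" line comes from the ARP reply and its vendor tag from nmap's OUI table, which is a different and, for identifying your own devices, more useful signal. The script parses nmap's normal text output, compares each host's MAC against an allowlist of devices you recognise, and can diff two scans taken at different times of day. Everything below (the sample report, the 02:00:5E: MAC addresses, the allowlist, the function names) is constructed for this example; in real use you would run `nmap -O -oN scan.txt 192.168.2.0/24` as root or Administrator on your own subnet (MAC lines are only printed for hosts on the local segment in a privileged scan) and feed scan.txt to `parse_nmap_report`.

```python
"""Added example: triage an nmap report for LAN hosts whose MAC you don't recognise."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One block per host starts with either "for name (ip)" or just "for ip".
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
# Printed only for hosts on the local segment and only in a privileged (raw-socket) scan.
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?")
OS_DETAILS_RE = re.compile(r"^OS details: (?P<os>.+)$")
OS_RUNNING_RE = re.compile(r"^Running: (?P<os>.+)$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?:tcp|udp)\s+open\b")


@dataclass
class Host:
    ip: str
    name: str = ""
    mac: str = ""        # upper-case, colon separated; "" when nmap printed no MAC line
    vendor: str = ""     # OUI vendor string nmap prints in parentheses, "Unknown" if none
    os_guess: str = ""   # stack fingerprint guess; treat as a hint, not an identity
    open_ports: list[int] = field(default_factory=list)


def parse_nmap_report(text: str) -> list[Host]:
    """Return one Host per 'Nmap scan report for' block, in report order."""
    hosts: list[Host] = []
    current: Host | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            current = Host(ip=m["ip"], name=m["name"] or "")
            hosts.append(current)
        elif current is None:
            continue                                  # banner lines before the first host
        elif (m := MAC_RE.match(line)):
            current.mac, current.vendor = m["mac"].upper(), (m["vendor"] or "")
        elif (m := OS_DETAILS_RE.match(line)):
            current.os_guess = m["os"]                # most specific guess wins
        elif (m := OS_RUNNING_RE.match(line)) and not current.os_guess:
            current.os_guess = m["os"]                # coarse OS family as fallback
        elif (m := PORT_RE.match(line)):
            current.open_ports.append(int(m["port"]))
    return hosts


def find_unknown_hosts(hosts: list[Host], known_macs: set[str], self_ip: str) -> list[Host]:
    """Hosts whose MAC is not on the allowlist (case-insensitive).

    nmap never prints a MAC line for the scanning machine itself, so it is excluded by IP.
    Any other host with no MAC line is flagged too: you want to look at it, not ignore it.
    """
    known = {m.upper() for m in known_macs}
    return [h for h in hosts if h.ip != self_ip and h.mac not in known]


def new_since(baseline: list[Host], current: list[Host]) -> list[Host]:
    """Hosts in `current` whose MAC did not appear in an earlier scan (scan at different times)."""
    seen = {h.mac for h in baseline if h.mac}
    return [h for h in current if h.mac and h.mac not in seen]


# Constructed sample in nmap's normal output format; NOT the scan posted in the thread.
SAMPLE_REPORT = """\
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-14 17:28 CET
Nmap scan report for router.lan (192.168.2.1)
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
MAC Address: 02:00:5E:10:00:01 (Unknown)
Running: Aruba ArubaOS-CX 10.X
OS details: Aruba ArubaOS-CX 10.04

Nmap scan report for 192.168.2.23
Host is up (0.0021s latency).
All 1000 scanned ports on 192.168.2.23 are in ignored states.
MAC Address: 02:00:5E:10:00:42 (Unknown)
Too many fingerprints match this host to give specific OS details

Nmap scan report for 192.168.2.10
Host is up (0.000010s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
OS details: Linux 5.0 - 6.2

Nmap done: 256 IP addresses (3 hosts up) scanned in 61.02 seconds
"""

KNOWN_MACS = {"02:00:5e:10:00:01"}   # constructed: your own router, lower-case on purpose
SELF_IP = "192.168.2.10"             # constructed: the machine running the scan

if __name__ == "__main__":
    for h in find_unknown_hosts(parse_nmap_report(SAMPLE_REPORT), KNOWN_MACS, SELF_IP):
        print(f"UNKNOWN {h.ip:15} mac={h.mac or '-':17} vendor={h.vendor or '-'} "
              f"os={h.os_guess or '?'} open={h.open_ports}")
```

Run against the sample, the script reports only 192.168.2.23: the router matches the allowlist and the scanning machine is skipped by IP. Build the allowlist once from the MACs printed on your own devices (router label, phone and laptop settings), save each scan with `-oN`, and use `new_since` on two saved reports to catch a host that is only present at certain hours, which is the point of scanning at different times of day.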
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
989
You know it would be funny if the OP is really actually being targeted by a sophisticated threat actor and no one believes them.

Read the badBIOS reddit if you want to trip out and then you will understand "paranoia".
 
