ZeroRingWraith: Stealth threats in the system boot process

ZeroRingWraith: Preboot threat and invisible persistence during system startup

Santiago, May 2025

There are threats that require neither a click nor a download: threats that wake before the operating system, that live in the firmware, and that communicate without leaving a trace. In this article, we explore a conceptual threat known as ZeroRingWraith, whose sophistication surpasses even historic attacks like Stuxnet or BlackLotus.

The analysis was complemented with controlled simulations carried out in SecureLab’s internal labs, as part of the advanced hardening process to reinforce the Invisia system.


What is ZeroRingWraith?

  • UEFI/Boot control: It executes before the OS, compromising the UEFI loader or recovery image.
  • Stealth communication: Opens no ports and generates no visible traffic; instead it relies on DNS tunneling, ICMP covert channels, or physical controllers.
  • Pre-OS execution: Installs a malicious kernel or abuses Thunderbolt/PCIe for DMA memory access.
  • Invisible persistence: Resides in memory or firmware, with no disk artifacts.

Technical comparison:

Exploit          Level    Key Features
Stuxnet          9/10     Requires USB, persists in firmware
BlackLotus       8.5/10   Secure Boot bypass
ZeroRingWraith   11/10    Pre-OS + phantom communication + full persistence

Why it redefines modern defense

  • EDR/XDR: Lack visibility in the pre-OS environment.
  • Secure Boot / TPM: Can be bypassed or manipulated.
  • SIEM/antivirus: Fail to detect covert communication or signatureless artifacts.
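The covert channel the article describes (DNS tunneling, listed above under stealth communication) has no signature to match, but it does have a behavioral shape: one client sending many unique, long, high-entropy subdomains to a single base domain, usually as TXT or similar data-carrying record types. The following Python script is an added example written for this page, not code from the article or from SecureLab; it runs a heuristic of that kind over a small resolver log. The log lines, the domain names, the thresholds and the "last two labels" approximation of the base domain are all constructed assumptions for the demonstration.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (not taken from the article). Fields: epoch, client IP, query name, query type.
SAMPLE_LOG = """\
1715000001 10.0.0.5 www.example.com A
1715000002 10.0.0.5 mail.example.com MX
1715000003 10.0.0.5 cdn.example.com AAAA
1715000004 10.0.0.9 3f9a1c7e5b2d8e4f0a6c9b1d3e5f7a2b.t.exfil-demo.test TXT
1715000005 10.0.0.9 9c4e2a7b1d8f3e6a5b0c7d2e4f1a8b3c.t.exfil-demo.test TXT
1715000006 10.0.0.9 7d1b5e9a3c8f2e6b4a0d9c1e5f3a7b2d.t.exfil-demo.test TXT
1715000007 10.0.0.9 e2a8c4f6b1d3e5a7c9b0d2f4e6a8c1b3.t.exfil-demo.test TXT
1715000008 10.0.0.9 5b3d7f1a9c2e4b6d8a0f3c5e7b9d1a2f.t.exfil-demo.test TXT
1715000009 10.0.0.5 www.example.com A
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character. Human-chosen labels score low (< 3); hex or base32
    payload chunks score around 4 or higher."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, base_domain). The base is approximated as the last two labels;
    a real deployment would consult the public suffix list (simplification, assumed here)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": int(ts), "client": client, "qname": qname, "qtype": qtype.upper()}


def detect_tunneling(log_text: str, min_queries: int = 4, entropy_threshold: float = 3.5,
                     min_label_len: int = 24):
    """Group queries by (client, base domain) and flag groups whose subdomains look like
    encoded payload: almost every query unique, long labels, high entropy, and record
    types that can carry arbitrary data back (TXT/NULL/CNAME). Three of the four
    indicators raise an alert, so a single long CDN hostname does not."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub, base = split_qname(rec["qname"])
        groups[(rec["client"], base)].append((sub, rec["qtype"]))

    alerts = []
    for (client, base), items in groups.items():
        subs = [s for s, _ in items if s]
        if len(subs) < min_queries:
            continue
        unique_ratio = len(set(subs)) / len(subs)
        avg_longest_label = sum(max(len(l) for l in s.split(".")) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        data_rr_ratio = sum(1 for _, t in items if t in ("TXT", "NULL", "CNAME")) / len(items)

        indicators = []
        if unique_ratio > 0.9:
            indicators.append("unique_subdomains")
        if avg_longest_label >= min_label_len:
            indicators.append("long_labels")
        if avg_entropy >= entropy_threshold:
            indicators.append("high_entropy")
        if data_rr_ratio >= 0.5:
            indicators.append("data_carrying_rrtypes")
        if len(indicators) >= 3:
            alerts.append({
                "client": client,
                "base_domain": base,
                "queries": len(items),
                "avg_entropy": round(avg_entropy, 2),
                "indicators": indicators,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_tunneling(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the benign client (three short, low-entropy hostnames under example.com) produces nothing, while the second client trips all four indicators for exfil-demo.test. The point for the detection architecture the article calls for is that none of these features depend on a known-bad indicator: they are computed from the traffic's own statistics, which is what "correlating anomalous behavior without relying on signatures" means in practice. Thresholds need tuning per environment; legitimate software that uses DNS for telemetry or certificate checks can look similar, so a real detector would whitelist known base domains and rate the volume over time.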

Countering it requires an advanced detection architecture capable of:

  • Operating from system boot
  • Correlating anomalous behavior without relying on signatures
  • Reacting autonomously and locally
  • Functioning in isolated or high-criticality environments

Advanced defense strategy

  • Observability from the first boot stage
  • Real-time behavioral analysis
  • Detection of out-of-context processes in early stages
  • Integration with systems like FirmGuard for BIOS-level visibility
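Observability from the first boot stage (listed above) and the claim that Secure Boot / TPM "can be bypassed or manipulated" both come down to the same mechanism: measured boot. Each component that runs before the OS is hashed and extended into a TPM Platform Configuration Register, and a verifier replays the recorded event log against a known-good baseline. The following Python script is an added example written for this page; it is not code from the article, from SecureLab, or from FirmGuard. The component contents, the baseline and the tampered variants are constructed stand-ins; the PCR assignments (PCR0 firmware code, PCR2 option ROMs, PCR4 boot manager and bootloader code, PCR7 Secure Boot policy) follow the TCG PC Client convention, and the extend operation is the real SHA-256 bank semantics of TPM2_PCR_Extend.

```python
import hashlib

PCR_BYTES = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on the SHA-256 bank: new = SHA256(old || digest).
    A PCR can only be extended, never written, so its final value commits to the
    entire ordered sequence of measurements."""
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events):
    """Replay an ordered boot event log of (pcr_index, measured_bytes) pairs from
    zero-initialised PCRs and return {pcr_index: final_value}."""
    pcrs = {}
    for idx, data in events:
        digest = hashlib.sha256(data).digest()
        pcrs[idx] = pcr_extend(pcrs.get(idx, bytes(PCR_BYTES)), digest)
    return pcrs


def divergent_pcrs(observed, baseline):
    """PCR indexes whose value differs from the golden baseline (a missing PCR counts as divergent)."""
    return sorted(i for i in baseline if observed.get(i) != baseline[i])


# Constructed stand-ins for the measured boot components (not real images).
KNOWN_GOOD_BOOT = [
    (0, b"uefi-firmware-core v1.2"),             # PCR0: platform firmware code
    (2, b"option-rom nic v3"),                   # PCR2: option ROMs on PCIe devices
    (4, b"bootloader shim (signed)"),            # PCR4: boot manager / bootloader code
    (4, b"kernel image 6.8.0"),                  # kernel, measured by the bootloader
    (7, b"secure-boot policy: PK,KEK,db,dbx"),   # PCR7: Secure Boot policy state
]

# Same boot, but the bootloader image on the EFI System Partition was replaced
# (the "compromised UEFI loader" scenario the article describes).
TAMPERED_BOOTLOADER = [
    (0, b"uefi-firmware-core v1.2"),
    (2, b"option-rom nic v3"),
    (4, b"bootloader shim (patched)"),
    (4, b"kernel image 6.8.0"),
    (7, b"secure-boot policy: PK,KEK,db,dbx"),
]

# Identical components, but the two PCR4 measurements swapped: the extend chain
# is order-sensitive, so this diverges too even though every hash is "known good".
REORDERED_BOOT = [
    (0, b"uefi-firmware-core v1.2"),
    (2, b"option-rom nic v3"),
    (4, b"kernel image 6.8.0"),
    (4, b"bootloader shim (signed)"),
    (7, b"secure-boot policy: PK,KEK,db,dbx"),
]

# Golden values recorded from the known-good boot (in practice: from a reference
# machine or the vendor's published reference measurements).
GOLDEN = replay_event_log(KNOWN_GOOD_BOOT)


def check_boot(events, baseline=GOLDEN):
    """Replay the supplied event log and report which PCRs no longer match the baseline."""
    return divergent_pcrs(replay_event_log(events), baseline)


def log_consistent_with_quote(events, quoted_pcrs):
    """An attestation quote carries the TPM's signed PCR values. If replaying the
    event log does not reproduce them, the log itself was edited or truncated."""
    replayed = replay_event_log(events)
    return all(replayed.get(i) == v for i, v in quoted_pcrs.items())


if __name__ == "__main__":
    print("known-good divergence:", check_boot(KNOWN_GOOD_BOOT))            # []
    print("tampered bootloader divergence:", check_boot(TAMPERED_BOOTLOADER))  # [4]
    print("reordered divergence:", check_boot(REORDERED_BOOT))             # [4]
    # A log with the last two events dropped cannot reproduce the quoted PCR4 and PCR7.
    print("truncated log consistent:", log_consistent_with_quote(KNOWN_GOOD_BOOT[:-2], GOLDEN))
```

Two properties matter for a defender. First, replaying the log is what turns the opaque PCR values into an explanation: the divergent index tells you which stage changed (here PCR4, the bootloader), which is the "detection of out-of-context processes in early stages" the strategy above asks for. Second, the check is only as trustworthy as the code that performs the first measurement: an implant that controls the firmware before PCR0 is extended can measure a clean image while running a different one, so the comparison has to be anchored in a quote signed by the TPM itself and paired with firmware integrity checks outside the host. That gap between "what was measured" and "what actually ran" is precisely where a pre-OS threat of the ZeroRingWraith kind would try to live.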

Final thoughts

ZeroRingWraith is more than a hypothetical exploit. It is an anticipation exercise that reflects the direction of advanced cyber threats: invisible layers, covert channels, and persistence without trace.

The future of cybersecurity lies in anticipating, observing without being seen, and responding without external dependencies.

Are you truly aware of what happens in your systems before the OS boots?
The next major breach might not show up in your SIEM—but it could already be happening.

All tests conducted by SecureLab were performed in isolated virtual environments, strictly for defensive research purposes, without affecting any third-party infrastructure.


Is your company ready to detect the invisible?

At SecureLab, we work actively on detecting and containing stealth-level threats.
If you’d like to collaborate, validate your security posture, or request a pilot, contact us at www.securelab.cl/contact-en.html.