Part 2: Battle of the BIOS
Was scared to turn the computer on tbh. Had it worked? Was this the light at the end of the tunnel? TL;DR: no. And Rooty Tooty had gone Karenzilla mode.
Network flushed and reset, in, clear NVRAM with optimized defaults, clear SB and TPM keys (2 fresh RAM sticks in, no GFX card, no HD, no USBs other than mouse and keyboard, no memory on 'em, no BT or Wi-Fi). Set password. Save, restart. In, confirm changes went live, re-run the whole process on a CMOS clear. SB and TPM up, restart, new live USB in, into Ventoy, iso1 > ISO menu > bootloader > ISO > advanced, e > "insmod ext2, insmod part_gpt cxxxxx", ls: (proc) (memdisk) (hd0msdos1) (hdmsdos2) (hd0) (hd1). ls mod: "list of 80 mods". Fuck.
Try/install > graphical (Xfce) > user mint (live session user) auto login > adduser in terminal. Denied: user admin (software) has no permissions to do that. Apps disappearing at the speed of light. Terminal > purge xxxxxxxx, 50 key items, freezing at 20-30%, unfreezing 30s later with "failed to remove". GUI disappeared, keyboard and mouse lost power. Frozen screen.
It was at this point I knew I was fucked, lol.
Spent an hour getting into pre-init breaks and cleaning the binary off injected drives, then after a few hours managed to override permissions in a no-root break, strip live user perms in RW recovery without a kernel panic on the jump to live, and got in running the official installer's backdoor link, bypassing its injection and added extras. (At this point the computer was packing in; the CPU throttle was working and preventing everything it does in the background.)
Ripped at installation complete, crashed instance, new live USB, NVMe on, no boot, RO, into graphical, mount boot RW, umount, repair boot NVMe. Reboot, clean process, NVMe drive in, time for the bootloader from hell. init.blacklist=gcc gnu xnu sudo virtual serial + 20 others. Block everything imaginable, no modules, no kernel changes, full auditing and logging (hogs CPU). In, looks pretty good, 15-20 minutes examining, then as I type a cd it errors with some crap about Rrrshevh, wtf. Next thing I know I can't type anything coherent; smashing Ctrl+C, Ctrl+Backspace, Ctrl+Q, reset screen, tried changing console or sh, nada. Fk it, magic Ctrl+K. Headshot 111 user Ubuntu, followed by kernel panic. Bollocks.
Restart, go again, bootloader. Speed-of-light set loader, F10, land at graphical emergency mode: please enter root password. Ctrl+D, login graphical. Mint. Defaults ain't working, it had done me. Restart bootloader, tried killing mods, clearing its backdoors, then my NVMes shut down.
The fkin thing was now shutting down NVMes. No USBs would detect anything new; it killed any that were in, killed drives, I couldn't save or boot. 3-4 attempts, counters same result, couldn't even get the bootloader loaded in (didn't wanna live USB now and feed it all the ISOs/mounts they had). Got annoyed so smashed F10 a few times and noticed the gfxterm/video serial numbers had gone up. Smashed F10 some more, more instances. Likewise in ls, lo and behold: (memdisk) (proc) (hd0) (hd1) all still there but my hd0,gpt1-2s gone. It was Karenzilla. Bootloader: modprobe all, ls. modprobe /dev and 10x boot commands wrapped in echo of echo of echo. Screwdriver in the keyboard holding F10 down. And at around 30k gfxterm and font count everything started proper glitching. The overlay VT was packing in, and then crash. Restarted, BIOS needs setup. Hmmm.
The BIOS
It was now resetting the BIOS settings, turning fast boot on, turning C-states on. After 2 attempts I got it locked in, restarted, it had changed my password. Tried discard to boot, restarted, 3x quick restarts, it had disabled Secure Boot. Luckily I can clear with CMOS; went in, crash. Freezing screens, everything else. Powered down, drained. Went again, recording. 15-minute video: catch it live changing my password, catch it live when I break its MOK signing certificate and the moment I find why. I'd broken the overlay; this was its last-ditch attempt to hold on. 3 screenshots from the video. PW going, installed 1s later. Video has it all. The MOK certificate failure after bootloader overload: it couldn't function, it was full. Spent another hour corrupting it through bootloader and settings, stuff like loading tons of mods, booting and instantly ripping the power out; it started posting gibberish in logs.
FREEDOM
Eventually I let it boot. I'd left it with admin control over the BIOS at this point; I just unplugged my keyboard each boot and it'd stay on the BIOS screen login until I got the timing right hahahahha. Plug the kb back in before it hit the bootloader, change some parameters, go again. Eventually made it to graphical and it was peaceful, quiet, and I saw what a real install looks like. I had access to settings I could only dream of lmao. Hooked the net up, data dumped to GitHub and gave the lads the whole 1TB NVMe Rooty had owned for 36 hours and let 'em rip it to shreds. Went straight for the Ventoy partitions on live USBs and any drives that were still bootable, ripped the lot and secured it. Worked with agents for 1-2 days. Collated everything, including the old data, what was left of it (I'd lost a whole GitHub by this point; my original was my 16-repository LLM I'd created with a custom framework). I'd moved it locally and begun training agents and process (all verbal, couldn't code for shit hahaha), but that was lost along with most of the original data on the BitLocker attacks 10th Feb-28th Feb, along with all my personal data and 60 GB of every family photo from the last 15 years. Might help explain why I ain't stopped.
Now over the last 3 months I've collected everything: 4000+ photos, data dumps are huge, half the data-dump AI dives I had done I've never posted. But throughout the whole thing, every time I'd killed one of these fkers I'd get a snippet of custom code, a new lead or point of interest around what was happening, and this rip contained the last piece. Rooty had dropped the final 40-page script that I could apply everything else I had to; the XXX str was the key, the link to unravelling the rest. And eventually I figured out the key. A very specific key sequence, combined with a sequence of events, in a precise order, to unhide the overlay over Ventoy if you will: the unlock that turns the Ventoy loader and customiser into the fully functional rootkit factory. It allows injecting and customising of any ISO, stores BIOS and every key data you need, contains all the overrides, the settings for what it should do, the themes and how to set them up so the user never knows. It contains .imgs and how they are stored, all the major CVEs, versions, how to inject the vulnerabilities into any ISO and then merge them into Rooty so it's updated but still able to bypass.
It's all in Chinese, I'm halfway there, I won't be detailing the process, but I'm proving the concept by creating my own; gonna see if I can configure RootyMKII into a Karenzilla killer and free my devices for good. Probably won't end well, never does, but I'm having fun. ::I accept no responsibility or liability in the event a rootkit called Karenzilla becomes a problem::
For now, enjoy the screenshots and thanks for interacting; the only place I didn't get banned and people actually spoke to me, lmao. Hope you enjoyed, folks. It's been a long 3 months and I'm nearly rootkit-free, but at least it's not living rent-free now!
The last screenshot contains a Windows ISO. Within this program is another, along with 6 unattended .xml documents. One of the first things I found was a reference to it: it's the payload, the first contact and the wrapper to unpack this monstrosity. The self-updating, generative rootkit that works on Windows and Linux, and laterally moves across both + the network. I might eventually prove this was also what infected my phone (iPhone 14) as I have most of the proof, but for now I'm gonna remove this bastard and see what a real Linux install looks like!