Contact
Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Cybersecurity is about sharing. Recognize the risk,
combat it, share your experiences, and encourage others
to do better than you.
Banner Ransomfeed 320x100 1
Crowdstriker 970×120
BitLocker in the crosshairs: stealth attacks via COM hijacking. Online PoC

BitLocker in the crosshairs: stealth attacks via COM hijacking. Online PoC

15 September 2025 08:31

An innovative tool known as BitlockMove has been introduced, which highlights a novel lateral movement technique. This PoC leverages DCOM interfaces and COM hijacking, both of which are functional for BitLocker.

Released by security researcher Fabian Mosch of r-tec Cyber Security, the tool allows attackers to execute code on remote systems within the session of an already logged-in user, avoiding the need to steal credentials or impersonate accounts.

This technique is particularly subtle because the malicious code executes directly in the context of the target user, generating fewer indicators of compromise than traditional methods such as credential theft from LSASS.

The PoC specifically targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94), which can launch several processes. One of these, BaaUpdate.exe, is vulnerable to COM hijacking if launched with specific parameters. The tool, written in C#, operates in two distinct modes: enumeration and attack.

  • Enum Mode: An attacker can use this mode to identify active user sessions on a target host. This allows the threat actor to select a highly privileged user, such as a domain administrator, for the attack.
  • Attack Mode: In this mode, the tool executes the attack. The attacker specifies the target host, the username of the active session, a path to delete the malicious DLL, and the command to execute. The tool then executes the remote COM hijacker, activates the payload, and cleans up by removing the hijacker from the registry and deleting the DLL.

By monitoring specific behavior patterns, defenders are able to detect this technique. Key indicators include remote COM CLSID hijacking associated with BitLocker, which aims to load a newly created DLL from the compromised location via BaaUpdate.exe.

Suspicious child processes spawned by BaaUpdate.exe or BdeUISrv.exe are obvious indicators of a possible attack. Its use for legitimate purposes is rare, so security experts can conduct specific searches for the BdeUISrv.exe process to detect its potential malicious nature.

Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.

Cropped RHC 3d Transp2 1766828557 300x300
The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.