FinSpy (FinFisher): UEFI Bootkit

FinSpy (also called FinFisher) is a notorious commercial surveillance tool of German origin, available since 2011, that lets its operators intercept communications, capture keystrokes, access files and even activate the camera and microphone of a compromised device. It was originally marketed to law enforcement and intelligence agencies as a tool for fighting crime and terrorism. FinSpy has been distributed as trojanized installers for applications such as TeamViewer, VLC Media Player and WinRAR, and builds exist for several operating systems, including Windows, Linux and Android.

After years of tracking the tool, Kaspersky reported in 2021 that FinSpy had been adapted to load from UEFI rather than from a trojanized application: it had evolved into a UEFI bootkit. On every machine infected with the bootkit, the Windows Boot Manager (bootmgfw.efi) on the EFI system partition (ESP) had been replaced with a malicious one, much as the ESPecter bootkit does. Because the ESP is a plain FAT partition that any process with administrator rights can mount and write to, the swap needs no firmware exploit; the new boot manager simply runs before the operating system and its security products start.
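The practical check that follows from the above is whether the boot manager on the ESP is still the Microsoft-signed one. The script below is an added example written for this page; it is not code from FirmGuard, Kaspersky or any FinSpy sample. It assumes an elevated PowerShell session on a UEFI-booted Windows machine, that the drive letter S: is free (any unused letter works), and that the copy of bootmgfw.efi under %SystemRoot%\Boot\EFI (the source bcdboot uses to populate the ESP) has not itself been tampered with.

```powershell
# Added example: verify the Windows Boot Manager on the EFI system partition.
# Run from an elevated PowerShell. Drive letter S: is an assumption.
$EspLetter = 'S:'
$BootMgr   = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
# Reference copy that bcdboot installs from (assumed clean).
$Reference = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"

# 0. Is Secure Boot enforcing? With it on and the default Microsoft db, the
#    firmware refuses to launch an unsigned replacement bootmgfw.efi.
try   { "Secure Boot      : $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot      : not available (legacy BIOS boot or unsupported platform)" }

# mountvol /S mounts the ESP of the boot disk at the given drive letter.
mountvol $EspLetter /S
try {
    if (-not (Test-Path $BootMgr)) { throw "bootmgfw.efi not found on the ESP" }

    # 1. Authenticode signature. A swapped-in boot manager is either unsigned
    #    or signed by someone other than Microsoft.
    $sig    = Get-AuthenticodeSignature -FilePath $BootMgr
    $signer = $sig.SignerCertificate.Subject
    "Signature status : $($sig.Status)"
    "Signer           : $signer"
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        Write-Warning "bootmgfw.efi on the ESP is not a validly Microsoft-signed binary"
    }

    # 2. Hash comparison with the reference copy. A mismatch alone is not
    #    proof of infection (servicing can update the ESP copy), but it is
    #    a reason to pull the file for analysis.
    if (Test-Path $Reference) {
        $h1 = (Get-FileHash -Algorithm SHA256 $BootMgr).Hash
        $h2 = (Get-FileHash -Algorithm SHA256 $Reference).Hash
        "ESP SHA256       : $h1"
        "Reference SHA256 : $h2"
        if ($h1 -ne $h2) { Write-Warning "bootmgfw.efi differs from the reference copy" }
    }

    # 3. Inventory every .efi file on the ESP with its signer. Bootkits that
    #    replace the boot manager commonly keep a second loader on the
    #    partition; anything unsigned or not from Microsoft or the OEM
    #    deserves a look.
    Get-ChildItem -Path "$EspLetter\" -Recurse -Filter *.efi |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $s.Status
                Signer = $s.SignerCertificate.Subject
                SHA256 = (Get-FileHash -Algorithm SHA256 $_.FullName).Hash
            }
        } | Format-Table -AutoSize
}
finally {
    # Always release the drive letter, even if a check throws.
    mountvol $EspLetter /D
}
```

This is a point-in-time check run from inside the operating system, so it catches a replaced bootmgfw.efi but says nothing about what the firmware itself executes before the ESP is read; a bootkit that has already loaded can in principle lie to the OS. Treat a non-Microsoft signer or an unsigned file as a confirmed finding, treat a bare hash mismatch as a lead, and pair the check with Secure Boot enforcement and a firmware-level measurement where the platform offers one.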
