Some time ago while tracking Winnti group activity we came across a suspicious 64-bit sample. It was a standalone utility with the name HD Rootkit for planting a bootkit on a computer. Once installed the bootkit infects the operating system with a backdoor at the early booting stage. During our investigation we found several backdoors that the HDRoot bootkit used for infecting operating systems. These backdoors are described in this part of the article. Since the backdoor installed with the use of HDRoot might be arbitrary, we cant describe what malware is run by HDRoot.”]