They're popular amongst targeted (state-level?) attack campaigns that have an amount of known victims in the tens or low hundreds. They're pretty advanced, but there isn't much of a benefit to a bootkit beyond absolute persistence compared to a zero-click remote 0day. Malicious UEFI firmware that infects the OS on reboots have been observed in the wild before, and the NSA also had firmware attacks for weaponizing hard drives during the Snowden era too.

CosmicStrand, MoonBounce, MosaicRegressor, BlackLotus come to mind as best examples to demonstrate.

Both of them are undetectable by the operating system since what is executed runs with the highest privilege. Windows Defender can do nothing against unknown malware and Linux is Linux. Forensic analysis of the device can reveal the attacks although this is not an automated process and you'd need experience in DFIR to analyse a device to see if you was infected by this.

Bootkit firmware have to drop malware within the installed OS for command and control and to monitor their victim's activities. Forensic analysis of the disk for potential IoCs, network traffic analysis to find connections to a potential C2 server and memory dumping (for fileless malware) are some ways to find out. You'd also need reverse engineering experience to confirm suspicious activity. This is also why when people talk about "hardware backdoors" in a security researcher they get laughed at. They are only useful by being unknown and to a limited group of people.

Windows tried to add boot security (called System Guard) to prevent firmware based attacks on a line of PCs called "Secured-core" but they are a questionable half solution that avoids the real solution. Dmytro Oleksiuk (cr4sh) is a very good researcher who develops a lot of PoC UEFI bootkits and he has some good material about the subject matter.

Desktop boot security is fucked. "Secure boot" is nothing like the Verified Boot used in Android, iOS, GrapheneOS, ChromeOS and ARM Macs. Desktop OSes need to move towards being adminless and make features like sandboxing for apps mandatory. Android works really well with verified boot because most of the OS is an immutable, adminless workspace that separates all of what the user does in it's own place. The desktop OSes also trust the hardware connected to it and their drivers too much.