Logo
blank Skip to main content

What Is a Rootkit?

Cybersecurity

Share this article

To detect rootkits accurately and respond effectively, it’s essential to understand how these threats work and the forms they can take. 

In this post, we examine existing types of rootkits and the key methods used to detect, remove, and prevent rootkit attacks.

Contents:

What is a rootkit? 

A rootkit is a stealthy type of malware that gives attackers continuous administrator‑level (root) access to a compromised system while actively hiding its presence.

Instead of causing immediate, visible damage, rootkits focus on persistence and evasion, often operating at low system levels such as the kernel or bootloader. Rootkit malware can intercept system calls, hide files and processes, tamper with logs, and bypass or disable security controls. 

As a result of a rootkit attack, cybercriminals can remotely control affected devices, steal data, and quietly maintain long‑term access to corporate infrastructure.

How does a rootkit work?

Rootkit malware operates in the following way:

1. Get initial access. Rootkits can access the system through phishing emails, malicious downloads, or exploited system vulnerabilities, or by bundling with other malware (such as trojans).

2. Escalate privileges. After accessing the system, a rootkit elevates its privileges to the administrator or root level. This allows the malware to modify system files, interfere with security tools, and control core system processes.

3. Conceal presence. Rootkits operate at low system levels, where they modify or intercept OS components, making their activity invisible to most standard security tools.

4. Enable malicious activity. After establishing within a system, rootkits can facilitate credential theft, data exfiltration, installation of additional malware, and suppression of security controls.

5. Maintain persistence. Even after system reboots, many rootkits can remain active by modifying startup processes, reinserting themselves if partially removed, and persisting outside the OS (for example, in firmware).

Types of rootkits

Rootkits can be categorized by where they hide in the system:

  • User-mode rootkits operate at the application level by modifying or replacing user‑space tools and APIs, such as system monitors or task managers.
  • Kernel-mode rootkits run inside the OS kernel and intercept core functions. They can hide processes, files, registry entries, or network activity and suppress security alerts.
  • Bootkits infect the bootloader and load before the operating system, gaining control of the system from the earliest startup stage.
  • Firmware rootkits reside in device firmware (e.g., BIOS/UEFI or peripheral firmware). They can survive OS reinstalls and re‑infect a system after cleanup.
  • Hypervisor (virtualized) rootkits operate beneath the operating system using virtualization to intercept and manipulate OS operations, making detection extremely difficult.
  • Memory rootkits live only in RAM, avoiding writes to disk to reduce their forensic footprint. By running in RAM, memory rootkits can evade many traditional detection mechanisms, may degrade system performance, and are automatically removed after a system reboot.
  • Library rootkits replace or hook shared libraries (such as libc on Linux or system DLLs on Windows) to alter program behavior, filter outputs, or redirect system calls.
  • Cloud and container rootkits hide inside containers, sidecars, or shared base images in cloud‑native environments. Attackers may use Kubernetes DaemonSets or tampered init containers to persist across nodes and pods and obscure malicious activity.

Examples of rootkit malware

Let’s explore a few examples of successful rootkit attacks:

RESURGE rootkit

RESURGE rootkit exploited Ivanti Connect Secure vulnerabilities (CVE‑2025‑0282) for espionage. This malware was deployed in March 2025 and functions simultaneously as a rootkit, backdoor, dropper, proxy, and tunneling tool. RESURGE rootkit achieves stealth on 32‑bit Linux systems through process injection and maintains persistence even after reboot.

LinkPro Linux rootkit

The LinkPro Linux rootkit was identified in October 2025 during an investigation into compromised AWS environments. LinkPro relies on eBPF modules for stealth, activating only when it receives special TCP packets with a window size of 54321. This rootkit enables remote access, process hiding, and persistence in cloud and Kubernetes environments after exploiting exposed or vulnerable Jenkins pipelines.

Zero Disco rootkits

Fileless Linux rootkits were deployed on Cisco switches (specifically 9300/9400 series) via exploitation of an IOS/IOS XE SNMP flaw (CVE‑2025‑20352). These rootkits are part of the October 2025 Operation Zero Disco campaign. During an attack, the rootkits hook IOSd memory, set attacker‑controlled universal passwords (commonly containing “disco”), and hide activity to maintain long-term access.

VoidLink framework

VoidLink is an AI-based Linux malware framework for cloud‑native environments that was disclosed by Check Point Research in December 2025. It uses custom loaders, modular implants, and kernel‑level rootkits. By compiling kernel‑specific rootkits on the server side and combining eBPF‑based stealth, adaptive EDR evasion, and fileless execution, VoidLink significantly reduces visibility in containerized and Kubernetes environments.

How to detect rootkits 

To identify rootkit attacks, security engineers use different methods such as:

1. Behavioral analysis

This method monitors the system for abnormal activity such as unexpected CPU or network spikes, disabled security tools, altered logs, or processes that resist termination. Modern EDR/XDR solutions also profile such anomalies and can surface deviations in normal system behavior.

2. Cross-view detection

This method aims to compare what the operating system reports against direct hardware queries to reveal hidden discrepancies. Such discrepancies indicate that something is hiding (for example, when a process is absent from the task manager but is present in a low-level memory scan).

3. Memory analysis

Direct memory inspection, including live memory forensics and offline memory dumps, can expose unauthorized code injections, concealed drivers, and patched kernel routines that evade standard OS-level monitoring. By analyzing volatile memory, security teams can detect malware artifacts operating beyond the operating system’s normal visibility and control mechanisms.

4. Integrity monitoring

Comparing system binaries and configurations against known‑good baselines (cryptographic hashes, file verification, or driver signature checks) can detect modifications to core components. This method includes kernel image validation, system call table inspection, and PE integrity checks.

5. Boot-time scanning

Scanning before the operating system fully loads helps identify boot‑level rootkits that can intercept or manipulate system startup mechanisms. This method prevents the rootkit from hiding during normal runtime.

How to remove rootkits

Removing a rootkit can range from relatively straightforward to extremely complex, depending on where it resides (user mode or kernel, bootloader or firmware) and how long the attacker has maintained persistence in your environment.

Typical remediation approaches include:

  • Booting from a trusted rescue environment to scan offline. Start the affected machine from a clean rescue disk or trusted bootable media and perform full scans before the compromised OS loads. This helps expose and remove rootkits that hide from tools running on the infected system.
  • Repairing boot components when a bootkit is suspected. On legacy BIOS/MBR systems, tools like bootrec /fixmbr and bootrec /fixboot can repair damaged boot records. On modern UEFI/GPT systems, focus on rebuilding the EFI bootloader and BCD with vendor tools or Microsoft utilities such as bcdboot
  • Reinstalling the operating system on a wiped or freshly provisioned disk. For many user-mode and kernel-mode rootkits, the most reliable option is to back up essential data, securely wipe the system drive, and perform a clean OS installation from trusted media. But this may not be sufficient if the attacker has compromised the bootloader or system firmware.
  • Changing all credentials from a clean device. From a known-clean machine, reset passwords and rotate keys for local and domain accounts, VPN and cloud services, email, and other privileged accounts.
  • Reflashing firmware for suspected firmware-level rootkits. In rare but severe cases where compromises survive OS reinstallations and disk replacements, reflashing BIOS/UEFI, storage, or peripheral firmware with official vendor images may be necessary. This is a high‑risk step that should be planned and executed with experienced incident response or hardware security specialists.

How to prevent rootkits

Preventing rootkits means stopping attackers from gaining privileged, persistent access to the operating system or firmware. For engineering teams building secure systems or protecting enterprise infrastructure, an effective prevention approach must combine secure development practices, robust OS configuration, and layered security controls.

Keep all layers of the system updated

Rootkits often exploit known vulnerabilities in the kernel, firmware, or supporting drivers. It’s possible to reduce exposure by:

  • Enabling automated OS and security updates
  • Regularly updating drivers, runtime libraries, hypervisors, and browsers
  • Tracking and patching firmware (BIOS/UEFI) across enterprise hardware

Apply least‑privilege access and strict privilege elevation policies

As rootkits require administrator or kernel-level access, you can prevent privilege escalation by:

  • Using non‑privileged accounts for regular operations
  • Enforcing just‑in‑time admin access and MFA for privilege elevation
  • Enabling UAC or enterprise equivalents to limit unapproved kernel interactions
  • Restricting driver installation permissions to trusted administrators or automated deployment tools

Use security solutions that detect and block rootkit behavior

Modern enterprise‑grade protection solutions can intercept rootkits before installation. For example:

  • EDR tools with kernel telemetry can capture unauthorized driver loads and suspicious API hooking
  • Security agents with hardware-assisted virtualization can analyze kernel behavior in isolation
  • Real-time antivirus and anti-exploit engines can block known rootkit droppers

Enable and enforce Secure Boot

Secure Boot ensures the boot process runs only signed, trusted components. This can:

  • Prevent bootkits from loading before the OS
  • Protect against tampering with bootloaders and early kernel modules
  • Reduce the attack surface for persistent firmware-level threats

Use driver signing and kernel enforcement policies

To prevent kernel-mode rootkits, it’s essential to:

  • Enable driver signature enforcement on all managed endpoints
  • Allow only verified and enterprise-approved drivers
  • Use code signing infrastructure for internal driver development

This significantly reduces the risk of unsigned or malicious kernel modules being loaded.

Segment network and system environments

Segmentation limits an attacker’s ability to move laterally after initial compromise:

  • Use network segmentation to isolate sensitive systems
  • Apply microsegmentation in data center and cloud environments
  • Enforce strict access controls for systems with kernel-level or firmware-level responsibilities

Perform regular integrity checks and deep security audits

Even without visible symptoms, it’s important to:

  • Run periodic deep scans or offline inspections using bootable recovery tools
  • Validate the integrity of OS images, kernel modules, and critical system files
  • Monitor driver load events and kernel hooks for suspicious anomalies

How can Apriorit help to prevent a rootkit attack? 

With 20+ years of experience delivering cybersecurity solutions of all levels of complexity, Apriorit adheres to secure SDLC principles at every stage of product development. 

Our cybersecurity services include:

  • Reducing the attack surface across operating systems and applications
  • Hardening drivers, kernel-level components, firmware, and other low-level software
  • Designing and implementing custom monitoring and detection solutions for stealthy low-level threats
  • Applying reverse engineering and malware analysis expertise to strengthen defensive mechanisms
  • Developing endpoint protection features tailored to complex system environments
  • Auditing code to identify vulnerabilities that may be exploited by rootkits and other advanced threats

Our experts are ready to help you improve the protection of your existing software and legacy solutions.

Searching for a trusted cybersecurity engineering partner?

Collaborate with Apriorit experts to strengthen your product’s defense against evolving threats.

Have a question?

Ask our expert!

Tell us about
your project

...And our team will:

  • Process your request within 1-2 business days.
  • Get back to you with an offer based on your project's scope and requirements.
  • Set a call to discuss your future project in detail and finalize the offer.
  • Sign a contract with you to start working on your project.

Do not have any specific task for us in mind but our skills seem interesting? Get a quick Apriorit intro to better understand our team capabilities.

Book a meeting

* By sending us your request you confirm that you read and accepted our Terms & Conditions and Privacy Policy.