What is a rootkit?
Rootkits are malicious software programs designed to hide their presence while maintaining persistent access to compromised systems. Unlike typical malware, they operate at deep system levels, in the kernel or inside applications, which makes detection extremely challenging.
These hidden programs enable attackers to steal data, monitor user activity, and manipulate system functions. What makes rootkits particularly dangerous is their ability to remain invisible to traditional antivirus software and security tools, and attackers increasingly target hardware and firmware, where detection is harder still.
The term comes from "root," the highest privilege level in Unix and Linux operating systems, and "kit," referring to the tools used to gain control. While rootkits are mostly associated with cybercrime (helping attackers steal data, install malware, or spy on users), security teams sometimes use such kits for penetration testing, digital forensics, and tracking stolen information.
How does a rootkit attack work?
Rootkit attacks follow a predictable pattern of infiltration and concealment:
- They begin by embedding themselves deep within a system's kernel or user space, targeting the most privileged areas of the operating system (OS).
- Once established, rootkits intercept API calls and modify system processes to maintain persistent access.
- They actively hide their presence by concealing files, processes, and network activities from security monitoring tools.
- They often disguise themselves as legitimate applications or are embedded in seemingly harmless documents like PDFs.
- Once an unsuspecting user installs the infected software or opens the malicious file, a dropper (a small program) delivers the rootkit, which then loads itself into the system—either immediately or when triggered by specific conditions.
A rootkit attack usually compromises or modifies data, hardware, firmware, ports, virtual machines, system configurations, and codebases. With near-total access to these resources, hackers can steal or expose personal and financial information, ransom systems, inject other malware, engineer DDoS attacks, and more. Stuxnet and Machiavelli are two prominent examples of rootkit attacks.
Types of rootkit attacks
Rootkits are classified by the system components they infect. Where a rootkit strikes typically determines how much access hackers have, how much damage they can do to infected computer systems, and how easy it is to detect and halt the attacks.
Kernel-mode rootkit
One of the most dangerous types of rootkit, kernel-mode rootkits are also (thankfully) difficult to build. However, once deployed, they are hard to detect.
- Runs with ring 0 privileges and targets the OS at the kernel level
- Exploits loadable kernel modules (LKMs) or device drivers to distort or delete OS code
- Modifies system calls (syscalls), syscall handlers, and syscall instructions to interrupt communication and increase memory consumption
- Examples: Spicy Hot Pot, Adore, ZeroAccess, Knark, FudModule, and Da IOS
Firmware rootkit
Firmware rootkits are usually embedded in the Unified Extensible Firmware Interface (UEFI) and load before the operating system boots.
- Targets the serial peripheral interface (SPI) flash, the basic input/output system (BIOS), which directs the system's boot process, firmware images, and other related firmware
- May go undetected because firmware code is rarely scanned for integrity
- Examples: LoJax, MoonBounce, and MosaicRegressor
Hardware rootkit
Hardware rootkits are firmware-based rootkits embedded on the hard disk that install other malware (e.g., keyloggers).
- Typically found at the EFI system partition (ESP) level or in routers, hard drives, CPUs, or GPUs
- Can be easily expunged by reformatting the hard drive, unlike SPI-level firmware rootkits, which usually survive disk formatting and restarts
- Examples: FinSpy, Cloaker, and VGA
Virtual rootkit/Virtual machine-based rootkit (VMBR)
VMBRs are ring -1 rootkits, like hardware and firmware rootkits.
- Infects virtual machines (VMs), which allow multiple OSes to run on a single host
- Loads under the host OS kernel, impersonates it, moves the host OS and its components into a newly created VM, then boots that OS to perform malicious activities (e.g., intercepting hardware-to-host OS communication)
- Difficult to detect
- Examples: CloudSkulk and BluePill
Bootkit/Bootloader rootkit
This type of rootkit boots alongside a machine's OS by attaching to the master boot record (MBR), which loads the OS, or the volume boot record (VBR), which initiates the boot process.
- Hijacks the MBR in order to compromise the boot process
- Remains in control of the machine after booting, attacks full-disk encryption systems, and acquires kernel-level control
- Examples: ESPecter, Stoned Bootkit, and Rovnix
Application/user-mode rootkits
A user-mode/application rootkit attaches to popular apps and programming interfaces.
- Secures unauthorized access, intercepts syscalls, and disrupts kernel functions
- Easy to detect with rootkit scanners or strong antivirus because it runs in ring 3 and tampers with app behavior
- Examples: Hacker Defender, r77, and Aphex
Memory rootkit
A memory rootkit runs in RAM.
- Consumes the compromised system's resources and impedes memory performance
- Easy to detect and eliminate
Rootkit attack examples
Rootkits have been used in some of the most notorious cyber incidents. Here are a few recent examples that demonstrate their impact:
- UNC3886's use of the Reptile and Medusa rootkits (2024): A suspected Chinese threat actor, UNC3886, employed open-source rootkits named 'Reptile' and 'Medusa' to maintain covert access on VMware ESXi virtual machines. This allowed them to conduct credential theft, execute commands, and move laterally within networks.
- Krasue Linux rootkit (2023): Active since 2020, the Krasue rootkit targeted organizations in Thailand, particularly in the telecommunications sector. It hooked into system calls to hide its activities, evading detection for over two years.
- Symbiote and OrBit rootkits (2022): Wiz discovered Linux rootkits that leveraged dynamic linker hijacking (LD_PRELOAD) to evade detection, harvest credentials, and provide stealthy remote access. Symbiote operates as both a backdoor and a rootkit, hooking libc and libpcap functions, while OrBit modifies the loader's behavior to ensure persistence.
- Chinese hackers' rootkit deployment (2021): Chinese threat actors deployed a new rootkit to spy on targeted Windows 10 users, executing in-memory implants that could install additional payloads at runtime.
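The dynamic linker hijacking used by Symbiote and OrBit leaves footprints that a defender can look for on a Linux host: entries in /etc/ld.so.preload, an LD_PRELOAD variable in a process's environment, and shared objects mapped from outside the normal library directories (or unlinked after loading). The following Python is an added example, not code from this page or from Wiz; the `/tmp/.x/libhook.so` path, the environ and maps snippets are constructed sample data, and `TRUSTED_LIB_DIRS` is an assumption to tune per image.

```python
# Assumption: legitimate shared objects live under these prefixes; tune per image.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def preload_entries(ld_so_preload_text):
    """Active lines of /etc/ld.so.preload. Clean hosts normally have none."""
    return [ln.strip() for ln in ld_so_preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def env_preload(environ_bytes):
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry.split(b"=", 1)[1].decode(errors="replace")
    return None

def mapped_shared_objects(maps_text):
    """Distinct file-backed .so paths from /proc/<pid>/maps (sixth column)."""
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            paths.add(parts[5])
    return paths

def suspicious_libraries(mapped, trusted=TRUSTED_LIB_DIRS):
    """Mapped .so outside trusted dirs, or '(deleted)' (file unlinked after load)."""
    return sorted(p for p in mapped
                  if p.endswith("(deleted)") or not p.startswith(trusted))

def assess_process(ld_so_preload_text, environ_bytes, maps_text):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = [f"ld.so.preload entry: {p}" for p in preload_entries(ld_so_preload_text)]
    pre = env_preload(environ_bytes)
    if pre:
        findings.append(f"LD_PRELOAD set: {pre}")
    findings += [f"unexpected mapped library: {p}"
                 for p in suspicious_libraries(mapped_shared_objects(maps_text))]
    return findings

# Constructed sample inputs (not real data): a clean process and a hooked one.
CLEAN_MAPS = ("7f8a1c000000-7f8a1c1b0000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
              "7f8a1c200000-7f8a1c240000 r-xp 00000000 08:01 132 /usr/lib/x86_64-linux-gnu/libpcap.so.1\n")
HOOKED_MAPS = CLEAN_MAPS + "7f8a1c300000-7f8a1c310000 r-xp 00000000 08:01 133 /tmp/.x/libhook.so (deleted)\n"
HOOKED_ENV = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0"

if __name__ == "__main__":
    for finding in assess_process("/tmp/.x/libhook.so\n", HOOKED_ENV, HOOKED_MAPS):
        print(finding)
```

On a live host, feed the same functions the contents of /etc/ld.so.preload, /proc/<pid>/environ and /proc/<pid>/maps for each process of interest; a rootkit that hooks the libc calls used to read those files can still lie, so compare against a memory image or a boot-time scan when the stakes are high.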
Detecting, preventing, and removing rootkits
Rootkits are stealthy threats that require multiple complementary detection and prevention strategies to mitigate effectively. Here's how to uncover and defend against them at every layer of your infrastructure.
Detection mechanisms
Rootkit detection requires multiple complementary approaches because these threats target different system layers and employ varying concealment techniques. No single detection method can identify all rootkit variants effectively.
Each detection mechanism serves specific scenarios based on the rootkit's target location and sophistication level:
| Detection Method | How It Works | Best for... |
|---|---|---|
| Behavioral analysis | Monitors for unusual activity like hidden processes, unexpected privilege escalation, or suspicious network connections | Identifying active rootkit behavior |
| Memory forensics | Analyzes running processes and memory dumps to find unauthorized code modifications | Detecting kernel-level rootkits |
| Integrity monitoring | Compares current system files against known-good baselines to identify tampering | Finding file-based rootkit modifications |
| Cross-view detection | Compares what the OS reports against direct hardware queries to reveal hidden discrepancies | Exposing rootkits that manipulate OS-level reporting |
| Boot-time scanning | Examines the system before the OS loads, preventing rootkits from interfering with the scan | Detecting bootkits and firmware rootkits |
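The cross-view row of the table, as an added example that is not code from this page or from Wiz: it takes the process list the OS reports through readdir() on /proc (the view ps and most agents use) and an independent view obtained by asking the kernel about every possible PID with kill(pid, 0), then reports PIDs present only in the second view. Linux-only; the probing pass is slow on hosts with a large pid_max.

```python
import os

def pids_from_procfs():
    """The process list as the OS reports it: numeric entries of readdir('/proc').
    This is the view a rootkit typically filters."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_by_probing(pid_max=None):
    """Independent view: probe every PID with kill(pid, 0).
    EPERM still means the process exists; only ESRCH means it does not."""
    if pid_max is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                pid_max = int(f.read())
        except OSError:
            pid_max = 32768  # fallback when pid_max is not readable
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, just not ours to signal
        alive.add(pid)
    return alive

def is_thread(pid):
    """kill() also accepts thread IDs. A TID whose Tgid differs from itself is a
    thread of a visible process, not a hidden process. A missing or unreadable
    status file is NOT treated as a thread, so a fully hidden entry stays suspicious."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def cross_view_diff(reported, probed, thread_check=is_thread):
    """PIDs the kernel confirms but the reported view omits, threads filtered out."""
    return sorted(p for p in probed - reported if not thread_check(p))

if __name__ == "__main__":
    hidden = cross_view_diff(pids_from_procfs(), pids_by_probing())
    print("PIDs hidden from /proc listing:", hidden or "none")
```

A process that exits between the two scans shows up as a transient difference, so confirm hits with a second pass. A kernel-mode rootkit that hooks kill() as well as the directory-listing path defeats this particular pair of views, which is why the table lists cross-view detection alongside memory forensics and boot-time scanning rather than on its own.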
Cloud rootkit prevention demands specialized strategies for distributed infrastructure and shared security responsibilities. Unlike traditional on-premises environments, cloud security operates under a shared responsibility model where providers secure infrastructure while customers protect their applications and data.
This division of responsibility requires adapting rootkit prevention techniques to work within cloud-native architectures and security frameworks.
Prevention in cloud environments
- Consistent software updates and patch management: Utilize cloud services for automatic software updates and patch management to keep operating systems, applications, and cloud infrastructure components up to date.
- Cloud-native security tools: Leverage the cloud provider's native security tools and services that offer antivirus and anti-malware capabilities, ensuring they're configured for automatic updates and regular scans.
- Identity and access management (IAM):
  - Utilize the cloud provider's IAM services to manage access to cloud resources securely.
  - Implement the principle of least privilege (PoLP) for all cloud accounts and services.
  - Employ multifactor authentication for accessing cloud environments.
- Secure configuration and hardening:
  - Follow the cloud provider's best practices for securing and hardening cloud environments.
  - Disable unnecessary services and APIs.
  - Use security groups and network ACLs to control inbound and outbound traffic.
- Encryption and secure data storage: Use encryption for data at rest and in transit. Ensure cloud storage services are configured with appropriate access controls.
- Implement cloud security posture management (CSPM): Use CSPM tools to automatically detect and remediate misconfigurations and non-compliance with security policies.
Detection in cloud environments
- Cloud monitoring and logging:
  - Enable the cloud provider's logging and monitoring services (e.g., AWS CloudTrail, Azure Monitor, Google Cloud Operations Suite) to detect unusual activities that could indicate a rootkit.
  - Implement a centralized logging solution for better visibility across cloud and on-premises environments.
- Anomaly detection:
  - Utilize cloud-based intrusion detection and prevention systems that offer anomaly detection capabilities.
  - Leverage machine learning and AI-driven security solutions provided by cloud services to detect unusual behavior patterns and behavioral cloud indicators of compromise (IOCs).
- File integrity monitoring (FIM): Use FIM solutions that are compatible with cloud environments to monitor changes to critical files and configurations.
- Network traffic analysis: Employ cloud-native or third-party network traffic analysis tools to monitor for suspicious network activity that indicates rootkit communication.
Response in cloud environments
- Cloud-specific incident response plan: Adapt your incident response plan to include cloud-specific processes and procedures, leveraging cloud provider tools for isolation and mitigation.
- Snapshot and backup: Regularly create snapshots and backups of cloud workloads and data. In case of a rootkit infection, these can be used to restore a known good state.
- Automate response actions: Utilize cloud services to automate response actions, such as isolating infected instances, revoking access, and deploying clean instances.
- Post-incident cloud forensics: Take advantage of cloud-native forensic tools and capabilities to analyze rootkit attacks, maintaining chain of custody and leveraging cloud logs for investigation.
Ensure you understand the specific features and services your cloud provider offers, and stay informed of the latest cloud security trends and threats. Collaboration with your cloud provider and continuous security assessments are key to protecting cloud environments from rootkits and other sophisticated attacks.
Preventing rootkit attacks with Wiz
Wiz's cloud security platform provides advanced rootkit detection and prevention capabilities designed specifically for cloud environments. By combining runtime analysis with behavioral monitoring, Wiz identifies rootkit activity that traditional security tools often miss.
The platform's comprehensive approach includes:
- Runtime analysis: Wiz can analyze running processes and loaded libraries within your cloud environment. This can help detect anomalies that might indicate a rootkit hiding processes or modifying system behavior through techniques like dynamic linker hijacking.
- Drift detection: For containerized workloads, Wiz can detect changes in loaded libraries after the initial deployment. This helps identify whether a rootkit has been injected into the container and altered its runtime behavior.
- File integrity monitoring: Wiz can monitor the integrity of system files and identify rootkit-related modifications by comparing file hashes to a known good baseline.
- Cloud workload protection platform (CWPP) features: As a CWPP solution, Wiz offers advanced threat detection capabilities that can unearth hidden activities. This includes looking for suspicious system calls, network connections, and process behavior that might indicate a rootkit at work.
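The baseline comparison that the file integrity monitoring entries describe (the detection table row, the cloud detection item, and the feature above), as an added example that is not Wiz's code: it records a hash, permission bits and size for every regular file under a root, then classifies drift into added, missing and modified paths. The `demo()` tree (`bin/ls`, `bin/ps`, `etc/passwd`, the planted `etc/ld.so.preload`) is constructed sample data; in practice the known-good baseline must be stored off-host or read-only, because a rootkit with root can rewrite a baseline kept beside the files it protects.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative path) to (sha256, mode, size); symlinks skipped."""
    baseline = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[str(path.relative_to(root))] = (sha256_file(path), st.st_mode & 0o7777, st.st_size)
    return baseline

def compare_baseline(known_good, current):
    """Classify drift. 'modified' covers content or permission changes: a setuid bit
    appearing on a system binary matters as much as new bytes inside it."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "missing": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in known_good.keys() & current.keys()
                           if known_good[p] != current[p]),
    }

def demo():
    """Constructed scenario, not real system data: baseline a fake tree, then tamper with it."""
    root = Path(tempfile.mkdtemp())
    try:
        for rel, data in {"bin/ls": b"ls v1", "bin/ps": b"ps v1", "etc/passwd": b"root:x:0:0"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        known_good = build_baseline(root)                              # keep this copy off-host
        (root / "bin/ps").write_bytes(b"ps v1 + hook")                  # trojaned binary
        (root / "etc/ld.so.preload").write_bytes(b"/lib/libhook.so\n")  # new preload entry
        (root / "bin/ls").unlink()                                      # removed file
        return compare_baseline(known_good, build_baseline(root))
    finally:
        shutil.rmtree(root)
```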
Wiz's CNAPP helps you assess security risks (such as out-of-date software, misconfigurations, and anomalies) across all cloud workloads, libraries, and dependencies. To see how Wiz's comprehensive approach can protect your organization from rootkits and other advanced threats, request a demo today.