What Is a Rootkit? How Rootkits Work, Their Types & Detection
A rootkit gives an attacker deep, privileged control of a system while hiding its own presence — and that of other malware — from the operating system and security tools. Here's how they work.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
A rootkit is a type of malware designed to do two things at once: grant an attacker deep, privileged ("root") control over a system, and hide its own presence — and often the presence of other malware — from the operating system, the user, and security tools. The name combines "root" (the highest level of access on Unix-like systems) with "kit" (the toolset used to obtain and keep it). A rootkit's defining quality is stealth: its whole purpose is to make sure no one knows it's there.
In short: most malware tries to do damage; a rootkit tries to make sure you never find out it exists. That stealth is what makes rootkits among the most dangerous and hardest-to-remove threats in cybersecurity.
How a rootkit works
Rootkits achieve concealment by inserting themselves between you and the truth about your system. When a security tool or the operating system asks "what files, processes, and network connections exist?", a rootkit intercepts that request and edits the answer — removing itself and anything it's protecting from the list. This interception is often done by "hooking" system calls or manipulating the data structures the OS relies on.
The deeper a rootkit sits in the system's layers, the more powerful and harder to detect it becomes — because it can lie to everything running above it. A rootkit operating at the kernel level can deceive every application, including your antivirus, because those tools depend on the very system it has compromised.
How rootkits get installed
A rootkit usually isn't the initial infection — it's what an attacker installs after gaining access, to maintain it. Common routes include:
- Riding in as the payload of a trojan the user was tricked into running.
- Exploiting an unpatched vulnerability to gain the privileges needed to install at a deep level.
- Bundling with pirated software, malicious drivers, or compromised updates.
- Physical access or supply-chain tampering, in the case of firmware rootkits.
Types of rootkits
Rootkits are classified by how deep in the system they operate — from least to most dangerous:
- User-mode rootkits operate at the application level. They're the easiest to detect and remove because they run with the same privileges as normal programs.
- Kernel-mode rootkits run inside the operating system's core. With this level of control they can hide almost anything and subvert security tools directly — far more dangerous and harder to find.
- Bootkits infect the boot process (the bootloader or Master Boot Record) so the rootkit loads before the operating system and its defenses even start.
- Firmware / hardware rootkits hide in the firmware of the BIOS/UEFI, network card, or other hardware. They can survive operating-system reinstalls and even hard-drive replacement, making them extraordinarily persistent.
- Hypervisor (virtualized) rootkits sit beneath the operating system itself, running it inside a virtual machine the rootkit controls — a largely research-level but conceptually severe threat.
Why rootkits are so dangerous
- They hide other threats. A rootkit can conceal keyloggers, backdoors, and spyware, letting an attacker maintain long-term, undetected access.
- They blind your defenses. Because they subvert the OS, the security tools you'd normally rely on may report a clean system.
- They enable persistence. Rootkits are a favorite of advanced persistent threats precisely because they keep access alive for months or years.
- They can survive cleanup. Firmware and boot-level rootkits can persist through the very steps people use to recover.
How to detect a rootkit
Detecting something built specifically to avoid detection is hard, but several approaches work:
- Behavioral detection. Modern EDR watches for the suspicious behavior of installing hooks or tampering with the kernel, rather than trusting the system's own reporting.
- Difference-based / cross-view detection. Comparing what the operating system reports against what a lower-level or external scan finds — discrepancies reveal what the rootkit is hiding.
- Memory analysis. Examining a raw memory dump can expose a rootkit that's invisible while the system is running normally.
- Offline / external scanning. Booting from clean, trusted external media (so the rootkit isn't running) and scanning the disk from outside its control.
- Boot integrity checks. Secure Boot refuses to load unsigned boot components, and measured boot records what actually ran (typically into a TPM) so tampering with the boot chain can be detected and attested after the fact.
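The cross-view idea above (compare what the OS reports with a second, independent view) as a worked example. This is added code, not from the original article: it contrasts the /proc directory listing on Linux, which is the view a hooked readdir would edit, with a per-PID probe via kill(pid, 0), which asks the kernel about each PID directly. Function names and the sample PID sets are this example's own; the live probe walks PIDs up to pid_max, so it takes a few seconds, and a kernel rootkit that hooks both code paths would defeat it, which is exactly why the article pairs this method with memory analysis and offline scanning.

```python
import os

def proc_listing_view():
    """View 1: PIDs as reported by listing /proc (what the OS 'says')."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def signal_probe_view(max_pid=None):
    """View 2: PIDs that exist according to kill(pid, 0), probed one by one.
    Signal 0 delivers nothing; it only asks the kernel whether the PID exists.
    ESRCH -> no such process; EPERM -> exists but belongs to another user."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def cross_view(listed, probed):
    """Compare the two views. 'hidden' = acknowledged by the probe but absent
    from the listing (rootkit-style concealment); 'phantom' = listed but gone
    by probe time, usually a process that exited between snapshots."""
    return {"hidden": probed - listed, "phantom": listed - probed}

def live_check():
    """Take the listing before and after the probe so a process that started
    during the (slow) probe is not misreported as hidden."""
    before = proc_listing_view()
    probed = signal_probe_view()
    after = proc_listing_view()
    return cross_view(before | after, probed)

# Constructed sample: a rootkit filters PID 4242 out of the /proc listing,
# but the kernel still acknowledges it when asked about that PID directly.
SAMPLE_LISTED = {1, 2, 100, 1337}
SAMPLE_PROBED = {1, 2, 100, 1337, 4242}

def demo():
    return cross_view(SAMPLE_LISTED, SAMPLE_PROBED)

if __name__ == "__main__":
    print("constructed sample:", demo())
    print("live hidden PIDs:", sorted(live_check()["hidden"]))
```

Any PID reported under "hidden" on a live host deserves a look with an independent tool (a memory image or an offline scan), not just a second run of this script.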
How to remove a rootkit
For user-mode rootkits, specialized removal tools may suffice. But for kernel-mode and deeper rootkits, the only reliable answer is usually to wipe and rebuild the system from known-good media, because you can't trust a compromised OS to clean itself. Firmware rootkits may additionally require re-flashing firmware or, in the worst case, replacing hardware. This is also why rootkit infections should be treated as a serious incident: assume that any credentials used on the machine are compromised and reset them from a clean device.
Notable rootkit examples
Real cases show how varied rootkits can be:
- Sony BMG (2005): a copy-protection system on music CDs secretly installed rootkit-like software on listeners' computers to hide itself — a scandal that pushed the term "rootkit" into mainstream awareness and demonstrated the privacy and security dangers of stealth software.
- TDL-4 / TDSS: an advanced bootkit that infected the Master Boot Record to load before Windows, powering a large and resilient botnet that was notoriously hard to remove.
- Stuxnet: the famous industrial-sabotage worm used rootkit components to hide its presence on both Windows systems and the targeted control systems.
- Firmware rootkits like LoJax: demonstrated UEFI firmware infection that survives operating-system reinstalls and hard-drive replacement — the most persistent class of all.
Across these examples, the common thread is the trade of effort for persistence: rootkits take more skill to build and deploy, but they reward attackers with control that's exceptionally hard to detect and eradicate.
Where threat intelligence fits
Because rootkits are stealthy and often tied to sophisticated actors, knowing the techniques and indicators associated with active rootkit campaigns is invaluable. Threat intelligence and malware analysis reveal how specific rootkits hook the system and what artifacts they leave, giving defenders concrete behaviors to hunt for even when the rootkit is doing its best to stay invisible.
The bottom line
A rootkit is malware built for privileged control and stealth — it hides itself and other threats by subverting the system that's supposed to detect it. The deeper it runs (user-mode, kernel, bootkit, firmware), the more dangerous and persistent it becomes. Detection relies on behavioral EDR, cross-view and memory analysis, and trusted offline scanning, while removal of deep rootkits typically means rebuilding from clean media. To stay aware of the stealthy threats circulating today, follow our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is a rootkit?
A rootkit is malware designed to give an attacker deep, privileged control of a system while hiding its own presence — and often other malware — from the operating system, the user, and security tools. Its defining feature is stealth.
What are the types of rootkits?
From least to most dangerous: user-mode rootkits (application level), kernel-mode rootkits (inside the OS core), bootkits (infect the boot process), firmware/hardware rootkits (hide in BIOS/UEFI or hardware), and hypervisor rootkits (run the OS inside a virtual machine they control).
How do you detect a rootkit?
Use behavior-based EDR, cross-view (difference-based) detection that compares OS reports against lower-level scans, memory analysis, and offline scanning from trusted external media. Boot integrity features like Secure Boot help detect boot-level tampering.
How do you remove a rootkit?
User-mode rootkits may be removed with specialized tools, but kernel-mode and deeper rootkits usually require wiping and rebuilding the system from known-good media, since a compromised OS can't be trusted to clean itself. Firmware rootkits may need firmware re-flashing or hardware replacement.
Why are rootkits so hard to detect?
Rootkits insert themselves between you and the system's true state, intercepting requests and editing the answers to hide themselves. A kernel-level rootkit can deceive every application above it, including antivirus, because those tools rely on the very system it has compromised.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: