Rootkit attack example: Rootkits that put the hacker in control
Rootkits are at the heart of the hacker’s illegal work, allowing them to gain control over a computer system, but many are unfamiliar with the term. Below, we take an in-depth look at what rootkits are and how you can keep an eye on the malicious activity in your devices and operating systems. For a more detailed understanding of what malware entails, check out our guide on what is malware.
What are rootkits?
Cyber threats might not be the first thing that comes to mind when you hear the word rootkit, but rootkit malware is at the heart of what hackers do in cybercrime.
Rootkit is a contraction of “root” and “kit”. Root refers to “admin”, which is an administrator. Kit is another word for tools for the software. Therefore, a rootkit is a set of tools that gives someone the role of an administrator - or, as they are also called in the cyber world, privileged users - on websites and systems.
This is one of the reasons why rootkits are so dangerous, because malicious actors can gain the role of a privileged user and thus access to multiple systems and data. Usually, privileged users are IT managers because they need to be able to access all functions that employees can access - if there’s a problem, IT needs to be able to fix it. This makes them an attractive target for hackers, as they can access more via the IT manager’s profile than if they gain access via an employee in, for example, the sales department. If the hacker targets a person from sales, they will only have access to a limited amount of data compared to the data IT has access to.
Invisible activity
Another thing that makes rootkits dangerous is that you can’t detect the hacker’s activity on the device they are hacking. If a hacker manages to get a rootkit on your device, they can sit and circumvent the device from a remote location. Typically, they can get rootkits on the victim’s devices through phishing. This means that the hacker has sent an email with a malicious link and the victim has clicked on it - thus installing the rootkit on the device.
Rootkits can be used to:
-
Monitor activities
-
Steal sensitive data
-
Delete or disable antivirus software programs
-
Install malware
You might think that rootkits are viruses that get installed on devices. But it’s actually a type of malware. In principle, viruses are also malware, but only one type of malware - rootkits have a lot more functions than normal viruses.
The danger of rootkits
As mentioned, rootkits are a more dangerous type of malware. But it also requires a bit of elaboration.
User mode rootkits operate at the user level of an operating system, modifying system libraries or applications to conceal their presence and pose significant security risks.
The first reason why rootkits are something to be cautious of is that they are more insidious than other types of malware. We’ve already mentioned that they can’t be detected immediately, but they can also spread through downloads, phishing emails and other tools hackers use when hacking. This can be done, for example, by using Trojans that hide malware behind software that looks legitimate and safe. If you'd like to learn more about Trojans and their impact, explore our detailed guide on what is a Trojan.
Rootkits will not attract attention if installed on a device, and you will not experience any major symptoms that the device is infected. This means that they can even bypass security programs. Therefore, one of the only solutions to make sure you don’t have rootkits on your device is to format the device’s drive and reinstall the operating system.
Finally, rootkits’ many features are also a threat to our software and devices. Experts call rootkits a Swiss Army knife, because it can do so many different things. Some rootkits can steal and install:
-
Keyloggers
-
Login credentials
-
Disable security protocols
-
Sensitive data
-
Monitor activities
Other rootkits can force access to systems and install even more malware on the device. If a hacker possesses the right rootkit, they can install and deploy a bot, expanding their botnet
Different types of rootkits
There are many different types of rootkits and they are used according to need and purpose:
-
Firmware rootkit: This is a type of rootkit that exploits the role of firmware on devices. Firmware is a type of software that provides basic control over the specific hardware it's coded for. There's firmware on every device, from tablets and phones, to our washing machines and TVs. Because it's such a basic element in technology, detecting rootkits in firmware can be a challenge - this makes it a difficult rootkit for security professionals to discover and thus an even more attractive malware for hackers.
-
Memory rootkit: A memory rootkit attaches itself to your computer's RAM, which is short-term storage on your computer. It stores information that is being actively used so that the information stored in RAM can be accessed quickly and easily. Memory rootkits can slow down your computer's processor because it has been affected by malware. Additionally, you can typically remove the memory rootkit by restarting your computer, as a restart clears the RAM - and thus removes the rootkit that has attached itself to the RAM.
-
Kernel rootkit: The kernel is the core of your operating system. It is therefore a critical part of your device and getting a rootkit attached to it can do a lot of damage. The rootkit attacks essential functions of your operating system, giving the hacker control over vital elements of your device.
-
Bootloader rootkit: A computer's bootloader boots systems when you turn on the device. In other words, the bootloader loads the operating system. A rootkit that attaches itself to this function will affect the software and operating system before it's ready to launch and boot. Bootloader rootkits are not as dangerous as some of the other types of rootkits as they have built-in security on most devices.
-
Application rootkit: This is a type of rootkit that modifies existing apps and files on your device. So every time you use the programs, the hacker can keep track of your activities. However, this is one of the most obvious rootkits and is therefore easy to detect as it will often cause programs and files to behave oddly.
Rootkit Techniques and Tactics
Rootkits employ various techniques and tactics to evade detection, gain unauthorized access, and maintain control over a compromised system. Understanding these methods is crucial for effective rootkit detection and prevention. Some common techniques used by rootkits include:
-
Kernel mode manipulation: Kernel mode rootkits modify the operating system’s kernel to gain privileged access and control over the system. By embedding themselves in the core of the operating system, these rootkits can execute commands with the highest level of authority, making them particularly dangerous and difficult to detect.
-
Code injection: Rootkits inject malicious code into legitimate system processes to hide their presence and execute unauthorized actions. This technique allows the rootkit to blend in with normal system operations, making it harder for security software to identify the malicious activity.
-
API hooking: Rootkits intercept and modify system calls to manipulate the behavior of applications and system components. By altering the way applications interact with the operating system, rootkits can conceal their activities and maintain control over the compromised system.
-
File system manipulation: Rootkits modify or replace system files to conceal their presence and avoid detection. This can involve altering critical system files or creating hidden files that are not visible to standard file management tools.
-
Network traffic manipulation: Rootkits intercept and modify network traffic to steal sensitive information or communicate with command and control servers. This allows hackers to exfiltrate data or receive instructions without raising suspicion.
Symptoms of rootkit infection
Rootkit infections can manifest in various ways, making it challenging to detect their presence. Being aware of the symptoms can help in early detection and mitigation. Some common symptoms of rootkit infection include:
Unexplained system crashes or freezes: Rootkits can cause system instability and crashes by modifying system files or injecting malicious code. If your computer frequently crashes or freezes without a clear reason, it could be a sign of a rootkit infection.
Slow system performance: Rootkits can consume system resources, leading to slow performance and responsiveness. If your computer suddenly becomes sluggish, it might be due to a rootkit consuming CPU and memory resources.
Unusual network activity: Rootkits can communicate with command and control servers, leading to unusual network activity and data transmission. Monitoring your network for unexpected data transfers can help in identifying potential rootkit infections.
Modified system settings: Rootkits can modify system settings, such as registry entries or configuration files, to maintain their presence and control. If you notice changes to your system settings that you did not make, it could be a sign of a rootkit.
Difficulty running security software: Rootkits can disable or block security software to avoid detection and removal. If your antivirus or other security programs are not functioning correctly, it might be due to a rootkit interfering with their operation.
Notable rootkit attacks
Several notable rootkit attacks have been reported in recent years, highlighting the severity and impact of these types of malware. Some examples include:
-
Stuxnet: A highly sophisticated kernel mode rootkit that targeted industrial control systems in Iran. Stuxnet was designed to sabotage Iran’s nuclear program by causing physical damage to centrifuges, demonstrating the potential for rootkits to cause real-world harm. If you're interested in learning about this attack, check out our article on Stuxnet: The first digital weapon.
-
Duqu: A complex rootkit that targeted various organizations worldwide, predominantly in Iran. Duqu was used for cyber espionage, collecting information to facilitate future attacks, and showcased the use of rootkits in long-term, strategic cyber operations.
-
Flame: A highly sophisticated and complex cyber espionage tool that targeted Middle Eastern countries. Flame was capable of recording audio, capturing screenshots, and logging keystrokes, making it one of the most versatile and dangerous rootkits ever discovered.
-
ZeroAccess: A kernel mode rootkit that infected millions of computers worldwide, primarily in the United States and Europe. ZeroAccess was used to create a botnet for various malicious activities, including click fraud and Bitcoin mining, highlighting the financial motivations behind many rootkit attacks.
-
Spicy Hot Pot: An advanced persistent threat (APT) group associated with the Chinese government, which used rootkits to compromise systems and steal sensitive information. This attack underscored the use of rootkits in state-sponsored cyber espionage and the ongoing threat posed by nation-state actors.
These examples demonstrate the severity and impact of rootkit attacks, highlighting the need for robust detection, prevention, and removal measures to protect against these types of malware.
Dealing with rootkit detection
You can detect rootkits by, e.g., noticing if your
-
systems crash
-
software fails
-
antivirus software programs crash
In addition, there are various things you can do to prevent rootkits from infecting your software and devices.
First of all, you can scan your systems for unidentified files, programs and threats. By scanning your devices, you can detect malware that can harm your device and systems.
Next, you can be aware of phishing as this is one of the methods hackers use to install malware and rootkits on your device. As always with cybersecurity, good cyber defense starts with employees being trained in cybersecurity. One of the first pieces of advice in awareness training is to avoid clicking on links and files in emails, because you never know if they contain malicious software. For a deeper understanding of phishing tactics and how to avoid them, check out our guide on what is phishing.
Finally, remember to keep your devices and software updated, as it is through holes in software and operating systems that hackers are able to penetrate. Updates contain patches that patch the holes, making it harder for cybercriminals to get through.
This post has been updated on 22-01-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
View all posts by Sarah Krarup