Rootkits Uncovered: What They Are and Why You Should Care

Shireen Stephenson, published August 21, 2025

Perhaps you’ve never clicked on a shady link or downloaded a suspicious file.

But despite all that, you still installed malware on your device. 

How? 

By doing something completely innocent: playing a music CD.

In 2005, Mark Russinovich (a security expert and co-creator of a rootkit detection tool) did just that and made an alarming discovery: a rootkit on his computer. 

And it involved one of the biggest, most trusted names in entertainment: Sony BMG.  

After discovering the rootkit, Russinovich launched an investigation. His findings set off an uproar among music lovers, privacy advocates, and security experts. 

To which Sony BMG President Thomas Hesse famously quipped, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” His response led many to ask an important question. 

What exactly does a rootkit do? 

The year was 2005, and it was Halloween. 

Russinovich was looking forward to enjoying some music. 

He just never dreamed an innocent Van Zant CD could prompt extensive media coverage, federal investigations, class action lawsuits, and even a call to boycott Sony products.

But it did.  

And here’s how it started. After Russinovich accepted an EULA (end-user license agreement) to play the CD, a rootkit was installed on his device without his being any the wiser.

Russinovich wasn’t the only victim: About 25 million CDs were affected, and the rootkit turned up on over 500,000 networks around the world, including thousands of US military and defense networks.

After burrowing deep into Windows systems, here’s what the rootkit did:

  • It hid Sony’s DRM (Digital Rights Management) software from antivirus programs. Sony insisted the DRM was necessary to prevent digital piracy. But hackers capitalized on this announcement by creating a trojan (variously known as Backdoor.Ryknos, Breplibot, or Stinx-E4) that exploited the cloaking.

After a huge public outcry, the company released an uninstaller, with disastrous results. Not only did the tool fail to remove the rootkit, it introduced further security risks, including the installation of additional software that could itself be exploited.

  • The rootkit allowed attackers to modify user data, hold computers hostage (for a ransom), and steal sensitive information like passwords, financial records, and corporate secrets. 
  • The rootkit also had “phone-home” features that sent information about user IP addresses and listening habits back to Sony BMG. This data collection occurred without proper disclosure or user consent, violating users’ privacy.

In short, the Sony BMG scandal is a real-world example of what happens when a rootkit is unleashed: It buries itself deep in your system and lets attackers spy on you and steal your data, all without your knowledge.

How many types of rootkits are there? 

Now that you know what a rootkit is, we’re going to take a closer look at the different types of rootkits you’re likely to encounter. 

Knowing these types is your first line of defense, because once you recognize the enemy’s tactics, you can better protect your data. 

Rootkit types at a glance (type, where it hides, what it does, why it’s dangerous):

Firmware rootkits
  Where it hides: In device firmware like BIOS or UEFI
  What it does: Provides attackers persistent control over a device and can intercept, modify, or hide data or system events at the hardware level
  Why it’s dangerous:
  • Almost impossible to detect or remove
  • Survives reinstallation of the OS

Kernel mode rootkits
  Where it hides: Deep in the core of your OS (the kernel)
  What it does: Installs as kernel drivers to intercept event notification callbacks, which are the documented OS interfaces that process system events
  Why it’s dangerous:
  • Hardest to detect
  • Operates with the highest OS privileges, which gives unrestricted access to your entire system

User mode: Application rootkits
  Where it hides: In regular user programs and applications
  What it does: Manipulates application-level binaries and falsifies return data in response to app requests
  Why it’s dangerous:
  • Hides indicators of compromise from antivirus tools

User mode: Library-level rootkits
  Where it hides: Inside system libraries (e.g. dynamic link libraries)
  What it does: Modifies functions in system libraries to alter application behavior and intercepts API calls without changing the application
  Why it’s dangerous:
  • Allows attackers to replace standard system library files with malicious versions

Bootloaders (bootkits)
  Where it hides: In the boot system that starts your OS
  What it does: Infects your computer before the OS loads
  Why it’s dangerous:
  • Controls your system from the very start
  • Attacks critical boot components like the BIOS firmware, master boot record, volume boot record, and the OS bootloader

Virtual or hypervisor rootkits
  Where it hides: Control through a hypervisor on a virtual machine
  What it does: Intercepts and manipulates hardware calls, OS operations, and virtual machine activities
  Why it’s dangerous:
  • Operates below the OS by hijacking a hypervisor, the software layer that controls virtual machines
  • Difficult to detect because it hides below the OS

Memory rootkits
  Where it hides: Temporary storage (RAM) during operation
  What it does: Loads into memory and disappears after reboot

Source: Rootkits and bootkits: Reversing modern malware and next generation threats by Alex Matrosov 
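The user-mode rows above describe rootkits that falsify what an application gets back when it asks for a list of processes. The defender’s classic counter is cross-view detection: gather the same information two independent ways and look for disagreements. The script below is an added example, not code from the original post or from the book cited above; it assumes Linux with /proc mounted, and the function names are my own.

```python
"""Cross-view process detection (added example; assumes Linux with /proc).
A rootkit that filters the /proc listing cannot also stop the kernel from
answering a null-signal probe, so a PID that answers the probe but is
missing from the listing deserves a closer look."""
import os

def read_pid_max(default=32768):
    """Upper bound of the PID space; the default is a constructed fallback."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return default

def list_proc_pids():
    """High-level view: every process and thread ID that /proc exposes.
    Threads answer kill() probes too but only appear under /proc/<pid>/task/,
    so they must be included or every multithreaded process looks hidden."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:  # the process exited between the two listings
            pass
    return ids

def probe_pids(max_pid):
    """Low-level view: os.kill(pid, 0) delivers nothing but reports whether the
    PID exists; PermissionError means it exists and belongs to another user."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def hidden_pids(listed_before, probed, listed_after):
    """IDs that answered the probe yet appear in neither /proc listing. Listing
    before and after the probe discounts processes that start or exit while
    it runs; only a process living entirely inside the probe window slips by."""
    return sorted(probed - listed_before - listed_after)

def scan():
    """Run both views back to back and return the suspect IDs."""
    before = list_proc_pids()
    probed = probe_pids(read_pid_max())
    after = list_proc_pids()
    return hidden_pids(before, probed, after)

if __name__ == "__main__":
    suspects = scan()
    print("hidden process IDs:", suspects if suspects else "none")
```

A non-empty result is a lead, not a verdict: re-run the scan to rule out a short-lived process, then inspect the surviving IDs from a trusted boot medium, since a kernel-mode rootkit can lie to both views.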

As can be seen, these rootkits share some common characteristics:

  • Typically weaponized after privilege escalation, when an attacker has obtained administrative or kernel-level access 
  • Designed to persist across system updates by cloaking malicious processes and tampered files 
  • Difficult to detect because they integrate deeply into system components 
  • Created to support lateral movement in espionage and data theft campaigns 

While stealthy, it’s important to know that rootkits can’t infect target systems on their own. They need help getting in, and this is where a dropper and a loader come in.

The dropper is like a delivery service. It comes in the form of a file or program that installs the rootkit on the target device. Droppers can be delivered via malicious downloads, social engineering, or a software bundle. 

Meanwhile, the loader (a piece of malicious code) takes over after the dropper is delivered. The loader ensures the rootkit loads with the OS. Some loaders can even load the rootkit before the OS starts (as happens with bootkits or firmware rootkits). 

Ultimately, the loader is a critical element in the stealth process, enabling the rootkit to embed itself deep within your system to avoid detection. 

Below, we take a closer look at some of the most infamous rootkits and highlight what makes them a formidable nemesis in cybersecurity. 

What are real-life examples of rootkits? 

When invisible sabotage becomes a weapon, the rules of warfare are forever changed. Here are the rootkits that have made headlines around the world: 

Stuxnet 

Launched as a covert cyber operation known as Operation Olympic Games, Stuxnet is a worm with a kernel-level rootkit. 

Although neither government has officially acknowledged responsibility, it’s widely accepted that the U.S. and Israel spearheaded the effort to disrupt Iran’s uranium enrichment program at the Natanz nuclear facility. 

Once inside Natanz, Stuxnet targeted the Siemens Step7 software that controls the programmable logic controllers (PLCs) in centrifuge motors. It altered the speed of centrifuges and caused them to tear apart. Stuxnet even managed to fake normal readings, so facility operators saw no issues. 

Although some sources say Stuxnet destroyed nearly 1,000 centrifuges, others say that figure may have been part of a disinformation campaign by Iran itself.

Either way, Stuxnet marked a turning point in warfare, exposing the vulnerabilities in critical infrastructure worldwide and demonstrating that code can be weaponized to blur the lines between espionage and acts of war. 

Flame 

Researchers have discovered that early versions of Stuxnet contained code modules derived from Flame, suggesting a shared development lineage. 

Both Flame and Stuxnet used the same Windows vulnerabilities - like the print spooler exploit (MS10-061) and the LNK exploit (MS10-046) - to spread within networks. 

The researchers believe that Flame may have served as a reconnaissance tool to gather intelligence that informed Stuxnet’s development. 

Unlike Stuxnet, which targeted Iran’s nuclear program, Flame was used for espionage. Its mission was to spy on the governments in Iran, Lebanon, Syria, Sudan, and Israel. 

This malware is impressively sophisticated. It’s loaded with at least 20 known modules that can be swapped with new ones as needed, allowing attackers to adapt the functionality of the rootkit on the fly.  

And that’s not all: Flame is capable of turning on microphones, activating webcams, logging keystrokes, and taking screenshots. It also hides deep inside system files and can evade detection by antivirus software. 

Experts believe Flame was created not by amateurs but by a powerful nation-state with immense resources (probably the same masterminds behind Stuxnet). 

CosmicStrand UEFI rootkit 

This rootkit takes over the boot process, giving attackers persistent access to your entire device. CosmicStrand embeds itself in UEFI firmware and loads before the OS. This makes it extremely stealthy and neither reinstalling the OS nor wiping the hard drive removes it. 

Multiple high-value organizations in Iran, China, and Vietnam have been targeted for espionage using this firmware-level rootkit.

FiveSys driver-signed rootkit

What happens when attackers steal a trusted certificate and use it to sneak past Windows security? FiveSys is the answer. Found lurking in gaming cheat tools targeting users in China, this rootkit exploited stolen credentials to install a man-in-the-middle proxy, stealing data and exporting it to attackers.  

FiveSys had a built-in list of 300 randomly generated domains to prevent takedown attempts.

Necurs rootkit 

Necurs was a massive botnet composed of millions of infected computers worldwide, which ran for nearly eight years. It was powered by both a user-mode and a kernel-mode rootkit, which allowed it to persist across system reboots.

At its height, Necurs was notorious for distributing banking trojans, ransomware, and spam emails promoting pump-and-dump investment scams. 

RESURGE 

In March 2025, CISA sent out alerts about state-sponsored hacking groups (specifically UNC5337 and Silk Typhoon). Both were caught deploying the RESURGE malware, replete with rootkit and backdoor capabilities. RESURGE is part of the SPAWNCHIMERA malware ecosystem and is designed for espionage. It poses national security risks because it targets Ivanti Connect Secure devices, which are often used in critical infrastructure and government networks.

FudModule rootkit 

The infamous Lazarus Group previously used a zero-day in Windows networking drivers to unleash FudModule, a rootkit designed to disable security software like Microsoft Defender and CrowdStrike Falcon.

In 2024, FudModule v3.0 represented a significant evolution in the malware’s capabilities. This version shifts from disarming security software to disabling crash dumps to protect its payload from detection and forensic analysis. 

Now that you know how rootkits work, the next question is obvious: How do you stop rootkits before they cause untold damage?  

Here's the cold reality: Rootkits are stealthy, dangerous, and notoriously hard to remove once they’ve settled in. Your best bet? Prevention.


How to prevent rootkit attacks 

Protecting your digital life requires smart habits and strong defenses that make it impossible for rootkits to slip in unnoticed.  

Here’s how you can protect your system and keep rootkits at bay:

  • Keep everything updated: Rootkits exploit outdated software, drivers, and firmware with known vulnerabilities. You’ll want to keep your OS, antivirus software, applications, and firmware updated.
  • Use strong MFA: Implement CISA-recommended FIDO2 MFA like passkeys or hardware security keys to prevent attackers from gaining the initial access they need to install rootkits and move laterally.
  • Implement strong authorization controls: Apply the principle of least privilege by giving users only the access they need. This restricts how far a rootkit can spread in your system.
  • Deploy advanced security tools: Use a Secure by Design password manager to create and encrypt login credentials. You’ll also want to move past traditional antivirus solutions to ones that offer rootkit-specific detection and continuous monitoring.
  • Secure the boot process: Rootkits often target the startup stage. Using modern boot security like UEFI with Secure Boot helps ensure your system only loads trusted software when it starts, blocking rootkits that try to sneak in at boot time.
  • Be careful with downloads and attachments: Most rootkits enter a system through malicious downloads, phishing emails, or infected USB drives. Only download files and software from verified, trusted sources, and be wary of links from unknown senders.
  • Regularly back up your data: In case prevention fails and a rootkit infection happens, having offline backups ensures you can restore your system without the rootkit keeping a foothold.
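The Secure Boot advice above is only worth something if enforcement is actually on, and on Linux the firmware tells you: it exposes its SecureBoot and SetupMode variables through efivarfs. The script below is an added example, not code from the original post; it assumes Linux with efivarfs mounted at /sys/firmware/efi/efivars, and the function names are my own.

```python
"""Report UEFI Secure Boot enforcement from efivarfs (added example; assumes Linux).
Each efivarfs file is a 4-byte attribute word followed by the variable payload;
SecureBoot and SetupMode each carry a single boolean byte."""
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID; efivarfs names variables <Name>-<GUID>
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

def parse_efivar_bool(raw):
    """Decode a one-byte boolean EFI variable; None if the blob is missing or
    too short to hold the 4 attribute bytes plus one data byte."""
    if raw is None or len(raw) < 5:
        return None
    return raw[4] != 0

def read_efivar(name, guid=EFI_GLOBAL_VARIABLE):
    """Raw efivarfs blob for <name>-<guid>, or None on a legacy BIOS/CSM boot
    or when efivarfs is not mounted."""
    try:
        return (EFIVARS / f"{name}-{guid}").read_bytes()
    except OSError:
        return None

def assess(secure_boot_raw, setup_mode_raw):
    """Combine the two variables into a verdict. 'setup-mode' means the firmware
    is accepting key enrollment and not enforcing signatures, which leaves the
    boot chain as exposed as 'disabled' does."""
    secure_boot = parse_efivar_bool(secure_boot_raw)
    setup_mode = parse_efivar_bool(setup_mode_raw)
    if secure_boot is None:
        return "unsupported"
    if setup_mode:
        return "setup-mode"
    return "enabled" if secure_boot else "disabled"

def secure_boot_state():
    """Live check of this machine."""
    return assess(read_efivar("SecureBoot"), read_efivar("SetupMode"))

if __name__ == "__main__":
    print("Secure Boot:", secure_boot_state())
```

On Windows the equivalent check is the Confirm-SecureBootUEFI PowerShell cmdlet; either way, anything other than "enabled" means the bootkit protection described above is not in force.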

Now that you know how to prevent rootkits from sneaking past your defenses, here’s the good news: LastPass can be your first-line ally in stopping rootkits even before they negatively impact your life.

With LastPass, you get: 

  • World class encryption and hardened security infrastructure

Your vault data is protected with AES-256 encryption and 600,000 rounds of PBKDF2-SHA-256 hashing plus salting.  

And our hardened infrastructure means best-in-breed cloud-native security controls and continuous monitoring. The entire system is relentlessly guarded and constantly updated to block attackers.  

What this means for you: Your data is shielded in a secure digital fortress, built to protect you from data leaks and prioritize your security.  

  • Continuous threat monitoring

Our continuous monitoring system picks up on threats you can’t see, so you don’t get blindsided by operational failures. And you can see how it works: The LastPass Compliance Center gives you complete visibility into how LastPass monitors its systems. 

What this means for you: You gain peace of mind knowing that any attempt to probe or attack your vault is caught rapidly. No surprises or hidden threats lingering unnoticed. 

  • Secure vault with encrypted URLs

Imagine every link you click and every website you visit protected with military-grade encryption. Your LastPass vault doesn’t just store your most sensitive info, it securely encrypts URLs, too.  

What this means for you: Your online activities stay private and protected. With URL encryption, attackers can’t tell which of your login credentials belong to your email, banking, or social media accounts (even if they somehow manage to access your vault). 

  • Convenient and secure access controls

With LastPass, you get powerful access controls like SSO, FIDO2 MFA, and federated logins. These controls keep intruders out of your life (at home or work), without slowing you down or complicating your day. 

What this means for you: With options like passkeys and hardware security keys, you get frictionless logins whenever you need it. And that’s not all: You also get a layered defense against unauthorized access, if your system is compromised.  

  • Transparent and effective threat response

If a security event occurs, you won’t be in the dark. With our threat response process, you can communicate directly with our security team – real experts who walk you through what happened, what’s being done, and what it means for your data.  

What this means for you: You stay in the loop from the very first sign of trouble. So, you get clarity instead of confusion and facts instead of speculation. With LastPass, we work hard to maintain trust every step of the way, because you deserve nothing less. 

If you’re ready to enjoy greater peace of mind, get your free trial of LastPass today. 

Account types (type, who it’s for, free trial available?):

Premium
  Who it’s for: Personal use across devices
  Free trial? Yes

Families
  Who it’s for: Parents, kids, roommates, friends, and whoever else you call family (6 Premium accounts)
  Free trial? Yes

Teams
  Who it’s for: Your small business or startup
  Free trial? Yes

Business
  Who it’s for: Small or medium-sized businesses
  Free trial? Yes

Business Max
  Who it’s for: Advanced protection and secure access for any business
  Free trial? Yes

Last Pass is a great password manager tool for a busy IT department or any department as a matter of fact. Have passwords all over the place? Have passwords on an unsecure spreadsheet? Look no further. The nice part about Last Pass is it keeps track and updates the passwords as you go. I could not do my job without it. We also use secure notes and credit card storage for our corporate credit cards (Jennifer G, verified G2 user).

FAQs 

How do you know if you have a rootkit virus? 

The most common signs of a rootkit virus are: 

  • Frequent crashes or Blue Screens of Death 
  • Unexplained changes in Windows settings 
  • Lagging device performance 
  • Web pages not loading 
  • Unusual browser behavior 
  • Antivirus or antimalware disabled without any action on your part 

How does a rootkit hide itself? 

Rootkits hide themselves by embedding in your system. Some lurk in the operating system (OS) kernel or load before the OS (with the bootloader). 

Meanwhile, others hide in your RAM and disappear when you reboot. 

The most challenging to detect are BIOS rootkits that infect your device’s firmware. 

This kind of rootkit is extremely difficult to remove because it can persist even after wiping your hard drive or reinstalling your OS. 

Does resetting a PC remove a rootkit? 

A basic reset of your OS may remove many common types of malware but not necessarily rootkits. 

For example, if the rootkit is embedded in the BIOS or firmware (the software that runs before the OS starts), resetting won’t remove it. 

For full removal, consider a clean OS reinstall from external clean media and the use of dedicated rootkit removal tools like Malwarebytes, Avast One, or Sophos Rootkit and Bootkit Detection & Removal. 

Can Windows Defender remove rootkits? 

Windows Defender Offline can detect and remove some types of rootkits.  

But rootkits residing in firmware may require more robust measures, such as flashing your BIOS with a cryptographically signed image from your motherboard manufacturer. In extreme cases, you may need to replace the motherboard entirely.  

Ultimately, it’s worth noting that firmware infections are highly sophisticated. Consulting a security or repair professional may be the safest approach if you’re unsure about your options. 

Does flashing the BIOS remove a rootkit? 

The answer is, sometimes. 

If your device was infected by a firmware rootkit, re-flashing all BIOS firmware using firmware cryptographically signed by the motherboard manufacturer can help. 

However, success isn’t 100% guaranteed. 

Here's why: If other parts of the firmware beyond the BIOS were compromised, a BIOS reflash may not remove all infection vectors. In such a scenario, a complete replacement of the hardware (such as the BIOS chip or even entire motherboard) may be necessary. 

Always consult a professional if you’re unsure of the way forward.  
