Skip to content

S0135 HIDEDRV

HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware. 1 2

Item Value
ID S0135
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection HIDEDRV injects a DLL for Downdelph into the explorer.exe process.1
enterprise T1014 Rootkit HIDEDRV is a rootkit that hides certain operating system artifacts.1

Groups That Use This Software

ID Name References
G0007 APT28 1

References

  1. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. 

  2. Rascagnères, P.. (2016, October 27). Rootkit analysis: Use case on HideDRV. Retrieved March 9, 2017.