

HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware. [1][2]

ID:               S0135
Associated Names: -
Version:          1.1
Created:          31 May 2017
Last Modified:    30 March 2020

Techniques Used

Domain      ID         Name                            Use
enterprise  T1055      Process Injection               -
enterprise  T1055.001  Dynamic-link Library Injection  HIDEDRV injects a DLL for Downdelph into the explorer.exe process. [1]
enterprise  T1014      Rootkit                         HIDEDRV is a rootkit that hides certain operating system artifacts. [1]

Groups That Use This Software

ID     Name   References
G0007  APT28  [1]

