T1014 Rootkit

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying the operating system API calls that supply system information. [3]

Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level of the operating system or lower, including a hypervisor or system firmware. [4] Rootkits have been seen for Windows, Linux, and Mac OS X systems. [1] [2]

Rootkits that reside in or modify boot sectors are known as bootkits and specifically target the boot process of the operating system.

ID: T1014
Sub-techniques: (none)
Tactics: TA0005
Platforms: Linux, Windows, macOS
Version: 1.3
Created: 31 May 2017
Last Modified: 24 October 2025

Procedure Examples

ID Name - Description
G0007 APT28 - APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax. [37] [25]
G0096 APT41 - APT41 deployed rootkits on Linux systems. [33] [32]
C0046 ArcaneDoor - ArcaneDoor included hooking the processHostScanReply() function on victim Cisco ASA devices. [19]
S0484 Carberp - Carberp has used user-mode rootkit techniques to remain hidden on the system. [8]
S0572 Caterpillar WebShell - Caterpillar WebShell has a module to use a rootkit on a system. [29]
S1105 COATHANGER - COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices. [15]
S0502 Drovorub - Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view. [10]
S0377 Ebury - Ebury acts as a userland rootkit using the SSH service. [7] [6]
S0047 Hacking Team UEFI Rootkit - Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems. [16]
S0394 HiddenWasp - HiddenWasp uses a rootkit to hook and implement functions on the system. [17]
S0135 HIDEDRV - HIDEDRV is a rootkit that hides certain operating system artifacts. [11]
S0009 Hikit - Hikit is a rootkit that has been used by Axiom. [20] [21]
S0601 Hildegard - Hildegard has modified /etc/ld.so.preload to overwrite readdir() and readdir64(). [18]
S0040 HTRAN - HTRAN can install a rootkit to hide network connections from the host OS. [5]
S1186 Line Dancer - Line Dancer can hook both the crash dump process and the Authentication, Authorization, and Accounting (AAA) functions on compromised machines to evade forensic analysis and authentication mechanisms. [19]
S0397 LoJax - LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems. [25]
S1220 MEDUSA - MEDUSA is a rootkit with command execution and credential logging capabilities. [22]
S0012 PoisonIvy - PoisonIvy starts a rootkit from a malicious file dropped to disk. [30]
S0458 Ramsay - Ramsay has included a rootkit to evade defenses. [9]
C0056 RedPenguin - During RedPenguin, UNC3886 used rootkits such as REPTILE and MEDUSA. [38]
S1219 REPTILE - REPTILE has the ability to hook kernel functions and modify function data to achieve rootkit functionality such as hiding processes and network connections. [22]
G0106 Rocke - Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. [34]
S0468 Skidmap - Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics, making the CPU load of the infected machine always appear low. [12]
S0603 Stuxnet - Stuxnet uses a Windows rootkit to mask its binaries and other relevant files. [14]
G0139 TeamTNT - TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine. [36] [35]
S0221 Umbreon - Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access, and undermining strace, a tool often used to identify malware. [13]
G1048 UNC3886 - UNC3886 has used the publicly available rootkits REPTILE and MEDUSA on targeted VMs. [22]
S0022 Uroburos - Uroburos can use its kernel module to prevent its host components from being listed by the targeted system’s OS and to mediate requests between user mode and concealed components. [27] [26]
S0670 WarzoneRAT - WarzoneRAT can include a rootkit to hide processes, files, and startup items. [28]
S0430 Winnti for Linux - Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware’s operations and network activity. [23]
G0044 Winnti Group - Winnti Group used a rootkit to modify typical server functionality. [31]
S0027 Zeroaccess - Zeroaccess is a kernel-mode rootkit. [24]
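The technique description and the Hildegard, Rocke, Umbreon and Winnti for Linux entries all describe the same userland pattern: a shared object loaded through /etc/ld.so.preload hooks libc functions such as readdir()/readdir64() so that tools built on libc never see certain entries. The following is an added detection example, not code from the ATT&CK page or from any of the reports it cites. It does two defender-side checks: it parses ld.so.preload content and flags any library not on an allowlist, and it enumerates a directory twice, once through libc (os.listdir, which CPython implements with opendir/readdir) and once straight from the kernel with the getdents64 system call, which a libc-level hook cannot filter. The raw-syscall part assumes Linux on x86_64 or aarch64; the sample preload content and the library path inside it are constructed for the example.

```python
"""Userland rootkit checks: inspect ld.so.preload and compare a libc directory
listing against a raw getdents64 listing. Added example; assumes Linux on
x86_64 or aarch64 for the syscall part."""
import ctypes
import os
import platform
import struct
import sys
from typing import Dict, FrozenSet, List, Set

# getdents64 syscall numbers for the two common Linux architectures.
GETDENTS64_NR: Dict[str, int] = {"x86_64": 217, "aarch64": 61}

# Header of struct linux_dirent64: d_ino (u64), d_off (s64), d_reclen (u16), d_type (u8).
# The NUL-terminated d_name follows immediately; d_reclen covers the whole record.
_DIRENT64_HDR = struct.Struct("<QqHB")

# Constructed sample of what a tampered /etc/ld.so.preload might contain.
# The path is invented for the example; only the file name echoes the Winnti entry above.
SAMPLE_PRELOAD = "# constructed sample\n/tmp/example/libxselinux.so\n"


def parse_preload(text: str) -> List[str]:
    """Return the shared-object paths in ld.so.preload content.
    glibc's loader splits on whitespace (and ':') and ignores '#' comments."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def suspicious_preloads(text: str, allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """Preload entries not on the allowlist. On most hosts the file is absent or
    empty, so any entry that is not deliberately deployed deserves a look."""
    return [p for p in parse_preload(text) if p not in allowlist]


def raw_listdir(path: str) -> List[str]:
    """Enumerate a directory with getdents64 directly, bypassing libc's
    opendir/readdir so a preloaded hook on readdir() cannot filter the result."""
    nr = GETDENTS64_NR.get(platform.machine())
    if sys.platform != "linux" or nr is None:
        raise OSError("raw getdents64 listing is only implemented for Linux x86_64/aarch64")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    libc.syscall.argtypes = [ctypes.c_long, ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
    buf = ctypes.create_string_buffer(64 * 1024)
    names: List[str] = []
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        while True:
            n = libc.syscall(nr, fd, ctypes.addressof(buf), len(buf))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:  # end of directory
                break
            data = buf.raw[:n]
            off = 0
            while off < n:
                _ino, _doff, reclen, _dtype = _DIRENT64_HDR.unpack_from(data, off)
                raw_name = data[off + _DIRENT64_HDR.size : off + reclen].split(b"\0", 1)[0]
                name = os.fsdecode(raw_name)
                if name not in (".", ".."):
                    names.append(name)
                off += reclen
    finally:
        os.close(fd)
    return names


def hidden_entries(path: str) -> Set[str]:
    """Names the kernel reports for `path` that the libc-based os.listdir() omits.
    A non-empty result means something between the syscall and libc filtered the view."""
    return set(raw_listdir(path)) - set(os.listdir(path))


if __name__ == "__main__":
    preload_path = "/etc/ld.so.preload"
    if os.path.exists(preload_path):
        with open(preload_path, encoding="utf-8", errors="replace") as fh:
            print("preload entries:", suspicious_preloads(fh.read()))
    else:
        print("no", preload_path, "- sample parse:", suspicious_preloads(SAMPLE_PRELOAD))
    for d in ("/tmp", "/etc"):
        try:
            print(d, "hidden from libc:", sorted(hidden_entries(d)))
        except OSError as exc:
            print(d, "skipped:", exc)
```

Run it as root on a host you suspect; a clean system prints an empty preload list and no hidden entries. The same libc-versus-syscall comparison extends to process listings (walking /proc via getdents64 against `ps`) and is the reason kernel-mode rootkits such as Drovorub or Diamorphine, which hook below the syscall boundary, are not caught by this check and need memory or integrity-based detection instead.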

References


  1. Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. 

  2. Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven’t known yet. Retrieved December 21, 2017. 

  3. Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017. 

  4. Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016. 

  5. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. 

  6. Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024. 

  7. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021. 

  8. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. 

  9. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  10. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 

  11. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. 

  12. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  13. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018. 

  14. Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved November 17, 2024. 

  15. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024. 

  16. Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015. 

  17. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. 

  18. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  19. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025. 

  20. Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved November 17, 2024. 

  21. Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved November 17, 2024. 

  22. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024. 

  23. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. 

  24. Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016. 

  25. ESET. (2018, September). LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019. 

  26. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. 

  27. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  28. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  29. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 

  30. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 

  31. Kaspersky Lab’s Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. 

  32. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  33. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019. 

  34. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. 

  35. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  36. Fiser, D., Oliveira, A. (n.d.). Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. 

  37. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. 

  38. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025.