Rootkit

A rootkit is a type of malware that gives an adversary deep, privileged control over a device's operating system while actively hiding its presence from users and anti-malware tools, letting the attacker monitor traffic, modify files, and issue commands undetected.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is a rootkit?

A rootkit is malware built for two jobs: get deep control of a system, then stay invisible. The name comes from "root," the highest privilege level on a system, so a rootkit operates at that top tier where it can do almost anything. Once installed, it lets an adversary monitor network traffic, modify files, turn services on or off, and run their own commands (EK 4.1.B, EK 4.1.C.1).

What sets a rootkit apart from other malware is concealment. It actively hides itself, and often hides other malware, from the user and from antivirus software. That means a device can be fully compromised while looking perfectly normal. The deeper a rootkit embeds (some target the operating system, others reach down toward firmware like the BIOS or UEFI), the harder it is to detect and remove. This is exactly the kind of risk the CED describes: an adversary who can remotely control a device, impersonate an authorized user, or destroy data (EK 4.1.D.1).

Why rootkits matter in AP Cybersecurity

Rootkits live in Unit 4: Securing Devices, specifically Topic 4.1 Device Vulnerabilities and Attacks. They support EK 4.1.B.2, where you identify the type of malware used in an attack, and EK 4.1.C.1, where adversaries exploit vulnerabilities to take control of a device and issue their own commands. The big idea a rootkit illustrates is the gap between "compromised" and "detectable." A device can be totally owned by an attacker while antivirus reports nothing wrong, which is why rootkits map directly onto risk assessment in EK 4.1.D, where you weigh how much damage hidden, privileged access can cause to critical systems and sensitive data.


How rootkits connect across the course

RAT and Command and Control (Unit 4)

A rootkit and a remote access trojan often work as a team. The RAT gives the attacker a remote door into the device, and the rootkit hides that door (and the traffic going back to the C2 server) so nobody notices the device is being controlled from outside.

Anti-malware (Unit 4)

Rootkits are basically anti-malware's worst nightmare. They're designed specifically to fool antivirus by hiding their files and processes, so a clean scan doesn't always mean a clean device. That's why detecting rootkits often needs deeper tools than a normal signature scan.

BIOS and UEFI firmware (Unit 4)

The scariest rootkits burrow below the operating system into firmware like the BIOS or UEFI. At that level they can survive a full OS reinstall, because wiping the hard drive doesn't touch the chip the rootkit hides in.

Fileless malware (Unit 4)

Both rootkits and fileless malware are about staying hidden, but they hide differently. A rootkit conceals files and processes that exist; fileless malware avoids writing files to disk at all and lives in RAM, so antivirus has nothing on the drive to find.

Are rootkits on the AP Cybersecurity exam?

Expect rootkits in multiple-choice "which type of malware" questions, where the stem hands you the giveaway clues. If an attacker has gained deep control over the operating system and can monitor network traffic, modify files, and hide their presence from antivirus, that's a rootkit. The two signal phrases to lock onto are deep/privileged control plus hiding from detection. Your job is to match the behavior described to the correct malware type, so don't confuse it with malware that just steals one thing (keylogger) or just spreads (worm). No released FRQ uses "rootkit" verbatim, but it fits free-response prompts that ask you to assess risk from device vulnerabilities or recommend defenses, since a rootkit is a prime example of high-impact, hard-to-detect compromise (EK 4.1.D).

Rootkit vs fileless malware

Both are stealthy, which is why they get mixed up, but the trick they use is different. A rootkit gets deep, privileged (root-level) control and actively hides its files and processes from antivirus. Fileless malware hides by not leaving files on the hard drive at all, running in RAM and abusing legitimate system utilities. On the exam, "hides its presence and controls the OS" points to rootkit; "no files on the drive, runs in memory" points to fileless.

Key things to remember about rootkits

  • A rootkit is malware that gives an adversary deep, root-level control of a device while hiding its presence from users and antivirus.

  • The two exam giveaways for a rootkit are privileged control over the operating system and active concealment from anti-malware.

  • Rootkits often hide other malware too, like a RAT or its command and control traffic, so the device looks clean while it's fully owned.

  • Firmware-level rootkits (BIOS or UEFI) can survive an operating system reinstall, making them extremely hard to remove.

  • Rootkits illustrate high risk in EK 4.1.D because a device can be completely compromised while appearing totally normal.

Frequently asked questions about rootkits

What is a rootkit in AP Cybersecurity?

A rootkit is a type of malware that gives an attacker deep, privileged control of a device and hides itself from the user and from antivirus software. It shows up in Unit 4, Topic 4.1, when you identify malware types and assess device vulnerability risk.

Does antivirus always detect a rootkit?

No. Rootkits are specifically designed to hide their files and processes from anti-malware, so a normal scan can come back clean even on a fully compromised device. Deeper detection tools or behavioral analysis are often needed.
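The "deeper tools" idea in this answer and in the Anti-malware section above can be made concrete. The example below is added here and is not code from the Fiveable page; it shows the classic cross-view technique that rootkit scanners use to catch a hidden process on Linux. It assumes a Linux-style /proc filesystem (the `/proc` path, `pid_max`, and the sample pids are assumptions or constructed values). One view is the directory listing of /proc, which is what `ps` relies on and what a rootkit hook typically filters; the second view asks about every possible pid directly with `stat()`, which a listing hook cannot intercept. A pid that answers the probe but is missing from the listing is a hidden-process candidate, and the scan re-checks candidates so that processes starting or exiting mid-scan are not reported as rootkits.

```python
# Added example (not from the Fiveable page): cross-view detection of hidden processes.
# A rootkit that hooks process enumeration (e.g. filtering readdir() results for /proc)
# can make a process vanish from `ps` and from a naive directory listing. Comparing two
# independent views of "which processes exist" still exposes it.
import os
from typing import Iterable, List, Optional, Set


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> List[int]:
    """Pure comparison: pids that answered a direct probe but are missing from the listing.

    `listed` is what readdir() of /proc reported; `probed` is what per-pid stat() found.
    Anything in the second view but not the first is hidden from the listing.
    """
    return sorted(set(probed) - set(listed))


def list_proc_pids(proc_root: str = "/proc") -> Set[int]:
    """View 1: pids visible through readdir() of /proc (what `ls /proc` and `ps` use)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def read_pid_max(proc_root: str = "/proc", default: int = 32768) -> int:
    """Upper bound for the brute-force probe; falls back to the classic default."""
    try:
        with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def _pid_exists(proc_root: str, pid: int) -> bool:
    """Ask about one pid directly with stat(), never via a directory listing."""
    try:
        os.stat(os.path.join(proc_root, str(pid)))
        return True
    except FileNotFoundError:
        return False
    except OSError:
        # Exists but could not be inspected (permissions, races): count it as present.
        return True


def probe_proc_pids(proc_root: str = "/proc", max_pid: Optional[int] = None) -> Set[int]:
    """View 2: every pid in 1..pid_max that answers a direct stat() probe."""
    limit = max_pid if max_pid is not None else read_pid_max(proc_root)
    return {pid for pid in range(1, limit + 1) if _pid_exists(proc_root, pid)}


def scan(proc_root: str = "/proc", confirm_rounds: int = 2) -> List[int]:
    """Run both views and return confirmed hidden-pid candidates.

    Processes start and exit while we scan, so a pid can legitimately show up in one
    view and not the other. A candidate is reported only if it survives `confirm_rounds`
    re-checks: still present to stat(), still absent from a fresh listing.
    """
    candidates = hidden_pids(list_proc_pids(proc_root), probe_proc_pids(proc_root))
    for _ in range(confirm_rounds):
        fresh_listing = list_proc_pids(proc_root)
        candidates = [
            pid for pid in candidates
            if pid not in fresh_listing and _pid_exists(proc_root, pid)
        ]
    return candidates


if __name__ == "__main__":
    # Constructed sample views (not from a real host) showing what a hit looks like:
    # the listing omits pid 4242, but the direct probe finds it.
    listing = {1, 2, 300, 412}
    probe = {1, 2, 300, 412, 4242}
    print("constructed views ->", hidden_pids(listing, probe))   # [4242]
    if os.path.isdir("/proc"):
        print("live /proc cross-view ->", scan())               # [] on a clean Linux host
```

On a clean Linux host `scan()` returns an empty list; the constructed views show the shape of a hit. The probe walks every pid up to `pid_max`, which on modern kernels can be in the millions, so the live scan takes a few seconds. The caveat matches the page's point about depth: a user-mode rootkit that filters directory listings is caught this way, but a kernel-mode rootkit that hooks the filesystem layer itself can lie to both views, and a firmware-level one sits below the kernel entirely. That is why detection of the deeper variants needs out-of-band tools (offline disk inspection, memory forensics, firmware integrity checks) rather than any scanner that trusts the running OS.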

How is a rootkit different from fileless malware?

A rootkit hides by getting root-level control and concealing its files and processes, while fileless malware hides by running in RAM and leaving no files on the hard drive. On a multiple-choice question, "hides presence and controls the OS" means rootkit; "no files, runs in memory" means fileless malware.

Is a rootkit the same as a RAT?

No, but they often work together. A RAT (remote access trojan) gives the attacker remote control of the device, and a rootkit hides that activity, including the connection back to the command and control server, so the intrusion stays undetected.

Why is a firmware rootkit so dangerous?

A rootkit that embeds in firmware like the BIOS or UEFI lives below the operating system, so reinstalling the OS or wiping the drive won't remove it. That persistence is what makes it a high-risk threat under EK 4.1.D.


Rootkit — AP Cybersecurity Definition & Exam Guide | Fiveable