---
title: "Rootkit — AP Cybersecurity Definition & Exam Guide"
description: "A rootkit is malware that gives an adversary deep, hidden control of a device and conceals itself from antivirus. Learn how it's tested in AP Cybersecurity Unit 4."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/rootkit"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 4"
---

# Rootkit — AP Cybersecurity Definition & Exam Guide

## Definition

A rootkit is a type of malware that gives an adversary deep, privileged control over a device's operating system while actively hiding its presence from users and anti-malware tools, letting the attacker monitor traffic, modify files, and issue commands undetected.

## What It Is

A rootkit is [malware](/ap-cybersecurity/key-terms/malware "fv-autolink") built for two jobs: get deep [control](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") of a system, then stay invisible. The name comes from "root," the highest privilege level on a system, so a rootkit operates at that top tier where it can do almost anything. Once installed, it lets an adversary monitor network traffic, modify files, turn services on or off, and run their own commands (EK 4.1.B, EK 4.1.C.1).

What sets a rootkit apart from other malware is concealment. It actively hides itself, and often hides other malware, from the user and from antivirus software. That means a device can be fully compromised while looking perfectly normal. The deeper a rootkit embeds (some target the [operating system](/ap-cybersecurity/unit-4/protecting-devices/study-guide/n86HF5aR65a2DLQwNHDn "fv-autolink"), others reach down toward firmware like the BIOS or UEFI), the harder it is to detect and remove. This is exactly the kind of risk the CED describes: an adversary who can remotely control a device, impersonate an authorized user, or destroy data (EK 4.1.D.1).

## Why It Matters

Rootkits live in [Unit 4](/ap-cybersecurity/unit-4 "fv-autolink"): Securing Devices, specifically Topic 4.1 Device Vulnerabilities and Attacks. They support EK 4.1.B.2, where you identify the type of malware used in an attack, and EK 4.1.C.1, where adversaries exploit [vulnerabilities](/ap-cybersecurity/key-terms/vulnerability "fv-autolink") to take control of a device and issue their own commands. The big idea a rootkit illustrates is the gap between "compromised" and "detectable." A device can be totally owned by an attacker while antivirus reports nothing wrong, which is why rootkits map directly onto risk assessment in EK 4.1.D, where you weigh how much damage hidden, privileged access can cause to critical systems and sensitive data.

## Connections

### RAT and Command and Control (Unit 4)

A rootkit and a [remote access trojan](/ap-cybersecurity/key-terms/remote-access-trojan "fv-autolink") often work as a team. The RAT gives the attacker a remote door into the device, and the rootkit hides that door (and the traffic going back to the C2 server) so nobody notices the device is being controlled from outside.

### [Anti-malware (Unit 4)](/ap-cybersecurity/key-terms/anti-malware)

Rootkits are basically [anti-malware](/ap-cybersecurity/key-terms/anti-malware "fv-autolink")'s worst nightmare. They're designed specifically to fool antivirus by hiding their files and processes, so a clean scan doesn't always mean a clean device. That's why detecting rootkits often needs deeper tools than a normal signature scan.

### BIOS and UEFI firmware (Unit 4)

The scariest rootkits burrow below the operating system into firmware like the [BIOS](/ap-cybersecurity/key-terms/bios "fv-autolink") or UEFI. At that level they can survive a full OS reinstall, because wiping the hard drive doesn't touch the chip the rootkit hides in.

### [Fileless malware (Unit 4)](/ap-cybersecurity/key-terms/fileless-malware)

Both rootkits and fileless malware are about staying hidden, but they hide differently. A rootkit conceals files and processes that exist; fileless malware avoids writing files to disk at all and lives in RAM, so antivirus has nothing on the drive to find.

## On the AP Exam

Expect rootkits in multiple-choice "which type of malware" questions, where the stem hands you the giveaway clues. If an attacker has gained deep control over the operating system and can monitor network traffic, modify files, and hide their presence from antivirus, that's a rootkit. The two signal phrases to lock onto are deep/privileged control plus hiding from detection. Your job is to match the behavior described to the correct malware type, so don't confuse it with malware that just steals one thing (keylogger) or just spreads (worm). No released FRQ uses "rootkit" verbatim, but it fits free-response prompts that ask you to assess risk from device vulnerabilities or recommend defenses, since a rootkit is a prime example of high-impact, hard-to-detect compromise (EK 4.1.D).

## rootkit vs fileless malware

Both are stealthy, which is why they get mixed up, but the trick they use is different. A rootkit gets deep, privileged (root-level) control and actively hides its files and processes from antivirus. Fileless malware hides by not leaving files on the hard drive at all, running in RAM and abusing legitimate system utilities. On the exam, "hides its presence and controls the OS" points to rootkit; "no files on the drive, runs in memory" points to fileless.

## Key Takeaways

- A rootkit is malware that gives an adversary deep, root-level control of a device while hiding its presence from users and antivirus.
- The two exam giveaways for a rootkit are privileged control over the operating system and active concealment from anti-malware.
- Rootkits often hide other malware too, like a RAT or its command and control traffic, so the device looks clean while it's fully owned.
- Firmware-level rootkits (BIOS or UEFI) can survive an operating system reinstall, making them extremely hard to remove.
- Rootkits illustrate high risk in EK 4.1.D because a device can be completely compromised while appearing totally normal.

## FAQs

### What is a rootkit in AP Cybersecurity?

A rootkit is a type of malware that gives an attacker deep, privileged control of a device and hides itself from the user and from antivirus software. It shows up in Unit 4, Topic 4.1, when you identify malware types and assess device vulnerability risk.

### Does antivirus always detect a rootkit?

No. Rootkits are specifically designed to hide their files and processes from anti-malware, so a normal scan can come back clean even on a fully compromised device. Deeper detection tools or behavioral analysis are often needed.

### How is a rootkit different from fileless malware?

A rootkit hides by getting root-level control and concealing its files and processes, while fileless malware hides by running in RAM and leaving no files on the hard drive. On a multiple-choice question, "hides presence and controls the OS" means rootkit; "no files, runs in memory" means fileless malware.

### Is a rootkit the same as a RAT?

No, but they often work together. A RAT (remote access trojan) gives the attacker remote control of the device, and a rootkit hides that activity, including the connection back to the command and control server, so the intrusion stays undetected.

### Why is a firmware rootkit so dangerous?

A rootkit that embeds in firmware like the BIOS or UEFI lives below the operating system, so reinstalling the OS or wiping the drive won't remove it. That persistence is what makes it a high-risk threat under EK 4.1.D.

## Related Study Guides

- [4.1 Device Vulnerabilities and Attacks](/ap-cybersecurity/unit-4/device-vulnerabilities-and-attacks/study-guide/HACz1L7MBGLXO5AANWlK)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/rootkit#resource","name":"Rootkit — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/rootkit","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/rootkit#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:31.495Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/rootkit#term","name":"rootkit","description":"A rootkit is a type of malware that gives an adversary deep, privileged control over a device's operating system while actively hiding its presence from users and anti-malware tools, letting the attacker monitor traffic, modify files, and issue commands undetected.","url":"https://fiveable.me/ap-cybersecurity/key-terms/rootkit","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.D"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is a rootkit in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"A rootkit is a type of malware that gives an attacker deep, privileged control of a device and hides itself from the user and from antivirus software. It shows up in Unit 4, Topic 4.1, when you identify malware types and assess device vulnerability risk."}},{"@type":"Question","name":"Does antivirus always detect a rootkit?","acceptedAnswer":{"@type":"Answer","text":"No. Rootkits are specifically designed to hide their files and processes from anti-malware, so a normal scan can come back clean even on a fully compromised device. Deeper detection tools or behavioral analysis are often needed."}},{"@type":"Question","name":"How is a rootkit different from fileless malware?","acceptedAnswer":{"@type":"Answer","text":"A rootkit hides by getting root-level control and concealing its files and processes, while fileless malware hides by running in RAM and leaving no files on the hard drive. On a multiple-choice question, \"hides presence and controls the OS\" means rootkit; \"no files, runs in memory\" means fileless malware."}},{"@type":"Question","name":"Is a rootkit the same as a RAT?","acceptedAnswer":{"@type":"Answer","text":"No, but they often work together. A RAT (remote access trojan) gives the attacker remote control of the device, and a rootkit hides that activity, including the connection back to the command and control server, so the intrusion stays undetected."}},{"@type":"Question","name":"Why is a firmware rootkit so dangerous?","acceptedAnswer":{"@type":"Answer","text":"A rootkit that embeds in firmware like the BIOS or UEFI lives below the operating system, so reinstalling the OS or wiping the drive won't remove it. That persistence is what makes it a high-risk threat under EK 4.1.D."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 4","item":"https://fiveable.me/ap-cybersecurity/unit-4"},{"@type":"ListItem","position":4,"name":"rootkit"}]}]}
```
