Memory rootkit

Memory rootkit definition

A memory rootkit is malicious software that operates at the kernel or system level within a computer's memory, allowing it to hide itself and persistently control the compromised system. Unlike traditional rootkits, which primarily target the file system, memory rootkits manipulate the operating system's memory space, which makes them highly stealthy and difficult to detect.

A memory rootkit can intercept and modify system calls, manipulate data structures, and hide malicious activities, so attackers often use them for long-term access and control over compromised systems.

See also: root access, malicious code, BIOS rootkit

How does a memory rootkit work?

  • Injection. By exploiting vulnerabilities in the system, attackers inject the rootkit's code into a running process or load a malicious driver into the kernel.
  • Concealment. The rootkit uses various techniques to hide its presence and activities, such as manipulating virtual memory, kernel modules, and drivers.
  • Persistence. To maintain its presence on the compromised system across reboots and system updates, the rootkit modifies critical boot components, such as the Master Boot Record (MBR), the BIOS, or other system components.
  • Privilege escalation. Rootkits often attempt to escalate their privileges to gain higher levels of access within the system and better control over the execution of malicious actions.
  • Remote control. They are known for establishing command-and-control (C&C) infrastructure to communicate with external entities, such as the attacker's server.
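The concealment step above, hiding a process by tampering with kernel data structures or the calls that enumerate them, is commonly countered by cross-view detection: two independent views of the process list are compared and any disagreement is flagged. The script below is an added, defender-side illustration written for this entry, not code from the original page; it assumes Linux and the sample values in its checks are constructed.

```python
"""Cross-view detection of hidden processes on Linux (illustrative, defender-side).
Two independent answers to "which PIDs exist?" should agree; a rootkit that hides a task breaks that."""
import os

def pids_from_proc(proc_root="/proc"):
    """High-level view: every PID and thread ID listed under /proc. Thread IDs are
    included because kill(2) accepts them too; without this, every non-leader
    thread would look like a hidden process."""
    seen = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:
            seen.update(int(t) for t in os.listdir(f"{proc_root}/{name}/task"))
        except (FileNotFoundError, PermissionError):
            pass  # process exited mid-scan or is not readable
    return seen

def pids_from_signal_probe(max_pid=None):
    """Low-level view: os.kill(pid, 0) asks the kernel whether a PID exists without
    delivering a signal; EPERM (PermissionError) still means it exists."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768  # historical default, fallback only
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def cross_view_diff(high_level, low_level):
    """PIDs the kernel confirms exist but the /proc listing never showed."""
    return sorted(set(low_level) - set(high_level))

def confirmed_hidden(diffs):
    """Keep only PIDs flagged in every run, dropping processes that merely exited between snapshots."""
    return sorted(set.intersection(*map(set, diffs))) if diffs else []

if __name__ == "__main__":
    runs = [cross_view_diff(pids_from_proc(), pids_from_signal_probe()) for _ in range(3)]
    print("persistently hidden PIDs:", confirmed_hidden(runs))
```

A hit is a lead, not a verdict: a rootkit that hooks kill(2) as well as /proc enumeration defeats both views at once, which is why production tools add further views (scheduler data, network sockets, memory forensics of the kernel image).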