
S0135: HIDEDRV

HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware. [1] [2]

Enterprise | S0135 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

HIDEDRV matters because it is described by ATT&CK as a Windows rootkit used to execute and hide Downdelph malware. For leaders, the key issue is not volume of activity but defensive confidence: rootkits are designed to make normal endpoint views untrustworthy, so incident response may need deeper endpoint, memory, and driver-level validation before deciding a system is clean.

Executive priority

Treat HIDEDRV as a readiness test for high-assurance Windows endpoint response. Security leaders should ask whether the SOC and IR teams can identify suspicious driver/rootkit behavior, validate DLL injection activity, and preserve evidence when endpoint tools may be blinded or manipulated. This supports resilience decisions around managed detection coverage, IR retainers, forensic tooling, privileged endpoint controls, and audit evidence for malware response capability.

Technical view

ATT&CK lists HIDEDRV as Windows malware associated with APT28 and as using Rootkit (T1014) and Dynamic-link Library Injection (T1055.001). Because no official detection guidance is provided, teams should validate coverage around rootkit-style hiding of files, services, drivers, processes, and connections, plus DLL injection into live Windows processes. IR procedures should include cross-checking normal endpoint telemetry against lower-level forensic evidence where feasible, because rootkit behavior can reduce trust in standard OS-reported views.

Likely telemetry

  • Windows driver and service load events, including unusual or unsigned kernel driver activity where available
  • Endpoint detection telemetry for process injection and suspicious DLL loads
  • Process, module, handle, and memory inspection data from EDR or forensic tools
  • File system and registry evidence related to drivers, services, and malware components
  • Cross-view forensic evidence comparing OS-reported processes/files/connections with raw disk, memory, or trusted collection methods

Detection direction

  • Validate that Windows endpoint telemetry includes driver/service creation and load visibility, not only user-mode process events.
  • Tune detections for DLL injection patterns while accounting for legitimate software that injects DLLs, such as security, accessibility, or management tools.
  • For rootkit-related investigations, avoid relying on a single endpoint data source; compare EDR, native Windows logs, memory analysis, and offline forensic collection where possible.
  • Use the relationship context to prioritize sightings that combine rootkit behavior with DLL injection or evidence of hidden malware components, while avoiding attribution claims based on technique use alone.
  • Because ATT&CK provides no official detection text for HIDEDRV, document local detection assumptions and test them in a controlled environment before using them as compliance or coverage evidence.
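An added illustration of the cross-view and injection-tuning points above; this is example code written for this page, not Glexia's or MITRE's tooling. It assumes two constructed process views (one as reported by the OS API, one recovered from a memory image), constructed Sysmon-style injection events, and a hypothetical allowlist of legitimate injectors.

```python
"""Cross-view process check plus DLL-injection triage for a suspected rootkit case.

All data below is constructed for illustration; the field names are a Sysmon-like
shape, not the output of any specific product.
"""

# Constructed: the same host seen through the OS API and through a memory image.
# A rootkit that hides artefacts shows up as an entry present only in the lower-level view.
OS_VIEW = {4: "System", 620: "services.exe", 1840: "explorer.exe", 2212: "svchost.exe"}
MEMORY_VIEW = {4: "System", 620: "services.exe", 1840: "explorer.exe",
               2212: "svchost.exe", 3104: "hidden_svc.exe"}

# Constructed: injection events (source image -> target image, with signer status).
INJECTION_EVENTS = [
    {"source": r"C:\Program Files\AV\avhook.exe", "signed": True, "target": "explorer.exe"},
    {"source": r"C:\Users\Public\upd.exe", "signed": False, "target": "explorer.exe"},
    {"source": r"C:\Windows\System32\svchost.exe", "signed": True, "target": "svchost.exe"},
]

# Hypothetical allowlist of software known to inject legitimately (security, accessibility,
# management tools); maintained locally, as the "tune detections" bullet recommends.
KNOWN_INJECTORS = {r"C:\Program Files\AV\avhook.exe"}


def cross_view_hidden(os_view, low_level_view):
    """Return processes visible only in the lower-level view (candidate hidden processes)."""
    return {pid: name for pid, name in low_level_view.items() if pid not in os_view}


def suspicious_injections(events, allowlist, targets=("explorer.exe",)):
    """Flag injection into high-value targets by unsigned or non-allowlisted sources.

    explorer.exe is the default target because the ATT&CK relationship text for
    HIDEDRV names it as the process receiving the Downdelph DLL.
    """
    return [e for e in events
            if e["target"].lower() in targets
            and (not e["signed"] or e["source"] not in allowlist)]


def triage(os_view, low_level_view, events, allowlist):
    """Combine both signals: a hidden process together with a suspicious injection is prioritised."""
    hidden = cross_view_hidden(os_view, low_level_view)
    injections = suspicious_injections(events, allowlist)
    priority = "high" if hidden and injections else "medium" if hidden or injections else "low"
    return {"hidden": hidden, "injections": injections, "priority": priority}


if __name__ == "__main__":
    print(triage(OS_VIEW, MEMORY_VIEW, INJECTION_EVENTS, KNOWN_INJECTORS))
```

The priority rule is deliberately simple; the point is that neither signal alone is treated as proof, matching the bullet on prioritising sightings that combine rootkit behaviour with injection evidence.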

Mitigation priorities

  • Prioritize hardening and monitoring of Windows systems where kernel-level or driver-level abuse would create high business impact.
  • Enforce least privilege and administrative control over who can install drivers, services, and endpoint software.
  • Maintain trusted endpoint protection, logging, and forensic collection capabilities that can support investigation when normal OS views are suspect.
  • Prepare IR playbooks for suspected rootkit cases, including isolation, evidence preservation, memory capture where appropriate, and rebuild criteria.
  • Use threat intelligence context conservatively: HIDEDRV’s ATT&CK relationship to APT28 helps prioritize review, but local evidence should drive incident classification and response decisions.

Analyst notes and limits

The ATT&CK object is sparse: it identifies HIDEDRV as a Windows rootkit used by APT28, deployed with Downdelph to execute and hide that malware, and maps it to Rootkit and DLL Injection techniques. The business value is in validating whether the organization can detect and investigate stealthy endpoint compromise when standard visibility may be unreliable.

No official ATT&CK detection text, aliases, labels, or HIDEDRV-specific telemetry are supplied. The object does not specify tactics directly. Recommendations are therefore framed from the supplied platform, description, external references, and relationships to T1014 and T1055.001; local environment testing is required to confirm coverage.

Official MITRE ATT&CK definition

HIDEDRV

HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware. [1] [2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1014 | Rootkit
HIDEDRV is a rootkit that hides certain operating system artifacts. (Citation: ESET Sednit Part 3)

Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique)
HIDEDRV injects a DLL for Downdelph into the explorer.exe process. (Citation: ESET Sednit Part 3)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 460cc8cfcb092087...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 460cc8cfcb09…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ESET Sednit Part 3
     ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  2. [2] Sekoia HideDRV Oct 2016
     Rascagnères, P. (2016, October 27). Rootkit analysis: Use case on HideDRV. Retrieved November 17, 2024.
  3. [3] mitre-attack S0135

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.