Rootkit
Malware that gains and hides privileged access at the kernel or firmware level.
A rootkit gains privileged (kernel or firmware) access and then hides itself, the attacker’s processes, files, and network connections from the operating system — which is exactly why the OS’s own tools can’t be trusted to find it. Detection relies on offline scanning from known-good media, memory forensics, and integrity/attestation checks. The worst variants live in UEFI firmware or the boot process and survive OS reinstalls; Secure Boot and measured boot are the primary mitigations.
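The hiding described above is what live-host rootkit hunters look for with a "cross-view" check: the same fact (which processes exist) is asked of two different OS interfaces, and any disagreement is the symptom. The following is an added example, not code from the original entry; it assumes a Linux host with `/proc`, compares the `/proc` directory listing (what `ps` uses) against per-PID `kill(pid, 0)` probes, and filters out threads, which legitimately do not appear as top-level `/proc` entries. A kernel rootkit that hooks both paths consistently will pass this check, which is why the entry stresses offline scanning and attestation over any in-OS tool.

```python
import os

PROC = "/proc"  # assumed Linux procfs mount point


def list_proc_pids(proc=PROC):
    """View 1: PIDs as a userland tool sees them (readdir on /proc)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_pids(max_pid, kill=os.kill):
    """View 2: ask the kernel about each PID directly with kill(pid, 0).
    EPERM (PermissionError) still proves the process exists; ESRCH means it does not."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def proc_tgid(pid, proc=PROC):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def cross_view_diff(listed, probed, tgid_of):
    """PIDs the kernel acknowledges but the /proc listing omits.
    A thread (tgid != pid) is expected to be missing from the listing and is skipped;
    an unreadable status file is treated as suspicious rather than benign."""
    hidden = set()
    for pid in sorted(probed - listed):
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            hidden.add(pid)
    return hidden


if __name__ == "__main__":
    with open(f"{PROC}/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    suspects = cross_view_diff(list_proc_pids(), probe_pids(pid_max), proc_tgid)
    print("hidden PIDs:", sorted(suspects) or "none")
```

A non-empty result is a lead, not a verdict: it may also be a race with processes that exited between the two views, so repeat the scan before escalating to memory forensics.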