Trojan:Win32/Rovnix is a highly sophisticated bootkit and trojan downloader designed to infect the Master Boot Record (MBR) or Volume Boot Record (VBR) to achieve deep, undetectable persistence.
What is Rovnix?
For general users, Rovnix is invisible. For incident responders and forensic analysts, Rovnix represents one of the most difficult classes of malware to eradicate. By infecting the boot sector, Rovnix executes before the Windows operating system even loads. This allows it to patch the Windows kernel in memory, subvert all local security software, and load its malicious drivers completely undetected by standard anti-virus scanners.
Infection Vectors & Threat Hunting
Rovnix is typically distributed by other malware downloaders, exploit kits, or spearphishing campaigns. Upon execution, the installer drops a malicious driver (often highly obfuscated) that overwrites the VBR. Upon the next reboot, the bootkit loads into memory, hooks the INT 13h disk interrupt, and intercepts the OS loading process. Threat hunters cannot rely on file-level scanning to find Rovnix. Instead, they must hunt for anomalous outbound network connections to DGA domains (used to download secondary payloads like Carberp) or use specialized forensic tools to analyze the raw disk sectors.
Forensic Analysis & Impact
The primary impact of Rovnix is its ability to securely download and execute arbitrary secondary payloads while remaining completely hidden. Because it operates at Ring 0 (kernel level), it can intercept file system requests to hide its own components. Incident responders must perform offline forensic imaging (booting from a clean USB) to safely analyze the compromised MBR/VBR and extract the malicious driver payload for reverse engineering.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_ROVNIX {
meta:
description = "Detects Rovnix (bootkit)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "rovnix" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Rovnix Activity
id: 07fb94dc4ebedca867aec3d4cc94be22
status: experimental
description: Detects generic indicators of the rovnix malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*rovnix*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/rovnix.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.