r77

Malware

⚠️ Overview

r77 is an open-source, ring-3 user‑mode rootkit first publicly released on GitHub in 2016 under the alias "bytecode77". It is not a standalone malware family but a stealth tool designed to hide processes, files, registry keys, and network connections from security software, often classified as a rootkit (MITRE ATT&CK technique T1014). The original developer has since taken the repository private, but the source code continues to circulate and is reused by various threat actors for persistence and evasion.

🔧 Technical Capabilities

r77 operates entirely in user‑mode, avoiding kernel drivers by hooking native API functions via inline hooking and direct system call redirection. It uses reflective DLL injection to load its payload into target processes without touching disk, combined with APC injection for stealthy execution. Persistence is achieved through registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks. Evasion relies on unhooking security product DLLs and hooking NtQuerySystemInformation to hide malicious processes from tools like Task Manager and Process Explorer. It also hides files by prefixing them with a configurable marker (default: "r77") and hides registry keys under HKLM\SYSTEM\CurrentControlSet\Services by hooking registry enumeration APIs. The rootkit communicates with its controller via named pipes or shared memory sections and has no fixed C2 infrastructure; it is often used as a component in larger malware frameworks.

📜 History & Notable Incidents

r77 gained attention after its release on Russian‑language forums in 2016 and was later analyzed by security vendors such as Trend Micro and CrowdStrike. No specific high‑profile cyberattacks have been directly attributed to r77 alone; instead, it has been incorporated into commodity trojans and backdoors (e.g., njRAT modifications) to enhance stealth. No CVEs are associated with r77 itself, as it exploits no unpatched vulnerabilities but rather abuses legitimate Windows APIs through hooking. Law enforcement actions have not specifically targeted r77 developers due to its open‑source nature.

🔍 Detection Indicators

File hashes vary widely because r77 is frequently recompiled, but common filenames include r77.exe, r77.dll, and hide.dll. Behavioral signatures include unexpected hooking of ntdll.dll functions (e.g., NtQuerySystemInformation, NtOpenKey) and the presence of the marker string "r77" as a file prefix. Network IOCs are rare; however, the rootkit creates a local named pipe (under \\.\pipe\) with a name ending in 77_hide or similar. Registry indicators include a hidden key under HKLM\SYSTEM\CurrentControlSet\Services whose name ends in 77 and which is invisible to standard registry editors.

☠️ Risk & Impact

r77 itself does not cause direct data exfiltration or financial loss, but by enabling malware to evade detection, it increases the dwell time and impact of secondary payloads (e.g., ransomware, info‑stealers). It has been observed in targeted attacks against financial institutions and technology firms, primarily to maintain covert persistence. According to a 2021 Trend Micro report, r77‑equipped trojans were used in credential‑theft campaigns in East Asia, though attribution remains unclear.

🛡️ Mitigation

Defenders should deploy endpoint detection and response (EDR) solutions that monitor for API hooking anomalies and use Sysmon event ID 8 (CreateRemoteThread) for process injection detection. Blocking execution of files with the "r77" prefix via Windows Defender Attack Surface Reduction (ASR) rules and regularly scanning for hidden registry keys or named pipes can reduce risk. No specific patch is applicable, as r77 uses no exploited vulnerability.
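As an added example (not code from the page or from the r77 project), the indicators listed under Detection Indicators and the Sysmon event ID 8 recommendation above are turned into detection logic run over constructed, simplified Sysmon-style key=value records. The record format, the sample paths, the pipe name r77_hide (assumed to be the marker followed by _hide) and the service key name r77svc are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Default hidden-object prefix named on the page; r77 lets operators change it,
# so keep it a parameter rather than a hard-coded signature.
MARKER = "r77"
SERVICES_KEY = "HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"

# Constructed, simplified Sysmon-style records (key=value), not real log exports.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Users\\u\\AppData\\Roaming\\r77.exe TargetImage=C:\\Windows\\explorer.exe",
    "EventID=17 Image=C:\\Users\\u\\AppData\\Roaming\\r77.exe PipeName=\\r77_hide",
    "EventID=11 Image=C:\\Users\\u\\AppData\\Roaming\\r77.exe TargetFilename=C:\\ProgramData\\r77stager.dll",
    "EventID=12 Image=C:\\Windows\\System32\\services.exe TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Services\\r77svc",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "EventID=11 Image=C:\\Program Files\\App\\app.exe TargetFilename=C:\\Users\\u\\Documents\\report77.docx",
]

_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict."""
    return dict(_KV.findall(line))


def _leaf(path: str) -> str:
    """Last path or registry-key component, lower-cased for prefix checks."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str], marker: str = MARKER) -> List[str]:
    """Return the page's r77 indicators that this single event matches."""
    m, eid, hits = marker.lower(), ev.get("EventID"), []
    if eid == "8" and _leaf(ev.get("SourceImage", "")).startswith(m):
        hits.append("CreateRemoteThread from marker-named process into " + ev.get("TargetImage", "?"))
    if eid in ("17", "18") and ev.get("PipeName", "").lstrip("\\").lower().startswith(m):
        hits.append("named pipe with marker prefix: " + ev["PipeName"])
    if eid == "11" and _leaf(ev.get("TargetFilename", "")).startswith(m):
        hits.append("file created with hidden-file prefix: " + ev["TargetFilename"])
    key = ev.get("TargetObject", "")
    if eid in ("12", "13") and key.upper().startswith(SERVICES_KEY) and _leaf(key).startswith(m):
        hits.append("service key with marker prefix: " + key)
    return hits


def scan(lines: List[str], marker: str = MARKER) -> List[Tuple[str, List[str]]]:
    """Keep only events with at least one hit, as (EventID, reasons) pairs."""
    flagged = []
    for ev in map(parse_event, lines):
        if hits := check_event(ev, marker):
            flagged.append((ev.get("EventID", "?"), hits))
    return flagged
```

scan(SAMPLE_EVENTS) flags the first four records and leaves the notepad and report77.docx records alone. Because r77 hooks in user mode only, Sysmon's kernel-side callbacks still record the creation of the files, pipes and keys that the hooks later hide from enumeration, which is why creation-time telemetry is the right place to look.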

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.



ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.