A tester suspects a rootkit hidden in a device driver; which type of rootkit is most likely involved?


Multiple Choice

A tester suspects a rootkit hidden in a device driver; which type of rootkit is most likely involved?

Explanation:
A rootkit hidden in a device driver is a kernel-level (kernel-mode) rootkit. On Windows and Linux, device drivers are kernel modules executing at ring 0, the most privileged layer of the operating system, so code embedded in one can hook kernel functions (the system call table, a driver's IRP dispatch routines, file-system or network callbacks), alter core kernel data structures such as the process and module lists, and thereby hide files, processes, connections and the driver itself from security tools that query the kernel from user space. Living inside the kernel in order to control and conceal at that layer is the defining trait of a kernel-level rootkit.

The alternatives do not match the clue. A user-mode rootkit lives in user space, typically by hooking or patching APIs inside user processes, and lacks the access needed to manipulate kernel internals or to hide from tools that bypass those hooks. A bootkit subverts the boot process (the MBR/VBR or the UEFI bootloader stage) so that it runs before the OS and can weaken protections such as driver signature enforcement; the clue describes a driver loaded by the running OS, not a pre-OS stage. A firmware rootkit resides in BIOS/UEFI or peripheral firmware rather than in the OS kernel. Given that the rootkit is hidden in a device driver, the kernel-level option fits best.

One caveat worth remembering outside the exam: some Windows drivers run in user mode (UMDF), and on any platform a kernel rootkit must first get its code loaded, which is why Secure Boot, driver signature enforcement and kernel lockdown are the preventive controls that matter, and why detection usually relies on cross-view comparison (what the kernel reports through one interface versus what another route reveals) rather than on API queries the rootkit can intercept.
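The cross-view idea in practice, as an added example that is not part of the original question or explanation: a Linux kernel-mode rootkit that unlinks its struct module from the kernel's module list vanishes from lsmod and /proc/modules, but its /sys/module/<name> directory is a separate sysfs object and often survives. Loadable modules carry an `initstate` attribute there; built-in modules, which also appear under /sys/module, do not. The script compares the two views with that filter. The module name `rk_hide` and all sample data are constructed for the example.

```python
"""Cross-view check for a hidden Linux kernel module.

Added example, not from the Passetra page. Compares the kernel's own module
list (/proc/modules) with the sysfs view (/sys/module), reporting loadable
modules that sysfs still knows about but /proc/modules no longer lists.
All sample data below is constructed for the example.
"""
import os
import sys

# Constructed /proc/modules content (fields: name size refcount deps state address).
SAMPLE_PROC_MODULES = """\
ext4 778240 2 - Live 0xffffffffc0a00000
nvme 45056 3 - Live 0xffffffffc0980000
xfs 1581056 0 - Live 0xffffffffc0700000
"""

# Constructed /sys/module view: name -> attribute names found in that directory.
# "rk_hide" is the planted discrepancy: a loadable module (it has initstate)
# that is missing from /proc/modules. "printk" is built-in (parameters only)
# and must not be reported as hidden.
SAMPLE_SYS_MODULE = {
    "ext4": {"initstate", "refcnt", "sections", "parameters"},
    "nvme": {"initstate", "refcnt", "sections", "parameters"},
    "xfs": {"initstate", "refcnt", "sections"},
    "rk_hide": {"initstate", "refcnt", "sections"},
    "printk": {"parameters"},
}


def parse_proc_modules(text):
    """Return the set of module names listed in /proc/modules text."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def loadable_modules_in_sysfs(sys_view):
    """Names under /sys/module that carry 'initstate', i.e. loadable modules."""
    return {name for name, attrs in sys_view.items() if "initstate" in attrs}


def hidden_modules(proc_text, sys_view):
    """Loadable modules visible in sysfs but absent from /proc/modules."""
    visible = parse_proc_modules(proc_text)
    loadable = loadable_modules_in_sysfs(sys_view)
    return sorted(loadable - visible)


def read_live_sysfs(root="/sys/module"):
    """Build the sysfs view from a real host (Linux only)."""
    view = {}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isdir(path):
            view[name] = set(os.listdir(path))
    return view


def main():
    # Run with --live on a Linux host to check the real kernel; otherwise
    # the constructed sample is used and "rk_hide" is reported.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/modules") as fh:
            proc_text = fh.read()
        suspects = hidden_modules(proc_text, read_live_sysfs())
    else:
        suspects = hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE)
    if suspects:
        print("loadable modules present in /sys/module but not in /proc/modules:")
        for name in suspects:
            print("  ", name)
    else:
        print("no discrepancy between /proc/modules and /sys/module")


if __name__ == "__main__":
    main()
```

A rootkit that also removes its sysfs kobject, or that hooks the reads of both files, defeats this particular comparison, so treat it as one cross-view among several (a /proc/kallsyms or memory-image comparison, a different kernel interface, or offline inspection from trusted media) rather than a complete test.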
