Which rootkit replaces the original system calls with fake ones to hide information about the attacker?

Multiple Choice

Which rootkit replaces the original system calls with fake ones to hide information about the attacker?

Explanation:

Intercepting and replacing library functions to hide attacker activity.

Library-level rootkits work by inserting malicious libraries or using techniques like LD_PRELOAD to override standard user-space functions. By swapping out or wrapping calls such as those that list files, read process tables, or query system information, they return fake or filtered results. This lets the attacker’s presence and artifacts be hidden from typical monitoring and from programs that rely on these library routines, all without modifying the kernel itself. Other rootkit categories operate at different layers—kernel-level rootkits patch the kernel, boot loader rootkits alter the boot process, and hypervisor-level rootkits live at the virtualization layer—so the described approach corresponds to the library-level variant.
