A common rootkit feature is hiding or obscuring network traffic that relates to the attacker.
For example, the rootkit may install hooks that make active connections not show up when a systems administrator or incident responder runs the netstat command on an infected host.