We host a lot of Windows Server 2012 VM’s and have noticed an increase in some MBR root kits being installed during windows activation and or updates.. We were pretty confused, and still have no idea exactly, it could of been a hacked ISO we got from our supplier, or it could of been whats posted in these articles

https://searchsecurity.techtarget.com/answer/Is-a-Master-Boot-Record-MBR-rootkit-completely-invisible-to-the-OS

https://www.csoonline.com/article/3222066/how-to-detect-and-remove-a-rootkit-in-windows-10.html