GhostTree Attack Abused Recursive Windows Junctions to Hide Malware
GhostTree is a malware evasion technique that abuses recursive NTFS junctions on Windows to create an extremely large number of valid file paths pointing to the same directory. This causes recursive folder scans, including those by Microsoft Defender, to hang indefinitely, leaving malware undetected. The technique requires only user-level write permissions to create junctions that loop back to parent directories, generating a combinatorial explosion of paths. Although Microsoft acknowledged the issue and patched it, the technique highlights limitations in endpoint scanning and the need for monitoring anomalous file system activity.
AI Analysis
Technical Summary
GhostTree leverages recursive NTFS junctions to create a vast number of valid Windows file paths by pointing directory junctions back to their parent directories, forming loops. Because each junction branches again at every level of the loop, the number of unique paths grows exponentially (approximately 2^126), which can cause recursive folder scans by tools like Microsoft Defender to never complete. The technique requires no administrative privileges, only write access to the target folder, and exploits the Windows maximum path length limitation to maximize path diversity. This evasion method allows malware placed in the parent directory to remain unscanned and undetected. Microsoft was informed of the issue and issued a patch, though it initially stated that bypassing Defender scans does not cross a security boundary. The technique underscores the importance of layered defense beyond endpoint scanning, such as monitoring file system activity for anomalous junction creation and recursive directory structures.
Potential Impact
Malware using GhostTree can evade detection by causing recursive folder scans to hang indefinitely, preventing antivirus and endpoint detection and response (EDR) tools from examining malicious files in affected directories. This results in undetected malware persistence on Windows systems. The technique requires only user-level permissions, making it accessible to attackers without elevated privileges. Although Microsoft patched the issue, systems without the patch remain vulnerable to scan evasion. The technique does not directly compromise system security boundaries but undermines malware detection capabilities.
Mitigation Recommendations
Microsoft has patched the issue after being notified, so applying the official update resolves the vulnerability. Organizations should ensure Windows Defender and related security products are fully updated. Since the technique exploits legitimate NTFS junction features, monitoring file system activity for anomalous recursive junction creation and unusual directory structures is recommended as a complementary detection method. Endpoint scanning alone is insufficient to detect malware hidden via GhostTree. No additional immediate actions are required if patches are applied.
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/ghosttree-attack-abused-recursive-windows-junctions-to-hide-malware/ (fetched 2026-06-16, 1138 words)
Threat ID: 6a315dfd0b89be6888c2ffba
Added to database: 6/16/2026, 2:30:21 PM
Last enriched: 6/16/2026, 2:30:27 PM
Last updated: 6/17/2026, 4:02:07 AM