CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

A novel evasion technique called GhostTree, which exploits NTFS junctions to create recursive directory loops. Uncovered by Varonis Threat Labs, this method traps Endpoint Detection and Response (EDR) scanners in infinite paths, causing them to hang and ignore malicious payloads. NTFS junctions function as advanced shortcuts that redirect applications from one directory to another seamlessly. […] The post New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned appeared first

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned By Guru Baran May 21, 2026 A novel evasion technique called GhostTree, which exploits NTFS junctions to create recursive directory loops. Uncovered by Varonis Threat Labs, this method traps Endpoint Detection and Response (EDR) scanners in infinite paths, causing them to hang and ignore malicious payloads. NTFS junctions function as advanced shortcuts that redirect applications from one directory to another seamlessly. Threat actors favor this feature because creating a junction requires only standard write permissions rather than administrative privileges. Attackers simply execute the mklink /J command in the Windows terminal to link a new path to a target directory. GhostTree Attack on EDR While the NTFS file system natively supports extended paths, legacy software heavily restricts practical path depth across the operating system. Classic Windows architectures enforce a strict maximum path length of 260 characters, which ultimately caps how deep recursive directory loops can extend. The foundational GhostBranch attack involves an adversary creating a junction that points a child directory directly back to its parent. This misconfiguration builds a logical loop where the child folder endlessly replicates the parent’s contents, including itself. Attackers using single-letter folder names can nest directories to a maximum depth of approximately 126 levels. GhostTree exponentially amplifies this threat by linking multiple child directories back to the same parent folder. This dual-node configuration generates approximately 2 126 2126 distinct file paths, presenting an astronomical number of routes to a single executable. The resulting directory structure resembles a complex binary tree that branches recursively until hitting operating system limits. EDR Scanning Failures When security products attempt to recursively scan these manipulated directories, they continuously traverse the infinitely generating paths. The scanning engine becomes entirely consumed by the directory loop and ultimately hangs without completing its task. Any actual malware placed alongside the junction remains unscanned and completely undetected by the endpoint agent. The operational elements of these evasion techniques highlight their simplicity and severe impact on file system analysis. Defenders can use the comparison below to understand the exponential scaling differences between the two attack variants. Varonis researchers successfully validated this evasion technique by testing it directly against Windows Defender. Microsoft initially closed the bug report without action, stating that bypassing an antivirus engine does not qualify as crossing a defined security boundary. Despite this initial stance, Microsoft eventually deployed a patch to resolve the underlying recursive scanning vulnerability. Because native endpoint scanners can be subverted by logical file loops, organizations must implement defense-in-depth strategies. Security operations centers should monitor file access events at the data layer to identify the anomalous creation of junctions. Detecting recursive directory structures that deviate from normal operational patterns is critical for identifying GhostTree activity before execution. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Hackers Use Single-Letter Go Module Typosquat to Deploy DNS-Based Backdoor New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released Critical Canon MailSuite Vulnerability Enables Remote Code Execution Attacks Critical Apache Flink Vulnerability Enables Remote code execution Attacks macOS Malware Installs Fake Google Software Update LaunchAgent for Persistence Latest News Cyber Security News WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files Cyber Security Two U.S. Executives Plead Guilty in India-Based Tech-Support Fraud Schemes Cyber Security Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code Cyber Security News Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections Cyber Security News Dark Web Brokers Repackage Old Breaches as Fresh Corporate Data Leaks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗