New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned
Cybersecurity NewsArchived May 21, 2026✓ Full text saved
A novel evasion technique called GhostTree, which exploits NTFS junctions to create recursive directory loops. Uncovered by Varonis Threat Labs, this method traps Endpoint Detection and Response (EDR) scanners in infinite paths, causing them to hang and ignore malicious payloads. NTFS junctions function as advanced shortcuts that redirect applications from one directory to another seamlessly. […] The post New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned appeared first
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned
By Guru Baran
May 21, 2026
A novel evasion technique called GhostTree, which exploits NTFS junctions to create recursive directory loops.
Uncovered by Varonis Threat Labs, this method traps Endpoint Detection and Response (EDR) scanners in infinite paths, causing them to hang and ignore malicious payloads.
NTFS junctions function as advanced shortcuts that redirect applications from one directory to another seamlessly.
Threat actors favor this feature because creating a junction requires only standard write permissions rather than administrative privileges.
Attackers simply execute the mklink /J command in the Windows terminal to link a new path to a target directory.
GhostTree Attack on EDR
While the NTFS file system natively supports extended paths, legacy software heavily restricts practical path depth across the operating system.
Classic Windows architectures enforce a strict maximum path length of 260 characters, which ultimately caps how deep recursive directory loops can extend.
The foundational GhostBranch attack involves an adversary creating a junction that points a child directory directly back to its parent.
This misconfiguration builds a logical loop where the child folder endlessly replicates the parent’s contents, including itself. Attackers using single-letter folder names can nest directories to a maximum depth of approximately 126 levels.
GhostTree exponentially amplifies this threat by linking multiple child directories back to the same parent folder.
This dual-node configuration generates approximately
2
126
2126 distinct file paths, presenting an astronomical number of routes to a single executable. The resulting directory structure resembles a complex binary tree that branches recursively until hitting operating system limits.
EDR Scanning Failures
When security products attempt to recursively scan these manipulated directories, they continuously traverse the infinitely generating paths.
The scanning engine becomes entirely consumed by the directory loop and ultimately hangs without completing its task. Any actual malware placed alongside the junction remains unscanned and completely undetected by the endpoint agent.
The operational elements of these evasion techniques highlight their simplicity and severe impact on file system analysis. Defenders can use the comparison below to understand the exponential scaling differences between the two attack variants.
Varonis researchers successfully validated this evasion technique by testing it directly against Windows Defender.
Microsoft initially closed the bug report without action, stating that bypassing an antivirus engine does not qualify as crossing a defined security boundary.
Despite this initial stance, Microsoft eventually deployed a patch to resolve the underlying recursive scanning vulnerability.
Because native endpoint scanners can be subverted by logical file loops, organizations must implement defense-in-depth strategies.
Security operations centers should monitor file access events at the data layer to identify the anomalous creation of junctions.
Detecting recursive directory structures that deviate from normal operational patterns is critical for identifying GhostTree activity before execution.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Hackers Use Single-Letter Go Module Typosquat to Deploy DNS-Based Backdoor
New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released
Critical Canon MailSuite Vulnerability Enables Remote Code Execution Attacks
Critical Apache Flink Vulnerability Enables Remote code execution Attacks
macOS Malware Installs Fake Google Software Update LaunchAgent for Persistence
Latest News
Cyber Security News
WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files
Cyber Security
Two U.S. Executives Plead Guilty in India-Based Tech-Support Fraud Schemes
Cyber Security
Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code
Cyber Security News
Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections
Cyber Security News
Dark Web Brokers Repackage Old Breaches as Fresh Corporate Data Leaks