HackMyIP
2026-06-16 BleepingComputer

GhostTree Attack Uses Recursive Windows Junctions to Hide Malware from EDR

Tags: Malware, Vulnerability, Threat Intel

A newly disclosed technique dubbed GhostTree exploits a little-known feature of the Windows NTFS file system to conceal malware from security scanners. By creating recursive directory junctions, where a junction inside a folder points back at that folder or one of its ancestors, attackers can generate an effectively unbounded set of distinct file paths. Endpoint detection and response (EDR) products and other scanners that blindly follow reparse points keep descending until a path-length limit, timeout, or resource exhaustion stops them, and the malicious files sitting in the same directory as the junction are never examined. The technique was discovered by Varonis researchers, who detailed two variants: the simpler GhostBranch and the more complex GhostTree recursion method, both of which abuse NTFS reparse points, a feature first documented alongside legacy Windows subsystems.

NTFS junctions and symbolic links are legitimate reparse points that redirect one directory to another, commonly used for backward compatibility and storage management. A junction is created with a single command, `mklink /J C:\LinkToFolder C:\TargetFolder`, and requires only ordinary write access to the directory in which the link is created; no administrative privilege is needed, and the target does not even have to be writable. (Directory symbolic links, created with `mklink /D`, additionally require the SeCreateSymbolicLinkPrivilege, which is held by administrators by default and by all users when Developer Mode is enabled, so junctions are the lower-friction primitive.) This dramatically broadens the attack surface. Windows enforces a default 260-character maximum path length, MAX_PATH, which can be extended to roughly 32,767 characters through the LongPathsEnabled registry value for applications whose manifest declares them long-path aware, or by using the `\\?\` path prefix; most applications still stop handling paths beyond 260 characters. That limit caps how deep a single chain of `loop\loop\loop\...` can resolve, but a junction that points at its own ancestor yields a new, distinct path at every level, which is more than enough to exhaust any scanner that follows reparse points without tracking them. The GhostTree disclosure highlights a class of abuse in which fully native, documented file system behavior becomes a hiding place for payloads.

For security teams, the operational impact is significant. File integrity monitoring and signature-based EDR tools that perform recursive directory walks without tracking reparse points may silently skip folders containing GhostTree structures, creating persistent blind spots on endpoints. Defenders should inventory junction points on critical systems (Windows PowerShell's `Get-ChildItem -Attributes ReparsePoint` and `fsutil reparsepoint query` both expose them), alert on anomalous reparse point creation, and confirm that their security stack refuses to descend into reparse points or at least enforces a depth limit and reports when it is hit, rather than timing out silently. Because a payload hidden from the file scanner still has to execute and communicate, host-level monitoring should be paired with process and network telemetry so that hidden payloads surface through outbound C2 traffic analysis. Organizations should also review which file system behaviors their EDR vendor explicitly documents handling, and consider adding reparse point creation to alerting baselines, especially on servers, build hosts, and developer workstations where junction-heavy workflows already exist and may mask new abuse.
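The following PowerShell script is an added example written for this page; it is not code from Varonis, BleepingComputer, or any EDR product, and the self-loop test it applies (target equals the link or one of the link's ancestors) is this script's own heuristic rather than Varonis's published detection logic. It does two things the two paragraphs above call for: it walks a directory tree without ever descending into a reparse point, so a junction that points back at its own ancestor cannot trap the scan and every real file beside it is still visited, and it reports each junction or symbolic link found, flagging those whose target is their own ancestor. The `$MaxDepth` cap is an assumed defence-in-depth setting, not a Windows limit.

```powershell
# Audit a tree for self-referencing junctions/symlinks (GhostTree-style loops)
# and walk it safely. Added example, not from the original article or Varonis.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; $MaxDepth is our own cap.
param(
    [Parameter(Mandatory)] [string] $Root,
    [int] $MaxDepth = 64
)

function Normalize-Path {
    param([string] $Path)
    # Some PowerShell versions report link targets with the \\?\ prefix; strip it,
    # drop any trailing separator, and fold case (NTFS is case-insensitive by default).
    $p = $Path -replace '^\\\\\?\\', ''
    return $p.TrimEnd('\').ToLowerInvariant()
}

function Test-SelfReferencingLink {
    param([string] $LinkPath, [string] $TargetPath)
    $link   = Normalize-Path $LinkPath
    $target = Normalize-Path $TargetPath
    # A loop exists if the target is the link itself or any ancestor of it:
    # C:\data\loop -> C:\data makes C:\data\loop\loop\loop\... resolve forever.
    return ($link -eq $target) -or $link.StartsWith($target + '\')
}

function Invoke-SafeWalk {
    param(
        [string] $Dir,
        [int] $Depth,
        [System.Collections.Generic.List[object]] $Links,
        [System.Collections.Generic.List[string]] $Files
    )
    if ($Depth -gt $MaxDepth) {
        # Report loudly instead of failing silently; a scanner that stops here
        # without saying so is exactly the blind spot the technique relies on.
        Write-Warning "Depth cap $MaxDepth reached at $Dir; branch not scanned"
        return
    }
    $children = Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue
    foreach ($child in $children) {
        if ($child.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) {
            # .Target is an array in PS 5.1 and a string in PS 7; take the first.
            $target = @($child.Target)[0]
            $loop = [bool] ($target -and (Test-SelfReferencingLink $child.FullName $target))
            $Links.Add([pscustomobject]@{
                Path     = $child.FullName
                LinkType = $child.LinkType
                Target   = $target
                SelfLoop = $loop
            })
            continue   # never descend into a reparse point, looping or not
        }
        if ($child.PSIsContainer) {
            Invoke-SafeWalk -Dir $child.FullName -Depth ($Depth + 1) -Links $Links -Files $Files
        }
        else {
            # A real file beside the junction: this is what a scanner stuck
            # in the loop never reaches. Record it (hand it to your scanner here).
            $Files.Add($child.FullName)
        }
    }
}

$links = [System.Collections.Generic.List[object]]::new()
$files = [System.Collections.Generic.List[string]]::new()
$start = (Resolve-Path -LiteralPath $Root).Path
Invoke-SafeWalk -Dir $start -Depth 0 -Links $links -Files $files

"Files visited: $($files.Count)"
"Self-referencing links: $(@($links | Where-Object SelfLoop).Count) of $($links.Count) reparse points"
$links | Sort-Object SelfLoop -Descending | Format-Table Path, LinkType, Target, SelfLoop -AutoSize
```

To try it, build a harmless loop in a scratch directory with the page's own primitive, for example `cmd /c mklink /J C:\Temp\gt\loop C:\Temp\gt` after dropping a test file in `C:\Temp\gt`, then run the script with `-Root C:\Temp\gt`: the file is counted, the junction is listed with `SelfLoop` set to `True`, and the walk terminates immediately because it never steps through the junction. The same no-descend rule also defeats multi-hop cycles (A points to B, B points to A) that the ancestor check alone would not flag, which is why the walk refuses reparse points unconditionally and uses the heuristic only for reporting.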

Source: BleepingComputer →
