Find notable cyber news and cases, enriched with sources, timelines, and signals.

GhostLock CreateFileW share-mode file-locking technique

Technical Analysis
First reported
Last updated
Happening score
H score 24
1 unique sources, 1 articles

Summary

Hide ▲

GhostLock exposes a file-locking technique that abuses Windows CreateFileW to deny access to files on local systems and SMB shares. Because the method relies on legitimate exclusive opens, it can trigger STATUS_SHARING_VIOLATION errors while avoiding the write-and-encrypt signals many defenses watch for. The result is a disruption-focused tactic that can mask other malicious activity in an environment.

Related Happenings

GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning

Technical Analysis
H score23 First: 16.06.2026 17:17 Last: 16.06.2026 17:17 Sources 1

About this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...

Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)

Vulnerability
H score24 First: 03.06.2026 13:18 Last: 03.06.2026 13:18 Sources 1

About this happening: **Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...

Timeline

  1. 12.05.2026 01:02 2 articles · 1mo ago

    GhostLock proof-of-concept release

    Initial Disclosure

    Kim Dvash of Israel Aerospace Industries released GhostLock, a proof-of-concept tool that uses Windows CreateFileW and dwShareMode = 0 to open files with exclusive access on local disks and SMB network shares, causing STATUS_SHARING_VIOLATION errors for other users and applications. The technique can be run by standard domain users without elevated privileges, is described as disruption-based rather than destructive, and is less visible to tools that focus on mass file writes or encryption; the most reliable observable is a per-session open-file count with ShareAccess = 0 at the file server layer.

    Show sources