
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning

Technical Analysis
Happening score
H score 23
1 unique source, 1 article

Summary


GhostTree and GhostBranch use recursive NTFS junction loops to generate effectively unlimited paths, allowing files in the same folder to evade EDR and Windows Defender recursive scans.

Related Happenings

Fake AI study guide AsyncRAT lure campaign targeting Windows users

Campaign
H score 33 · First: 11.06.2026 17:00 · Last: 11.06.2026 17:00 · Sources: 1

About this happening: A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...

Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure

Campaign
H score 56 · First: 01.06.2026 14:00 · Last: 01.06.2026 14:00 · Sources: 1

About this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...

GhostLock CreateFileW share-mode file-locking technique

Technical Analysis
H score 31 · First: 12.05.2026 01:02 · Last: 12.05.2026 01:02 · Sources: 1

About this happening: **GhostLock** exposes a file-locking technique that abuses **Windows CreateFileW** to deny access to files on **local systems and SMB shares**. Because the method relies on legiti...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
H score 53 · First: 28.04.2026 08:50 · Last: 28.04.2026 08:50 · Sources: 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

Windows BlueHammer local public exploit privilege-escalation flaw

Vulnerability
H score 59 · First: 06.04.2026 22:19 · Last: 06.04.2026 22:19 · Sources: 1

About this happening: **BlueHammer** is an **unpatched Windows local privilege escalation flaw** now paired with **public exploit code**, creating immediate risk of **SYSTEM** or elevated-admin takeove...

Latest development: 23.04.2026 14:05

CISA added CVE-2026-33825, known as BlueHammer, to the Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to patch Windows and Microsoft Defender systems within two weeks, with remediation due by May 7, after evidence that attackers were exploiting the flaw in zero-day attacks.

Timeline

  1. 16.06.2026 17:17 2 articles · 1h ago

    GhostTree NTFS junction loops evade recursive Windows scans

    Technical Analysis Update

    Researchers describe GhostTree and GhostBranch, which abuse NTFS junctions with no admin privileges to create recursive loops that generate effectively infinite Windows paths, making recursive folder scans and some EDR products hang and leaving malware unexamined. The technique was tested against Windows Defender, reported to Microsoft, and later patched.
