GhostTree Attack Uses Recursive NTFS Junctions to Blow Past EDR Scanners

bleepingcomputer.com · @threat_watch · 3 hours ago · Cybersecurity · 3 comments

One or two mklink commands create self-referencing folder loops that yield on the order of 10^37 distinct path strings to the same file, making exhaustive recursive directory scanning impossible and leaving the malware untouched.

Tags: windows, ntfs, junctions, malware evasion, edr, cybersecurity

A newly documented attack technique, GhostTree, turns a mundane Windows file system feature into a denial-of-service weapon against security scanners. With two mklink commands, an attacker can generate an incomprehensibly large number of distinct file paths, roughly 2^126, each one valid and each one pointing at the same malware. Recursive scanners that do not track reparse points never finish; they chase the loop and hang.

How GhostBranch Creates an Infinite Loop

NTFS junctions are reparse points that make one directory transparently point to another. Any user with write access to the parent folder can create one; no admin rights are required. The simpler variant, GhostBranch, uses a single junction that points back at its own parent: mklink /J C:\Parent\Child C:\Parent. The child folder now appears to contain everything the parent does, including itself, so the directory tree loops endlessly. Every path of the form C:\Parent\Child\Child\...\malware.exe resolves to the same file. Classic Windows enforces the 260-character MAX_PATH limit, so about 126 single-letter directory names can be stacked before a path hits the ceiling; on Windows 10 and later, processes that opt in to long-path support (the LongPathsEnabled policy or the \\?\ prefix) can go far deeper, so the ceiling is a property of the scanner, not of the file system.

GhostTree: Binary Explosion of Paths

GhostTree extends the idea by creating two or more child junctions that each loop back to the parent: mklink /J C:\Parent\P C:\Parent and mklink /J C:\Parent\B C:\Parent. Each level in the path can now branch through either "P" or "B", so the path space is a binary tree of depth 126. The number of distinct path strings is 2^126, roughly 8.5 × 10^37. For scale, a human body contains on the order of 10^27 atoms and Earth has an estimated 10^18 to 10^19 grains of sand. A single folder holding one malicious executable becomes a dense forest of paths, all resolving to the same file.

Why Defenders Should Rethink Recursive Scans

The consequence is straightforward and grim. Running dir /s on the parent folder will not finish in any useful amount of time. EDR products that recursively enumerate files to discover threats, without noticing that they are crossing the same reparse point again and again, will follow the loop and hang, leaving the malware untouched. An attacker does not need admin rights, just write access to a folder users commonly control (e.g., %TEMP% or C:\Users\Public). The researchers who documented the technique have not named an affiliated institution, but the mechanism is fully reproducible on any standard Windows 10 or 11 system. Defenders must either switch to non-recursive scanning strategies or teach their scanners to recognise reparse points and break out of junction loops before timing out.
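To make both halves of the story concrete, here is an added example (not code from the article or its researchers) that builds the GhostTree layout from the previous section in a temporary directory and then walks it with a loop-safe scanner of the kind this section calls for. The walker refuses to descend through reparse points by default and, whether or not it follows them, tracks the identity (device, inode) of every directory on the current path so a junction that points back at an ancestor is reported as a loop instead of being chased. On Windows the fixture uses mklink /J; on POSIX it uses a directory symlink, which the walker treats the same way. The function names safe_walk, is_reparse_point, build_ghosttree_fixture and demo, the 64-level default depth cap and the placeholder malware.exe contents are this example's own.

```python
"""Loop-safe directory walker as a defence against GhostBranch/GhostTree.

Added example, not from the BleepingComputer article. All names here are the
example's own; the sample tree is constructed, not captured from a real host.
"""
import os
import stat
import subprocess
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows attribute bit set on junctions and symlinks


def is_reparse_point(path):
    """True for symlinks on any OS and for NTFS junctions/mount points on Windows."""
    st = os.lstat(path)                      # lstat does not follow the link itself
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # present only on Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def dir_identity(path):
    """Identity of the directory a path resolves to (links followed), for loop detection."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def safe_walk(root, max_depth=64, follow_links=False):
    """Enumerate files under root without being trapped by junction loops.

    Returns (files, loops): files are paths relative to root; loops are link
    entries whose target is a directory already on the current path.
    """
    files, loops = [], []

    def walk(directory, rel, depth, ancestors):
        if depth > max_depth:                 # hard cap, independent of loop detection
            return
        ident = dir_identity(directory)
        if ident in ancestors:                # only reachable when follow_links=True
            loops.append(rel)
            return
        ancestors = ancestors | {ident}
        with os.scandir(directory) as it:
            for entry in it:
                entry_rel = os.path.join(rel, entry.name) if rel else entry.name
                if entry.is_dir(follow_symlinks=True):
                    if is_reparse_point(entry.path) and not follow_links:
                        # Never descend; still report a junction that points at an ancestor.
                        if dir_identity(entry.path) in ancestors:
                            loops.append(entry_rel)
                        continue
                    walk(entry.path, entry_rel, depth + 1, ancestors)
                else:
                    files.append(entry_rel)

    walk(root, "", 0, frozenset())
    return sorted(files), sorted(loops)


def build_ghosttree_fixture(root):
    """Constructed sample tree: root/Parent/malware.exe plus links P and B that each
    point back at Parent (the GhostTree layout). mklink /J on Windows, symlink elsewhere."""
    parent = os.path.join(root, "Parent")
    os.mkdir(parent)
    with open(os.path.join(parent, "malware.exe"), "wb") as f:
        f.write(b"MZ placeholder - not a real executable")
    for name in ("P", "B"):
        link = os.path.join(parent, name)
        if os.name == "nt":
            subprocess.run(["cmd", "/c", "mklink", "/J", link, parent],
                           check=True, capture_output=True)
        else:
            os.symlink(parent, link, target_is_directory=True)
    return parent


def demo(follow_links=False):
    """Build the fixture in a temp dir, scan it, and return what the scanner saw."""
    with tempfile.TemporaryDirectory(prefix="ghosttree-") as root:
        parent = build_ghosttree_fixture(root)
        files, loops = safe_walk(parent, follow_links=follow_links)
    return {"files": files, "loops": loops}


if __name__ == "__main__":
    print(demo())                    # {'files': ['malware.exe'], 'loops': ['B', 'P']}
    print(demo(follow_links=True))   # same result: the loop is caught one level down
```

The scan terminates immediately with the single real file and both self-referential links reported, whichever mode is used. The identity check is what matters: a naive walker that merely caps recursion depth still visits 2^depth path strings before giving up, whereas comparing (st_dev, st_ino) against the ancestors on the current path costs one stat per directory and ends the loop at its first repetition.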

Expect EDR vendors to address this by capping recursion depth and, more usefully, by recognising reparse points and refusing to follow one that resolves to a directory already on the current path. Until then, any folder writable by an unprivileged user is a potential hiding spot.


Source: GhostTree Attack Abused Recursive Windows Junctions to Hide Malware
Domain: bleepingcomputer.com
