The bottom line: Recursive NTFS junctions enable attackers to hang Defender scans and keep malware undetected.
An attack group called GhostTree uses recursive NTFS junctions to generate a vast number of valid Windows file paths and thereby stall antivirus scans. The technique can cause Microsoft Defender's directory scan to never complete.
GhostTree exploits a property of the NTFS file system: a junction is a reparse point that redirects one directory path to another directory, and nothing stops a junction from pointing at its own parent or at any other directory that leads back to it. Every traversal through such a junction re-enters the same subtree under a new, longer path, so a handful of junctions yields a self-repeating path structure and a number of distinct, valid paths that is for practical purposes unlimited.
The practical effect is to overwhelm the scan: a security product such as Microsoft Defender that walks directories recursively, and does not recognise that it has returned to a directory it already scanned, is caught in an effectively endless loop as it tries to examine every path that appears to exist. Strictly, each individual path is bounded by Windows path-length limits, but with two or more such junctions the number of distinct paths grows exponentially with depth, so the walk does not finish in any useful time. The scan never completes, timeouts fire, and the scan job stays stuck in that state. While it hangs, the parts of the file system the walker never reaches go unscanned, so malware placed there can operate undetected.
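The junction loop described above, reproduced as an added example that is not part of the original article and not GhostTree's own tooling: the script builds a constructed lab tree in a temporary directory (two links under `a/` that both point back at the root; on Windows the same layout comes from `mklink /J` in cmd or `New-Item -ItemType Junction` in PowerShell, while plain symlinks stand in on POSIX), lets a naive walker burn its entire step budget on the cycle, and then runs a cycle-safe walker that skips reparse points and links and refuses to re-enter any directory identity it has already opened. `build_loop_tree`, `naive_walk`, `safe_walk`, `find_cycle_links`, `demo` and the step budget `MAX_STEPS` are this example's own names and assumptions.

```python
import os
import stat
import tempfile

MAX_STEPS = 2000  # hypothetical scan budget: directories a walker may open before we call it "hung"

def build_loop_tree(base):
    """Constructed lab layout (not from the article): base/a/loop1 and base/a/loop2 both
    point back at base. Two links make the number of distinct paths grow as 2**depth.
    POSIX symlinks stand in for NTFS junctions; on Windows build the same cycle with
    `mklink /J loop1 <base>` (cmd) or `New-Item -ItemType Junction` (PowerShell)."""
    a = os.path.join(base, "a")
    os.makedirs(a)
    for name in ("loop1", "loop2"):
        os.symlink(base, os.path.join(a, name), target_is_directory=True)
    return a

def naive_walk(root, max_steps=MAX_STEPS):
    """Follows every directory entry, links included, like a scanner that ignores reparse
    points. Returns (directories_opened, budget_exhausted)."""
    stack, opened = [root], 0
    while stack:
        if opened >= max_steps:  # nothing else stops it: each pass through a link re-enters root
            return opened, True
        d = stack.pop()
        opened += 1
        try:
            with os.scandir(d) as it:
                for e in it:
                    if e.is_dir():  # DirEntry.is_dir() follows links
                        stack.append(e.path)
        except OSError:  # ELOOP / name too long at the bottom of one branch; siblings remain
            continue
    return opened, False

def _is_reparse_point(st):
    """Windows-only attribute shared by junctions, mount points and symlinks; False elsewhere."""
    return bool(getattr(st, "st_file_attributes", 0) & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def safe_walk(root, follow_links=False):
    """Cycle-safe walker. Defence 1: links/reparse points are recorded, not entered (unless
    follow_links). Defence 2: each directory is keyed by (st_dev, st_ino) of its resolved
    target and never opened twice, which breaks the cycle even when a link is followed.
    Returns (directories_opened, links_seen)."""
    visited, links, stack, opened = set(), [], [root], 0
    while stack:
        d = stack.pop()
        try:
            st = os.stat(d)  # resolves through the link/junction to the real directory
        except OSError:
            continue
        ident = (st.st_dev, st.st_ino)
        if ident in visited:  # alias of a directory already scanned: do not re-enter
            continue
        visited.add(ident)
        opened += 1
        try:
            with os.scandir(d) as it:
                for e in it:
                    try:
                        lst = e.stat(follow_symlinks=False)
                    except OSError:
                        continue
                    if e.is_symlink() or _is_reparse_point(lst):
                        links.append(e.path)
                        if follow_links and e.is_dir():
                            stack.append(e.path)
                    elif stat.S_ISDIR(lst.st_mode):
                        stack.append(e.path)
        except OSError:
            continue
    return opened, links

def find_cycle_links(root):
    """Hunting check: links whose resolved target is the link's own directory or an ancestor
    of it. Such a link is what turns a finite tree into an unbounded path space."""
    _, links = safe_walk(root)
    hits = []
    for link in links:
        target = os.path.realpath(link)  # where the link/junction actually leads
        parent = os.path.realpath(os.path.dirname(link))
        if parent == target or parent.startswith(target + os.sep):
            hits.append((link, target))
    return sorted(hits)

def demo(max_steps=MAX_STEPS):
    """Build the loop tree in a temp dir, run the three checks and return the numbers."""
    with tempfile.TemporaryDirectory() as base:
        build_loop_tree(base)
        naive_opened, exhausted = naive_walk(base, max_steps)
        safe_opened, _ = safe_walk(base)
        safe_opened_follow, _ = safe_walk(base, follow_links=True)
        cycle_links = find_cycle_links(base)
    return {"naive_opened": naive_opened, "naive_exhausted": exhausted,
            "safe_opened": safe_opened, "safe_opened_follow": safe_opened_follow,
            "cycle_links": len(cycle_links)}

if __name__ == "__main__":
    print(demo())
```

On a POSIX host the naive walker is eventually stopped by the kernel's symlink-resolution limit on each individual branch, but because every level doubles the number of branches it exhausts the budget long before that; the cycle-safe walker opens exactly two directories (the root and `a`) whether or not it is told to follow links, and the hunting check reports both back-pointing links. On Windows, `os.symlink` needs the symlink privilege or Developer Mode, so build the lab tree with `mklink /J` instead; `safe_walk` then recognises the junctions through the reparse-point attribute rather than `is_symlink()`.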
For Chief Information Security Officers (CISOs), this attack variant matters because it shows that an established security product can be paralysed by a simple file system trick, regardless of its otherwise strong detection capabilities. Defender is rendered unusable through resource exhaustion, without any classic vulnerability or sandbox escape being involved. This underscores the need to complement automated scans with behavioral detection, threat hunting and network monitoring in order to catch such evasion methods.
Source: www.bleepingcomputer.com · Published June 16, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.