Malware Hiding in a Fake System32 Directory Using NTFS Trailing-Space Trick

Postedabout 2 months agoActiveabout 2 months ago

CriticalLY

1 points

1 comments

medium.comSecuritystory

informativeneutral

Debate

20/100

Windows SecurityNtfs VulnerabilitiesMalware Evasion Techniques

Key topics

Windows Security

Ntfs Vulnerabilities

Malware Evasion Techniques

Discussion Activity

Light discussion

First comment

N/A

Peak period

0-1h

Avg / period

Key moments

01Story posted
Nov 25, 2025 at 5:51 AM EST
about 2 months ago
Step 01
02First comment
Nov 25, 2025 at 5:51 AM EST
0s after posting
Step 02
03Peak activity
1 comments in 0-1h
Hottest window of the conversation
Step 03
04Latest activity
Nov 25, 2025 at 8:26 AM EST
about 2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (1 comments)

Showing 2 comments

CriticalLYAuthor

about 2 months ago

1 reply

I came across an interesting NTFS behavior where adding a trailing space in a Windows directory path creates a “ghost” folder that Explorer and most tools can’t display or access normally.

Attackers can abuse this to drop files inside what appears to be the real System32 directory, making the content extremely hard to notice.

I wrote a short breakdown with examples and behavior analysis.

Borg3

about 2 months ago

At least, my Cygwin quickly complain there is sth wrong:

  % mkdir '//?/c:/test123 '
  % ls
  ls: test123 : No such file or directory

View full discussion on Hacker News

ID: 46044599Type: storyLast synced: 11/25/2025, 10:52:08 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN