Nov 25, 2025 at 5:51 AM EST

Malware Hiding in a Fake System32 Directory Using NTFS Trailing-Space Trick

CriticalLY

1 points

1 comments

Mood

informative

Sentiment

neutral

Discussion Activity

Light discussion

First comment

N/A

Peak period

Hour 1

Avg / period

Comment distribution2 data points

Loading chart...

Based on 2 loaded comments

Key moments

01Story posted
Nov 25, 2025 at 5:51 AM EST
5h ago
Step 01
02First comment
Nov 25, 2025 at 5:51 AM EST
0s after posting
Step 02
03Peak activity
1 comments in Hour 1
Hottest window of the conversation
Step 03
04Latest activity
Nov 25, 2025 at 8:26 AM EST
2h ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (1 comments)

Showing 2 comments

CriticalLY

5h ago

1 reply

I came across an interesting NTFS behavior where adding a trailing space in a Windows directory path creates a “ghost” folder that Explorer and most tools can’t display or access normally.

Attackers can abuse this to drop files inside what appears to be the real System32 directory, making the content extremely hard to notice.

I wrote a short breakdown with examples and behavior analysis.

Borg3

2h ago

At least, my Cygwin quickly complain there is sth wrong:

  % mkdir '//?/c:/test123 '
  % ls
  ls: test123 : No such file or directory

View full discussion on Hacker News

ID: 46044599Type: storyLast synced: 11/25/2025, 10:52:08 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Read Article View on HN

Nov 25, 2025 at 5:51 AM EST

Malware Hiding in a Fake System32 Directory Using NTFS Trailing-Space Trick

CriticalLY

1 points

1 comments

Mood

informative

Sentiment

neutral

Discussion Activity

Light discussion

First comment

N/A

Peak period

Hour 1

Avg / period

Comment distribution2 data points

Loading chart...

Based on 2 loaded comments

Key moments

01Story posted
Nov 25, 2025 at 5:51 AM EST
5h ago
Step 01
02First comment
Nov 25, 2025 at 5:51 AM EST
0s after posting
Step 02
03Peak activity
1 comments in Hour 1
Hottest window of the conversation
Step 03
04Latest activity
Nov 25, 2025 at 8:26 AM EST
2h ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (1 comments)

Showing 2 comments

CriticalLY

5h ago

1 reply

I came across an interesting NTFS behavior where adding a trailing space in a Windows directory path creates a “ghost” folder that Explorer and most tools can’t display or access normally.

Attackers can abuse this to drop files inside what appears to be the real System32 directory, making the content extremely hard to notice.

I wrote a short breakdown with examples and behavior analysis.

Borg3

2h ago

At least, my Cygwin quickly complain there is sth wrong:

  % mkdir '//?/c:/test123 '
  % ls
  ls: test123 : No such file or directory

View full discussion on Hacker News

ID: 46044599Type: storyLast synced: 11/25/2025, 10:52:08 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Read Article View on HN