GhostTree Attack Abused Recursive Windows Junctions to Hide Malware

Attackers can create recursive NTFS junctions that point back to a parent directory, generating infinite file paths. This technique, called GhostTree, causes scanning tools including EDR products to follow the loop indefinitely. Malicious files in the same folder remain unexamined because the scanner never finishes.