
The Batch Script That Scrubs Windows ADS to Ghost Malware Persistence

Imagine malware that doesn't just hide its tracks; it pours bleach on them. This script erases the Zone.Identifier ADS (Windows' Mark-of-the-Web) after copying itself, so forensic tools treat the file as locally created rather than downloaded.

(Image: command prompt showing the batch script copying a file and removing its Zone.Identifier ADS stream)

⚑ Key Takeaways

  • The malware copies itself to APPDATA, then uses PowerShell to erase the Zone.Identifier ADS, evading scans that key on download origin.
  • Persistence via an obfuscated Run key value executes dwm.cmd at boot, mimicking a legitimate process name.
  • LLMs incorrectly claim that file copies drop the ADS; tests prove copies preserve it, which is why explicit removal is a key evasion step.
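The following PowerShell is an added example written for this summary, not the script from the ISC diary. It checks the third takeaway on your own machine (a Copy-Item of a file carrying a constructed Zone.Identifier stream keeps that stream on NTFS) and then audits the current user's Run key for values that launch a .cmd or .bat from under APPDATA, the persistence shape described above. The file names under $env:TEMP and the ZoneId=3 stream content are assumptions made for the demonstration; nothing here removes a stream.

```powershell
# Added example (not the ISC diary's script): confirm that Copy-Item preserves the
# Zone.Identifier ADS, then audit HKCU Run values for APPDATA-hosted .cmd/.bat launchers.
# Assumes an NTFS volume under $env:TEMP; the Mark-of-the-Web content below is constructed.

function Test-HasZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Item -Stream * lists every stream; ':$DATA' is the main content, the rest are ADS.
    $streams = Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue
    return [bool]($streams | Where-Object { $_.Stream -eq 'Zone.Identifier' })
}

function Find-SuspiciousRunValue {
    # Flags Run values whose command line references a .cmd/.bat under APPDATA,
    # accepting both the literal %APPDATA% and its expanded path.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $appdata = '(?i)%APPDATA%|' + [regex]::Escape($env:APPDATA)
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |                         # drop provider metadata
        Where-Object { $_.Value -match '(?i)\.(cmd|bat)\b' -and $_.Value -match $appdata } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
}

# --- 1. Does a copy keep the Mark-of-the-Web? ---
$src = Join-Path $env:TEMP 'motw-source.txt'
$dst = Join-Path $env:TEMP 'motw-copy.txt'

Set-Content -Path $src -Value 'harmless test content'
# Constructed Zone.Identifier: ZoneId=3 is the Internet zone, what a browser download carries.
Set-Content -Path $src -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

Copy-Item -Path $src -Destination $dst -Force

"Source has Zone.Identifier: $(Test-HasZoneIdentifier -Path $src)"
"Copy   has Zone.Identifier: $(Test-HasZoneIdentifier -Path $dst)"
if (Test-HasZoneIdentifier -Path $dst) {
    # The stream survives the copy, so its absence on a recently written file is itself a signal.
    Get-Content -Path $dst -Stream 'Zone.Identifier'
}

Remove-Item -Path $src, $dst -Force

# --- 2. Any Run values matching the persistence profile in the takeaways? ---
$hits = Find-SuspiciousRunValue
if ($hits) {
    $hits | ForEach-Object { "Review Run value '$($_.Name)': $($_.Command)" }
} else {
    'No Run values launching .cmd/.bat from APPDATA.'
}
```

On an NTFS volume both checks print True, which is the point of the third takeaway: a script that lands under APPDATA without a Zone.Identifier stream was either created locally or had the stream stripped, so the missing mark should be read alongside the Run key audit rather than as proof of local origin. The audit only covers HKCU; the same filter can be pointed at the HKLM Run key when run elevated.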


Written by Priya Sundaram

Hardware and infrastructure reporter. Tracks GPU wars, chip design, and the compute economy.


Originally reported by SANS Internet Storm Center
