What is Zone.Identifier ADS in Windows?

It's an alternate data stream Windows attaches to downloaded files, marking their origin zone (like Internet = 3). Tools use it to flag risks; malware strips it to blend in.

How does malware persist using the Windows registry Run key?

Attackers add entries to HKCU\Software\Microsoft\Windows\CurrentVersion\Run, executing scripts at login without admin rights. Obfuscated names hide from scans.

Can antivirus detect ADS-removing malware scripts?

Some behavioral EDR catches PowerShell one-liners or registry changes, but static sigs miss variants. Hunt streams proactively.

🌐 Nation-State Threats

The Batch Script That Scrubs Windows ADS to Ghost Malware Persistence

Imagine malware that doesn't just hide its tracks; it pours bleach on them. This script erases Windows' Zone.Identifier ADS post-copy, fooling forensics into thinking it's local-born.

Threat Digest Apr 03, 2026 4 min read

Command prompt showing batch script copying file and removing Zone.Identifier ADS stream

⚡ Key Takeaways

Malware copies to APPDATA, then uses PowerShell to erase Zone.Identifier ADS, evading download-origin scans. 𝕏
Persistence via obfuscated Run key value executes dwm.cmd at boot, mimicking legit processes. 𝕏
LLMs incorrectly claim copies drop ADS; tests prove they preserve it, making removal a key evasion step. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#ADS Zone.Identifier #ADS removal #PowerShell evasion #Windows persistence #Windows registry evasion #Zone.Identifier #fileless malware #malware persistence

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by SANS Internet Storm Center

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

Chinese Hackers Turn TrueConf's 'Secure' Updates into a Government Trap

North Korean Hackers' Slick Slack Trick: Inside the Axios npm Compromise

Drift's $285M Nightmare: DPRK's Nonce Social Engineering Masterclass

Iranian Hackers Erase Stryker's Digital Lifeline: Medtech's Nightmare Begins

Stay in the loop