{"id":2242,"date":"2026-04-01T11:05:04","date_gmt":"2026-04-01T11:05:04","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/01\/malicious-script-that-gets-rid-of-ads-wed-apr-1st\/"},"modified":"2026-04-01T11:05:04","modified_gmt":"2026-04-01T11:05:04","slug":"malicious-script-that-gets-rid-of-ads-wed-apr-1st","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/01\/malicious-script-that-gets-rid-of-ads-wed-apr-1st\/","title":{"rendered":"Malicious Script That Gets Rid of ADS, (Wed, Apr 1st)"},"content":{"rendered":"<div>\n<p>Today, most malware is called \u201cfileless\u201d because it tries to reduce its footprint on the infected computer\u2019s filesystem to the bare minimum. But it still needs to write something somewhere; think about persistence. The registry can be used as an alternative storage location.<\/p>\n<p>Some scripts, however, still rely on files that are executed at boot time, for example via a \u201cRun\u201d key:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" \/v csgh4Pbzclmp \/t REG_SZ \/d \"\\\"%APPDATA%\\Microsoft\\Windows\\Templates\\dwm.cmd\\\"\" \/f &gt;nul 2&gt;&amp;1<\/pre>\n<p>The file located under %APPDATA% will be executed at boot time.<\/p>\n<p>From the attacker\u2019s point of view, there is a problem. The original script first copies itself:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\ncopy \/Y \"%~f0\" \"%APPDATA%\\Microsoft\\Windows\\Templates\\dwm.cmd\" &gt;nul 2&gt;&amp;1<\/pre>\n<p>Just after the copy operation, a PowerShell one-liner is executed:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\npowershell -w h -c \"try{Remove-Item -Path '%APPDATA%\\Microsoft\\Windows\\Templates\\dwm.cmd<span style=\"background-color:#f1c40f;\">:Zone.Identifier<\/span>' -Force -ErrorAction 
SilentlyContinue}catch{}\" &gt;nul 2&gt;&amp;1<\/pre>\n<p>PowerShell tries to remove the alternate data stream (ADS) \u201c:Zone.Identifier\u201d that Windows attaches to files during certain file operations, typically downloads. The :Zone.Identifier stream records the security zone the file came from (1 = My Computer, 2 = Local intranet, 3 = Trusted sites, 4 = Internet, 5 = Restricted sites). It&#8217;s not clear whether a &#8220;copy&#8221; drops or preserves the ADS. I did not find any official Microsoft documentation, but if you ask an LLM, it will tell you that they are not preserved. They are wrong!<\/p>\n<p>In my Windows 10 lab, I downloaded a copy of BinaryNinja. An ADS was added to the file. After a copy to &#8220;test.ext&#8221;, the new file still has the ADS!<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260401-1.png\" style=\"width: 1200px; height: 680px;\">By removing the ADS, the malicious script makes the file look less suspicious if the system is scanned for &#8220;downloaded&#8221; files (a classic operation performed in DFIR investigations).<\/p>\n<p>For the record, the script later invokes another PowerShell command that drops a DonutLoader on the victim&#8217;s computer.<\/p>\n<p>Xavier Mertens (@xme)<br \/>\nXameco<br \/>\nSenior ISC Handler &#8211; Freelance Cyber Security Consultant<br \/>\n<a href=\"https:\/\/keybase.io\/xme\/key.asc\">PGP Key<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Today, most malware is called \u201cfileless\u201d because it tries to reduce its footprint on the infected computer\u2019s filesystem to the bare minimum. But it still needs to write something somewhere; think about persistence. The registry can be used as an alternative storage location. Some scripts, however, still rely on files that are executed at boot time. 
For [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-2242","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=2242"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2242\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=2242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=2242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=2242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}