A Sneaky Malware Trick Just Got Patched

Windows 11’s latest 24H2 update has accidentally (or intentionally?) broken a long-standing malware evasion trick known as the Lloyd Labs self-delete method. This technique, used by both cybercriminals and security researchers, allowed files to completely erase themselves after execution, making forensic analysis much harder.

Now, thanks to changes in how Windows handles file deletions, this trick no longer works as expected. But as always in cybersecurity, the game of cat and mouse continues.

How the Lloyd Labs Self-Delete Trick Worked

For years, malware authors and red-teamers (ethical hackers testing security) relied on this clever method to make files disappear without a trace. Here’s how it worked in older Windows versions (pre-24H2):

1. Open the file with DELETE access.

2. Rename the file’s data stream to make it harder to track.

3. Close and reopen the file to prepare for deletion.

4. Mark it for deletion using SetDispositionInformation.

5. Close the handle, and poof! The file vanishes completely.

This was perfect for malware that needed to execute and then erase itself before security tools could analyze it.

Why Windows 11 24H2 Broke It

Microsoft’s latest update tweaked how the NTFS file system (the tech behind Windows file storage) handles deletions. Instead of fully wiping files, 24H2 now moves the contents to a hidden alternate data stream.

So, while the file appears deleted, its data still lingers on the disk, defeating the whole purpose of self-deletion.

Researchers discovered this when their tools suddenly failed. After digging into the NTFS.sys driver, they found that Microsoft had modified the NtfsSetDispositionInfo function, adding new security checks that block the old method.

The New Workaround (Because Hackers Adapt Fast)

Of course, the cybersecurity world didn’t take long to find a fix. The new method involves:

Using FILE_DISPOSITION_POSIX_SEMANTICS (a flag that requests POSIX-style delete behaviour instead of the classic Windows semantics).

Combining it with FileDispositionInformationEx instead of the old method.

This tweak bypasses Microsoft’s new restrictions, allowing files to fully self-destruct again.

What This Means for Security

This change highlights the never-ending battle between OS security upgrades and evasion techniques. While Microsoft likely didn’t intend to break this specific trick, the update makes life slightly harder for malware, at least until hackers adjust.

For security teams, this means:

Old detection tools might need updates.

New forensic methods will be needed to catch stealthy malware.

Red teams (ethical hackers) must revise their training tools.

Final Thoughts: The Cybersecurity Arms Race Continues

Windows 11 24H2’s changes show how even small OS tweaks can disrupt well-established hacking techniques. But as history proves, where there’s a will (and a paycheck), there’s a way—malware authors will always find new tricks.

For now, though, Microsoft has scored a small win in the endless game of digital hide-and-seek.
