Phantom Code: Evading Windows 11 25H2 Through POSIX-Based Self-Deletion and Stealth Injection

Jakkaraju Varshith, Vivek Joshi

Nullcon Goa 2026 · Day 1

This talk, presented by Jakkaraju Varshith and Assistant Professor Vivek Joshi from Rashtriya Raksha University, examined the persistent challenge of achieving **complete, untraceable file deletion** on modern Windows operating systems. Specifically, the researchers aimed to address the limitations of prior stealth deletion techniques on Windows 11 25H2, a version that has patched older evasion methods. The core problem for attackers, and thus a critical area of research for defenders, is how to execute malicious code, perform actions, and then vanish completely from a compromised system, leaving no forensic traces.

AI review

This transcript is almost entirely problem setup and background on a pre-existing technique (the Lloyd Labs ADS + FileDispositionInfoEx method), with zero actual disclosure of the novel solution. Every interesting technical claim — what the undocumented API is, how WSL interactions are exploited, what the actual POSIX-based deletion primitive looks like — is deferred to 'the full presentation.' What's left is a well-written literature review that could have been a blog post.
