A SANS ISC diary post explains how certain malware still persists at boot time through the Run registry key, with the example showing a file saved under %APPDATA% and a command that copies the running script to the Windows Templates folder as dwm[.]cmd. The attacker's script then runs a PowerShell one-liner to remove the :Zone[.]Identifier alternate data stream from the copied file, a step intended to make the downloaded file appear less suspicious during DFIR investigations.
The article notes that the :Zone[.]Identifier ADS records the file's source (1 = My Computer, 2 = Local intranet, 3 = Trusted sites, 4 = Internet, 5 = Restricted sites), and reports an observation in a Windows 10 lab where the ADS survived a copy operation. It also mentions that, after these steps, the attacker drops a DonutLoader on the victim's computer. The diary, by Xavier Mertens, was published on 1 April 2026.
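As an added example that is not part of the diary or of Xavier Mertens's code, the script below shows the two checks a responder would want from the summary above: it parses the INI-style content of a :Zone.Identifier stream into its zone and origin URLs, and it scans PowerShell script-block text for commands that strip that stream, while deliberately not matching commands that merely read it. The ZoneId mapping uses the numbering Windows actually writes to the stream, 0 for My Computer through 4 for Restricted sites, which is offset by one from the list above. NTFS preserves alternate data streams when a file is copied within a volume, which is why the script in the diary has to remove the stream explicitly and why the stream's presence on a copy is expected. The stream content, script-block lines, paths and example.invalid URLs are all constructed sample data.

```python
# Added example (not from the ISC diary): parse a file's :Zone.Identifier stream
# and flag PowerShell activity that strips it. All sample data is constructed.
import re
from dataclasses import dataclass
from typing import Optional

# ZoneId values as Windows writes them (0-4, Microsoft's URL security zones).
ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")

    @property
    def from_internet(self) -> bool:
        # Zones 3 (Internet) and 4 (Restricted sites) are what the mark-of-the-web
        # checks act on; anything lower is treated as local.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[ZoneIdentifier]:
    """Parse the INI-style content of a :Zone.Identifier stream.

    Returns None when the text carries no usable ZoneId, i.e. when a forensic
    tool should treat the file as having no recorded origin.
    """
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields or not fields["zoneid"].isdigit():
        return None
    return ZoneIdentifier(int(fields["zoneid"]),
                          fields.get("referrerurl"), fields.get("hosturl"))


# Rules for PowerShell script-block text (Event ID 4104) that removes the stream.
# Reading the stream (Get-Item/Get-Content -Stream) is intentionally not matched.
ADS_STRIP_RULES = [
    ("unblock-file", re.compile(r"\bUnblock-File\b", re.IGNORECASE)),
    ("remove-stream", re.compile(
        r"\b(?:Remove-Item|Clear-Content|ri|rm|del|erase)\b.*?-Stream\s*['\"]?Zone\.Identifier",
        re.IGNORECASE)),
]


def find_ads_stripping(script_blocks):
    """Return (index, rule name) for every script block that strips the ADS."""
    hits = []
    for i, block in enumerate(script_blocks):
        for name, rx in ADS_STRIP_RULES:
            if rx.search(block):
                hits.append((i, name))
    return hits


# Constructed sample: the stream of a freshly downloaded file.
SAMPLE_ADS = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/stage.cmd\r\n"
)

# Constructed script-block log lines; paths and file names are placeholders.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem $env:APPDATA -Recurse -Filter *.cmd",
    'Unblock-File -Path "$env:APPDATA\\Microsoft\\Windows\\Templates\\dwm.cmd"',
    "Remove-Item -Path 'C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\dwm.cmd' -Stream Zone.Identifier",
    "Get-Item -Path .\\report.pdf -Stream Zone.Identifier",
]

if __name__ == "__main__":
    z = parse_zone_identifier(SAMPLE_ADS)
    print(f"ZoneId={z.zone_id} ({z.zone_name}), host={z.host_url}")
    for idx, rule in find_ads_stripping(SAMPLE_SCRIPT_BLOCKS):
        print(f"script block {idx}: {rule}: {SAMPLE_SCRIPT_BLOCKS[idx]}")
```

On a live host the stream text comes from `Get-Content -Path <file> -Stream Zone.Identifier`, and the script-block lines from the PowerShell Operational log; the parser tolerates the CRLF line endings and extra keys (ReferrerUrl, HostUrl) that the stream usually contains, and the absence of a stream on a file sitting in the Templates folder next to a Run key entry is the finding the diary points at.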