Malicious Script That Gets Rid of ADS, (Wed, Apr 1st)

ID: 1a6b0bb2-e429-5cb6-b3b7-a2d4932f783c

STIX ID: report--1a6b0bb2-e429-5cb6-b3b7-a2d4932f783c

Feed Name: SANS ISC Diary

Threat Score
60/100

Date Published: 2026-04-01

Date Updated: 2026-04-19

This short technical note describes how an attacker establishes persistence by copying a script into %APPDATA% and creating a Run registry entry, then uses PowerShell to remove the :Zone.Identifier alternate data stream so that the file looks less suspicious to DFIR tools; the script later invokes a DonutLoader payload. The write-up highlights this anti-forensics step (ADS removal), which can hinder detection and investigation of file-based malware even when the malware is claimed to be "fileless."