A Hidden Door in Windows: How Attackers Can Blind Security Software to Malware
Researchers at Bitdefender have shown how a little-known Windows feature called bind links can be twisted to make malicious files invisible to the tools companies rely on to catch intrusions.

Key points
- Bitdefender researchers published findings in 2025 showing how Windows bind links can hide malware from endpoint detection software.
- Bind links are a legitimate Windows feature that can be abused to create two conflicting views of the same file system.
- Endpoint detection and response tools, the software security teams use to watch for malicious activity on computers, can be fooled into scanning the wrong location.
- No patch has been named; the technique exploits intended Windows functionality, not a traditional software flaw.
Your company's security software probably watches every folder on your computer. It logs what opens, what runs, and what changes. That watchfulness is the whole point. But researchers at Bitdefender have found a way to point those watchful eyes at the wrong place entirely.
The trick uses something called bind links. A bind link is a built-in Windows feature, completely legitimate, that lets one folder on a computer appear to exist at a different location at the same time. Think of it like a post-office redirect: mail sent to your old address quietly arrives at your new one. You see the new address. The post office sees the old one.
Attackers who know how to set up bind links can exploit that split view. They place malicious software, meaning programs designed to steal data or cause damage, in a location that the security tool is watching. Then they use a bind link to redirect where the file actually runs from. The security tool scans the decoy location, sees nothing harmful, and waves things through. The malware executes from the real location, unseen.
How worried should businesses be?
The short answer: attentive, not panicked. This technique requires the attacker to already have a foothold on the target machine. That is a meaningful bar. Getting through the door still requires the usual tricks: a phishing email that tricks a staff member into opening a malicious attachment, a stolen password, or an unpatched vulnerability in internet-facing software.
But once inside, bind link abuse gives an attacker a reliable way to stay hidden. That matters enormously. Most of the damage in serious breaches happens not at the moment of initial entry but in the days or weeks an attacker spends moving quietly through a network before anyone notices.
The broader problem, as SecurityWeek noted when covering the Bitdefender research, is that this is not a bug in Windows that Microsoft can simply patch. Bind links do exactly what they are supposed to do. That makes a clean fix complicated.
Security teams should pressure their endpoint detection vendors for specific guidance on whether their products are affected and what detection rules cover this class of abuse. Organisations should also treat initial-access prevention as their first priority: the bind link technique only matters if an attacker gets in at all.
For employees, the practical point is simple. Be suspicious of unexpected emails asking you to open files or click links. That is still how most attackers get their first foothold, and no amount of clever Windows trickery helps them if they never get through the front door.



