How can an attacker use Windows Junction Folders to establish persistence on a system?
An attacker can create a Junction Folder whose name carries a CLSID suffix (e.g., `test.{1111...}`) and add a registry entry under `HKEY_CURRENT_USER\Software\Classes\CLSID\{CLSID}\InProcServer32` pointing to a malicious DLL. When the folder is opened (e.g., via Explorer), the DLL is loaded. For automatic startup at user logon, the folder can be placed in the Start Menu or its subdirectories. This technique, detailed in the article "Penetration Techniques - Backdoor Exploitation of Junction Folders and Library Files", requires only user privileges and relies on registry and folder manipulation.
Junction Folders, CLSID, registry, persistence, DLL loading