One Day Sec

What are Library Files (.library-ms) and how are they abused for backdoor persistence?

Library Files (`.library-ms`) are XML-based Windows files that aggregate content from multiple folders into a single view. Attackers modify them, e.g., `Documents.library-ms` at `%appdata%\Microsoft\Windows\Libraries`, by adding an XML element referencing a CLSID that points to a malicious DLL in the registry. When a user accesses the library (e.g., from the Start Menu or Explorer), the DLL loads. This method is similar to Junction Folders but requires an extra registry key (`ShellFolder\Attributes`). The article "Penetration Techniques - Backdoor Exploitation of Junction Folders and Library Files" explains the setup and how it can be triggered at startup.
Library Files, library-ms, persistence, CLSID, registry, DLL loading
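
A defender-side check for the modification described above, as an added example that is not from the original page or the article it cites: it parses `.library-ms` files and lists location URLs that reference a CLSID outside the `knownfolder:` scheme, so each reported CLSID can then be looked up in the registry. The element names, the `shell:::{CLSID}` form and the placeholder GUID in the sample are assumptions.

```python
import os, re
import xml.etree.ElementTree as ET
from pathlib import Path

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: one ordinary known-folder location and one location
# whose URL references a CLSID (placeholder GUID, shell::: form assumed).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>shell:::{11111111-2222-3333-4444-555555555555}</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

def suspicious_clsids(data):
    """Return (url, CLSID) pairs for <url> values that carry a GUID but do
    not use the knownfolder: scheme. Element namespaces are ignored."""
    findings = []
    for elem in ET.fromstring(data).iter():
        if elem.tag.rsplit("}", 1)[-1] != "url" or not elem.text:
            continue
        url = elem.text.strip()
        if url.lower().startswith("knownfolder:"):
            continue
        findings += [(url, g.upper()) for g in GUID_RE.findall(url)]
    return findings

def scan_libraries(folder):
    """Map each flagged .library-ms file name to its findings; a file that
    fails to parse maps to None so it is reviewed rather than skipped."""
    results = {}
    for path in sorted(Path(folder).glob("*.library-ms")):
        try:
            hits = suspicious_clsids(path.read_bytes())
        except ET.ParseError:
            hits = None
        if hits is None or hits:
            results[path.name] = hits
    return results

if __name__ == "__main__":
    libs = os.path.expandvars(r"%appdata%\Microsoft\Windows\Libraries")
    for name, hits in scan_libraries(libs).items():
        print(name, hits if hits is not None else "unparsable")
```

A hit is a lead, not a verdict: confirm it by checking which DLL the reported CLSID resolves to in the registry and whether the `ShellFolder\Attributes` key the page mentions is present under it.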
