Windows EPM Poisoning Flaw Enables Privilege Escalation via RPC Spoofing
A recently patched flaw in Microsoft’s Windows Remote Procedure Call (RPC) Endpoint Mapper (EPM) allowed attackers to impersonate legitimate system services and escalate privileges within a domain. The issue, tracked as CVE-2025-49760, stemmed from EPM’s failure to verify the identity of registered interfaces. This made it possible for an unprivileged user to register a built-in RPC interface before the real service started—something easily achievable during system boot or when services were configured for manual or delayed start. By hijacking an unused interface, the attacker could intercept RPC connections from privileged processes and coerce them into authenticating to a malicious server, leaking NTLM hashes in the process. These hashes could then be relayed to Active Directory Certificate Services (AD CS) to perform an ESC8 attack, request a Kerberos ticket, and gain domain-level privileges. Researchers at SafeBreach utilized a proof-of-concept tool called RPC-Racer to demonstrate how even Protected Process Light (PPL) services, designed to prevent tampering, could be manipulated to authenticate to attacker-controlled endpoints. The exploit chain could be launched with a simple scheduled task that registers the rogue interface, followed by triggering a high-privilege service to connect to it. Once the authentication attempt was captured, the attacker could pivot to full domain compromise, including dumping credentials from the domain controller. Beyond privilege escalation, the same EPM poisoning method could be adapted for adversary-in-the-middle attacks by forwarding requests to the real service, or for denial-of-service by registering multiple interfaces and blocking legitimate connections. Microsoft addressed the flaw in its July 2025 security updates; however, the attack exposed fundamental weaknesses in EPM’s design, which allows clients to trust data from unverified sources. 
Organizations should apply the latest patches immediately, monitor for suspicious RpcEpRegister activity using Event Tracing for Windows (ETW), avoid unnecessary manual or delayed service startups, and harden authentication flows to prevent NTLM relay attempts. These steps can significantly reduce the risk of similar RPC endpoint spoofing attacks in the future.
Win-DDoS Technique Turns Public Domain Controllers into Untraceable DDoS Botnet
SafeBreach researchers have detailed a new attack method, dubbed Win-DDoS, that exploits the LDAP referral process in Windows Domain Controllers (DCs) to transform them into high-bandwidth DDoS amplifiers without requiring the compromise of a single device. By sending a crafted RPC request to a DC, the attacker can force it to act as a CLDAP client, which then connects to the attacker’s server. This server responds with an LDAP referral containing a long list of URLs, all pointing back to the same victim system. The DCs repeatedly attempt to connect to these URLs in sequence, overwhelming the target with persistent TCP connections. Because the DCs are legitimate systems spread worldwide, the attack can be executed at a massive scale, making it difficult to trace back to the attacker. The process requires no credentials, no malware deployment, and no dedicated infrastructure, effectively weaponizing publicly accessible DCs into a stealth botnet. The impact of Win-DDoS is amplified by its efficiency and invisibility—domain controllers are critical infrastructure for authentication and service management, and many are exposed to the internet. SafeBreach demonstrated that tens of thousands of public DCs could be abused simultaneously, generating substantial attack traffic without leaving conventional forensic evidence. The flaw lies in the absence of referral size limits and the trust DCs place in provided LDAP referrals, which attackers can redirect toward any IP and port. Combined with the TorpeDoS technique, which accelerates RPC call rates to create DDoS-level disruption from a single system, Win-DDoS shows how existing Windows networking behavior can be turned against itself. Organizations should immediately audit and restrict LDAP and RPC access on DCs, remove public exposure wherever possible, monitor for abnormal LDAP referral patterns, and apply network-level filtering to prevent malicious referral loops from reaching internal or external assets.
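As an added defensive illustration (not SafeBreach's tooling or code from the article), the check below scores the URL list carried in a single LDAP referral response for the pattern described above: many referrals, all to one host, on a port that is not a directory service port. The thresholds, the port set and the sample referral lists are constructed assumptions for the example.

```python
"""Heuristics for spotting Win-DDoS-style LDAP referral abuse (constructed example)."""
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Ports a legitimate Active Directory referral would normally point at (assumption).
DIRECTORY_PORTS = {389, 636, 3268, 3269}

def parse_referral(url: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) for an ldap:// or ldaps:// referral URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        return None
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.hostname.lower(), port

def analyze_referrals(urls: List[str], max_per_target: int = 3,
                      max_total: int = 10) -> List[str]:
    """Return findings for one referral response; an empty list means it looked normal."""
    findings = []
    targets = Counter()
    for url in urls:
        target = parse_referral(url)
        if target is None:
            findings.append(f"unparseable or non-LDAP referral: {url}")
        else:
            targets[target] += 1
    if len(urls) > max_total:
        findings.append(f"oversized referral list: {len(urls)} URLs")
    for (host, port), count in targets.items():
        if port not in DIRECTORY_PORTS:
            findings.append(f"referral to non-directory port {host}:{port}")
        if count > max_per_target:
            findings.append(f"{count} referrals to the same target {host}:{port}")
    return findings

# Constructed: a referral list that points the DC at one victim's SMB port 50 times.
SUSPICIOUS = ["ldap://203.0.113.10:445/dc=example,dc=test"] * 50
# Constructed: a normal referral to two partner DCs on the standard port.
BENIGN = ["ldap://dc1.example.test/dc=example,dc=test",
          "ldap://dc2.example.test:389/dc=example,dc=test"]

if __name__ == "__main__":
    for finding in analyze_referrals(SUSPICIOUS):
        print(finding)
```

The same function can be fed referral lists pulled from LDAP client traces on the DC to surface the abnormal referral patterns the paragraph recommends monitoring for.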
RomCom Exploits WinRAR Zero-Day CVE-2025-8088 to Deploy Malware in Targeted Attacks
Researchers have confirmed that the Russian state-linked RomCom group exploited a previously unknown WinRAR path traversal flaw (CVE-2025-8088) in zero-day attacks, delivering multiple custom malware payloads. The vulnerability, discovered by ESET on July 18, 2025, allowed crafted RAR archives to bypass normal extraction paths using alternate data streams (ADS), placing malicious DLLs, executables, and shortcuts into sensitive directories. While many ADS entries pointed to invalid locations and produced only benign-looking error messages, the malicious payloads were concealed deeper in the archive, enabling stealthy delivery. Once the archive was opened by the victim, executables were dropped into the %TEMP% or %LOCALAPPDATA% folder, while LNK files were placed in the Windows Startup folder to ensure persistence. The attacks delivered three known RomCom malware strains—Mythic Agent for C2 control, SnipBot for document-driven targeting, and MeltingClaw for modular payload execution—each with a unique infection chain and conditional execution logic. RomCom’s use of WinRAR zero-days reflects its broader track record of leveraging high-impact, previously undisclosed vulnerabilities to gain footholds in targeted environments. In this campaign, the malware chains incorporated COM hijacking, modified signed binaries, and document-count triggers to evade detection and tailor attacks to specific victims. The choice of WinRAR as a delivery vector is strategic: its widespread use, lack of auto-update, and extensive feature set make it an attractive target for threat actors. Since exploitation required only that a victim open a malicious archive, no additional interaction or elevated privileges were necessary, allowing attackers to bypass traditional security controls. Organizations should update to WinRAR 7.13 or later immediately, implement attachment sandboxing for archive files, and restrict execution from the %TEMP% and %LOCALAPPDATA% directories.
Proactive monitoring for unusual startup entries and ADS file writes can help detect similar attacks before persistence is established.
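The following is an added example, not ESET's research code or anything from WinRAR: a gateway-side screen that inspects archive entry names before extraction and flags the three properties the attack relies on (ADS `name:stream` syntax, `..` traversal, and a destination under the Startup folder). The entry names are constructed to resemble the described behaviour and are not real samples; the heuristics assume the archive tool exposes raw entry names and that only a single-letter drive spec legitimately contains a colon.

```python
"""Screen archive entry names for traversal and ADS tricks before extraction (constructed example)."""
import re
from typing import Dict, List

DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")   # C:\ or C:/ is a drive spec, not a stream
SEP_RE = re.compile(r"[\\/]")
STARTUP_MARK = "\\start menu\\programs\\startup\\"

def classify_entry(name: str) -> List[str]:
    """Return the reasons an entry name should be blocked; [] means it looks ordinary."""
    reasons = []
    stream = ""
    if ":" in name and not DRIVE_RE.match(name):
        # file.ext:stream is NTFS alternate-data-stream syntax; the stream part may hold a path
        name, _, stream = name.partition(":")
        reasons.append("alternate data stream in entry name")
    if DRIVE_RE.match(name) or name.startswith(("\\", "/")):
        reasons.append("absolute path")
    if any(".." in SEP_RE.split(part) for part in (name, stream) if part):
        reasons.append("parent-directory traversal")
    if STARTUP_MARK in (name + stream).lower().replace("/", "\\"):
        reasons.append("targets the Startup folder")
    return reasons

def screen_archive(entries: List[str]) -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    return {e: classify_entry(e) for e in entries if classify_entry(e)}

# Constructed entry names modelled on the behaviour described above; not real samples.
ENTRIES = [
    "report.pdf",
    "images/cover.png",
    r"..\..\Users\victim\AppData\Local\updater.exe",
    r"report.pdf:..\..\Users\victim\AppData\Roaming\Microsoft\Windows"
    r"\Start Menu\Programs\Startup\open.lnk",
    r"C:\Windows\Temp\loader.dll",
]

if __name__ == "__main__":
    for entry, reasons in screen_archive(ENTRIES).items():
        print(entry, "->", ", ".join(reasons))
```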