Sophisticated DKIM Replay Attack Exploits Google Infrastructure to Deliver Phishing
Cybersecurity researchers at EasyDMARC recently uncovered an advanced phishing technique that exploits Google’s email infrastructure through a method known as a DKIM replay attack, allowing malicious emails to appear fully authenticated and sent from no-reply@google[.]com. The attacker first creates a Google Workspace account and sends a Google-generated security alert—triggered by granting an OAuth app access to a controlled inbox—to their own “me@domain” address. This message, legitimately signed by Google’s DKIM system, is then forwarded to targeted victims, preserving its trusted authentication status. Because the DKIM signature validates only the signed headers and body, not the SMTP envelope, the replayed email passes verification checks and is grouped with real Google security alerts. The phishing email links to a fraudulent support portal hosted on sites.google.com, a legitimate Google subdomain; the page itself is crafted to resemble Google’s official login page. This approach significantly increases the chance of success, as the page appears trustworthy and avoids triggering typical browser or email security warnings. The attack is refined by using the “me@” email format, which makes the message appear personally addressed when it lands in the recipient’s inbox. The attacker abuses Google’s automated behavior by embedding the entire phishing lure in the OAuth app’s name, including the body of the fake subpoena message displayed in the security alert email. Extra white space is inserted to hide the real context and manipulate how the alert appears visually in the inbox. In addition to the spoofed sender address and trusted-domain hosting, the message includes links to other misleading artifacts, including xd.website, xd.url, and xd.link, adding redundancy in case the primary lure fails.
This level of abuse shows how threat actors leverage trusted cloud platforms not only to host malicious content but also to deliver phishing emails that pass authentication protocols, making detection and prevention significantly more difficult for users and security systems.
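The following is an added example, not code from EasyDMARC or from the original write-up. It implements the defender-side checks that follow from the paragraph above: DKIM signs the listed headers and the body but not the SMTP envelope, so a signature that is valid over a To: header that does not match the address the MTA actually delivered to, a signature with no expiry (x=) tag, and a signed Date: that is days older than arrival are all indicators that a legitimately signed message is being replayed. The header values, the one-day age threshold, and the domain names are constructed for the example.

```python
import re
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: signed mail older than a day that is only now arriving is worth a closer look.
REPLAY_MAX_AGE_SECONDS = 24 * 3600


def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into its tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def assess_dkim_replay(headers, envelope_rcpt, now_epoch):
    """Return a list of replay indicators for one message (an empty list means none found).

    headers: lower-cased RFC 5322 header names -> values
    envelope_rcpt: the RCPT TO address the receiving MTA actually delivered to
    now_epoch: arrival time as a Unix timestamp
    """
    sig = parse_dkim_signature(headers.get("dkim-signature", ""))
    if not sig:
        return ["no DKIM-Signature header present"]
    signed = {h.strip().lower() for h in sig.get("h", "").split(":") if h.strip()}
    reasons = []

    # DKIM covers the signed To: header, not the SMTP envelope, so a valid signature over
    # a To: that is not the address we delivered to is the core replay signal.
    signed_to = parseaddr(headers.get("to", ""))[1].lower()
    if "to" in signed and signed_to and signed_to != envelope_rcpt.lower():
        reasons.append(f"signed To <{signed_to}> differs from envelope recipient <{envelope_rcpt}>")

    # Without an expiry tag the signature stays valid for as long as the selector key is published.
    if "x" not in sig:
        reasons.append("signature carries no expiry (x=) tag")
    elif int(sig["x"]) < now_epoch:
        reasons.append("signature expiry (x=) has passed")

    # A signed Date: far in the past means an old but still-valid message is being redelivered.
    if "date" in signed and headers.get("date"):
        sent_epoch = parsedate_to_datetime(headers["date"]).timestamp()
        if now_epoch - sent_epoch > REPLAY_MAX_AGE_SECONDS:
            reasons.append(f"signed Date is {int((now_epoch - sent_epoch) // 3600)} hours old")
    return reasons


# Constructed sample: an alert signed for a "me@" address at the attacker's own domain,
# delivered three days later to a recipient the signature never covered.
REPLAYED_HEADERS = {
    "from": "Google <no-reply@google.com>",
    "to": "me@attacker-controlled.example",
    "subject": "Security alert",
    "date": "Tue, 14 Nov 2023 22:13:20 +0000",
    "dkim-signature": (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;\r\n"
        " h=from:to:subject:date; t=1700000000;\r\n"
        " bh=placeholderbodyhash=; b=placeholdersignature=="
    ),
}
ARRIVAL_EPOCH = 1700000000 + 3 * 24 * 3600

if __name__ == "__main__":
    for reason in assess_dkim_replay(REPLAYED_HEADERS, "victim@corp.example", ARRIVAL_EPOCH):
        print("replay indicator:", reason)
```

The envelope recipient is only known to the receiving MTA, so this check belongs in a milter or post-delivery pipeline that still has the RCPT TO value, not in a client-side rule. The x= and Date: checks are weaker on their own (forwarding and mailing lists delay mail legitimately) and are best used to raise the score rather than to block.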
WinDbg Preview Exploit Bypasses WDAC to Enable Remote Code Execution
Security researchers at CerberSec have revealed a new technique that allows attackers to bypass strict Windows Defender Application Control (WDAC) policies by leveraging WinDbg Preview, a legitimate debugging tool available through the Microsoft Store. This method, detailed in a report by CerberSec, exposes a significant oversight in many WDAC deployments: while legacy versions of WinDbg (windbg.exe) are commonly blocked, WinDbg Preview (WinDbgX.exe) is often excluded from custom or Microsoft-recommended blocklists. In tightly locked-down environments where unsigned executables and DLLs are normally restricted, this technique enables attackers to inject and execute shellcode entirely in memory without using flagged binaries or DLLs. The shellcode is encoded into a WinDbg script and loaded byte-by-byte into memory using the debugger’s scripting interface, then executed using standard Windows API calls such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Because WinDbg Preview is a trusted, signed Microsoft application, it is rarely scrutinized by endpoint protection systems or included in execution control policies. This gives attackers a reliable way to achieve remote code execution and process injection, even on systems configured with hardened security policies. Unlike traditional malware, this method does not rely on dropping files to disk or using common tools already under surveillance, making detection far more difficult. The exploit underscores the need for organizations to block WinDbg Preview explicitly through updated WDAC rules and to disable Microsoft Store access where it is not essential. Additionally, security teams should monitor for unusual usage patterns involving debugging tools and process manipulation techniques to detect potential abuse early. This incident highlights how overlooked administrative tools can become vectors for bypassing robust controls when not proactively managed.
Billbug Hackers Deploy New Malware and Credential Tools in Southeast Asia Espionage Campaign
Billbug, also known as Lotus Blossom, is a suspected Chinese state-sponsored threat actor active since at least 2014 and is known for targeting government and defense-related entities across Asia. In its latest campaign, the group has focused on compromising critical organizations across Southeast Asia's aviation, telecommunications, government, media, and construction sectors. The activity was uncovered by Symantec researchers, who observed a range of new tools and advanced techniques used to infiltrate and persist within highly sensitive environments. Central to the campaign was an updated version of the Sagerunex backdoor, which established persistence by modifying registry settings to run as a service, giving attackers flexible remote control for command execution and data theft. A reverse SSH tool was also deployed, enabling stealthy outbound connections on port 22 to maintain long-term access to compromised systems without triggering alarms. The group also used advanced credential harvesting tools, including multiple variants of ChromeKatz and CredentialKatz, designed to extract browser credentials and session cookies from Chrome to further their access within targeted environments. To bypass endpoint defenses, Billbug relied on DLL sideloading, abusing trusted binaries like Trend Micro’s tmdbglog.exe and Bitdefender’s bds.exe to load malicious DLLs (tmdglog.dll, log.dll) that executed encrypted payloads hidden in local directories. These sideloaded components blended with legitimate processes, reducing detection risk and enabling deeper system compromise. The campaign impacted many victims, including an air traffic control agency, a telecom operator, a news outlet, and a government ministry. Symantec has issued updated guidance and IOCs to help organizations detect and defend against this threat. 
Security teams should prioritize reviewing execution policies, monitoring for abnormal application behavior, and blocking known Billbug infrastructure to prevent further compromise.
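As an added example (not Symantec's code or tooling), the detection below scores image-load telemetry for the sideloading pattern described above: a signed vendor binary named in the report (tmdbglog.exe, bds.exe) running from somewhere other than its product's install root, or loading an unsigned DLL. The event records use Sysmon Event ID 7 style field names and are constructed for the example; the watchlist and the set of trusted install roots are assumptions to adapt to your estate.

```python
from pathlib import PureWindowsPath

# Vendor binaries the report names as sideloading hosts (assumption: extend with your own list).
KNOWN_SIDELOAD_HOSTS = {"tmdbglog.exe", "bds.exe"}
# Assumption: legitimately installed security products live under one of these roots.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def assess_image_load(event):
    """Score one image-load record.

    Returns None when the host process is not on the watchlist, otherwise a list of reasons
    (an empty list means the load looked normal).
    """
    proc = PureWindowsPath(event["process_image"])
    dll = PureWindowsPath(event["image_loaded"])
    if proc.name.lower() not in KNOWN_SIDELOAD_HOSTS:
        return None
    reasons = []
    # A copied vendor binary is typically staged in a user-writable directory, not its install root.
    if not str(proc).lower().startswith(TRUSTED_ROOTS):
        reasons.append(f"{proc.name} running from {proc.parent}, outside a trusted install root")
    # The sideloaded DLL carries the expected file name but no valid vendor signature.
    if dll.suffix.lower() == ".dll" and not event.get("image_signed", False):
        reasons.append(f"unsigned {dll.name} loaded by signed vendor binary {proc.name}")
    return reasons


def scan_image_loads(events):
    """Return (process_image, reasons) for every watchlisted load that produced at least one reason."""
    hits = []
    for event in events:
        reasons = assess_image_load(event)
        if reasons:
            hits.append((event["process_image"], reasons))
    return hits


# Constructed sample telemetry: one staged sideload, one in-place vendor load, one unrelated process.
SAMPLE_EVENTS = [
    {"process_image": r"C:\Users\Public\Libraries\tmdbglog.exe",
     "image_loaded": r"C:\Users\Public\Libraries\tmdglog.dll", "image_signed": False},
    {"process_image": r"C:\Program Files\Vendor\tmdbglog.exe",
     "image_loaded": r"C:\Windows\System32\ntdll.dll", "image_signed": True},
    {"process_image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": r"C:\Windows\System32\ntdll.dll", "image_signed": True},
]

if __name__ == "__main__":
    for image, reasons in scan_image_loads(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Pair this with the other indicators in the story: a new service pointing at the staged binary, and outbound connections on port 22 from a host that has no business running an SSH client.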
New Command-Line Obfuscation Technique Bypasses AV and EDR Detection
Researchers behind the ArgFuscator project have disclosed a powerful new evasion technique that allows attackers to bypass Antivirus (AV) and Endpoint Detection and Response (EDR) systems by manipulating how command-line arguments are parsed and analyzed. The method, detailed through the open-source tool ArgFuscator, focuses on command-line obfuscation—a technique that alters the syntax of legitimate commands without changing their behavior. The publicly available proof of concept demonstrates over 70 command-line obfuscation techniques and is actively maintained to help security teams test and improve detection capabilities. Unlike traditional shell-based methods, this approach exploits parsing inconsistencies in the executables themselves, making the obfuscation environment-independent. These techniques have been successfully used against widely trusted system tools, including taskkill, reg, and curl, enabling threat actors to execute malicious operations while evading behavioral detection mechanisms that rely on standard argument patterns. Tests conducted across 70 Windows executables showed that all were susceptible to varying levels of argument manipulation. Obfuscation strategies documented by ArgFuscator include character substitution (e.g., replacing “export” with “eˣport”), unconventional path formatting, extra quoting, and even numeric value distortion. These alterations confuse AV/EDR engines without affecting execution, enabling “malwareless” attacks where threat actors avoid dropping files altogether. As defenders increasingly depend on behavioral signals for detection, this tactic presents a critical blind spot in command-line monitoring. Security professionals are advised to normalize command-line inputs before analysis, monitor for unexpected use of Unicode or excessive quoting, and correlate command activity with broader telemetry, including network behavior and process context.
This research underscores a growing threat trend: highly adaptive attackers misusing trusted tools to blend into legitimate activity, forcing defenders to refine detection beyond conventional signature- or argument-based approaches.
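The advice to normalize command lines before matching them, and to watch for unexpected Unicode and excessive quoting, is easy to get wrong in detail. The code below is an added example (not part of ArgFuscator or the original research) showing one normalization pass that folds the three obfuscations the story names (superscript character substitution, stray quoting, and doubled path separators) back to a canonical form, plus the cheap indicators that are worth alerting on in their own right. The sample command lines are constructed.

```python
import re
import unicodedata


def normalize_command_line(cmd):
    """Fold the obfuscations named in the report back to a canonical form for signature matching."""
    # NFKC maps compatibility characters (superscripts, full-width letters) to their ASCII base,
    # so "eˣport" becomes "export".
    text = unicodedata.normalize("NFKC", cmd)
    # Double quotes that merely split a token ("task"kill") do not change what runs.
    text = text.replace('"', "")
    # Unconventional path formatting: doubled backslashes collapse to one.
    text = re.sub(r"\\{2,}", r"\\", text)
    # Whitespace runs and letter case carry no meaning for the tools in question.
    text = re.sub(r"\s+", " ", text).strip()
    return text.lower()


def obfuscation_indicators(cmd):
    """Signals to surface before (or alongside) matching the normalized form."""
    baseline = re.sub(r"\s+", " ", cmd.strip()).lower()
    return {
        "non_ascii_chars": sum(1 for ch in cmd if ord(ch) > 127),
        "quote_chars": cmd.count('"'),
        "changed_by_normalization": normalize_command_line(cmd) != baseline,
    }


# Constructed samples: two obfuscated invocations of tools the report names and one benign one.
SAMPLES = [
    'task"kill" /F  /IM "notepad.exe"',
    "reg eˣport HKLM\\\\SOFTWARE\\Demo  demo.reg",
    "curl.exe https://example.com/",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(repr(cmd))
        print("  normalized:", normalize_command_line(cmd))
        print("  indicators:", obfuscation_indicators(cmd))
```

Run the normalized string, not the raw one, through whatever command-line signatures you already have; the indicator counts are a separate, lower-confidence signal that should be correlated with process ancestry and network telemetry rather than alerted on alone, since legitimate scripts also quote paths.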