RPC Archives

Winsage

June 25, 2026

Introduction to COM usage by Windows threats

Component Object Model (COM) is a technology in Windows that enables object activation, inter-process communication, and automation across different programming languages. Malware exploits COM interfaces for activities such as lateral movement, execution, downloading, exfiltration, persistence, evasion, system discovery, and automation of Windows and Office functionalities. Reverse engineering COM-heavy binaries involves navigating GUIDs and indirect vtable calls to understand malware mechanics. Research at the AVAR 2025 conference and CARO 2026 workshop discusses methodologies for analyzing COM binaries and case studies of malware families that utilize COM. COM is an application binary interface (ABI) model that allows software components to be reused and enables interaction between different programming languages through interfaces defined at the binary level. Distributed COM (DCOM) allows clients to activate COM objects on remote systems. COM classes are identified by unique class identifiers (CLSIDs), and interfaces by interface identifiers (IIDs). The Windows registry stores COM registration data, with classes and interfaces located under specific keys. Malware often acts as a COM client, utilizing the COM runtime to instantiate classes and request interfaces. ProgIDs provide human-readable registry entries for COM classes. The CoCreateInstance function helps create class objects by resolving CLSID registrations. All COM interfaces derive from IUnknown, which manages object lifetimes and interface querying. COM has its own security model, and identifying classes and interfaces used by malware is crucial for threat researchers. Tools like ComView and OleView.NET assist in inspecting COM registrations. The analysis workflow includes identifying activation API calls, extracting CLSID and IID values, consulting registry definitions, and mapping vtable calls. Qakbot, a banking trojan, exemplifies the use of COM in malware, with its architecture enabling malicious activities like credential theft. Dynamic analysis tools can log COM-related calls in real-time to trace execution flow. Notable malware families that utilize COM include Gh0stRAT, which uses Task Scheduler COM interfaces, and the Attor platform, which employs BITS for file transfers. WarmCookie demonstrates the use of COM for persistence through Task Scheduler. Understanding COM's role in malware is essential for cybersecurity professionals.

Tech Optimizer

June 6, 2026

Azure HorizonDB Enters Public Preview: Web IQ Already Powers Copilot and ChatGPT

Microsoft announced the public preview of Azure HorizonDB, a fully managed PostgreSQL-compatible database designed for agentic AI workloads, during Microsoft Build 2026 in San Francisco. HorizonDB features a "database-as-logs" architecture, allowing for sub-millisecond multi-zone commit latency and independent scaling of compute and storage. It incorporates a Rust-based storage engine, native DiskANN vector search, and in-database AI model invocation. Additionally, Microsoft launched Web IQ, a web-grounding API layer integrated into Microsoft Copilot and OpenAI's ChatGPT, which provides passage-level structured evidence objects rather than full documents. Web IQ is model-agnostic and aims to enhance information density and reduce costs. Both services are currently in limited availability, with HorizonDB open for preview signups across five Azure regions.

Winsage

June 1, 2026

Critical Windows Netlogon RCE flaw now exploited in attacks

The Centre for Cybersecurity Belgium (CCB) has warned about the exploitation of a critical vulnerability in Windows Netlogon, identified as CVE-2026-41089, which allows remote code execution on domain controllers without prior access or authentication. This vulnerability, characterized as a stack-based buffer overflow, was patched by Microsoft during the May 2026 Patch Tuesday. The CCB emphasized the urgency of patching vulnerable servers, noting that the vulnerability is actively being exploited. The CVSS score for this vulnerability is 9.8. Further details on the ongoing attacks have not been disclosed, and Microsoft has not updated its advisory on the vulnerability.

Winsage

May 28, 2026

Windows Server 2016 Update: Disastrous Bug Breaks AD

Microsoft released a mandatory patch (KB5087537) for Windows Server 2016 to enhance cryptographic layers and address critical vulnerabilities. This update is essential for organizations using legacy workloads, as mainstream support ended in January 2022, but extended support continues until January 12, 2027. The patch aims to prepare systems for the expiration of Windows Secure Boot certificates in June 2026, which, if not updated, could compromise security and expose systems to malware. The update uses a phased deployment model and includes a new SecureBoot folder to assist IT professionals in managing certificate status. It also addresses various quality-of-life issues, including bugs affecting Remote Desktop Connection and authentication errors with Microsoft services. However, a significant issue arises when the host server name is exactly 15 characters long, causing failures in the domain controller discovery process and obstructing critical operations. This bug is linked to the historical 15-character limit of NetBIOS, which affects the Active Directory lookup mechanism. Microsoft has acknowledged the issue but has not provided a timeline for a fix, leaving administrators to either rename servers or uninstall the update. As the Secure Boot deadline approaches, IT departments must carefully assess their environments to avoid disruptions while ensuring security compliance.

AppWizard

April 29, 2026

Minecraft 26.2 Snapshot 5

The 26.2 Snapshot 5 introduces several new features, including an explosive archetype for the Sulfur Cube and the addition of erupting Geysers formed by Potent Sulfur. The new Sulfur Cube archetype, called Explosive, shares properties with the Regular archetype but has higher air drag and can absorb TNT blocks. When primed, absorbed TNT has a fuse time of 6 seconds when ignited by fire or Redstone, and a randomized fuse time between 0.75 and 3 seconds when primed by an explosion. Sulfur Cubes with absorbed TNT cannot be picked up or damaged, and no Small Sulfur Cubes will spawn upon explosion. Potent Sulfur creates Geysers when placed above a Magma block and under water, sending water particles skyward at random intervals. Various adjustments have been made to mob hitboxes, and Hoglins are now classified as hostile and will not spawn on Peaceful difficulty. New sounds for Geyser eruptions have been added, and Touchscreen Mode has been removed. The Data Pack version is now 104.0, and the Resource Pack version is 86.2. New particles related to Geysers have been introduced, and several bugs have been fixed in this update.

Winsage

April 28, 2026

‘Unlimited Attack Vectors’—All Windows Versions At Risk From New Flaw

Microsoft is facing a significant security vulnerability in its Windows operating system known as PhantomRPC, which allows for privilege escalation. Cybersecurity experts have expressed concern over the company's delayed response in issuing a patch for this flaw. The vulnerability resides within the Windows Remote Procedure Call (RPC) architecture and enables processes with impersonation privileges to elevate their permissions to SYSTEM level. Researcher Haidar Kabibo identified five distinct paths for exploitation, which require user interaction, coercion, or compromise of background services. Despite disclosing the vulnerability to Microsoft in September 2025, the company categorized it as moderately severe and did not issue a patch or a Common Vulnerabilities and Exposures (CVE) listing. Microsoft stated that the technique requires an already-compromised machine and emphasized the importance of following security best practices. Experts have criticized Microsoft's lack of action, arguing that it is operationally negligent and places the burden of risk management on users. In the absence of a patch, security professionals recommend focusing on access control and environmental hygiene to mitigate the risks associated with the vulnerability.

Winsage

April 25, 2026

New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

PhantomRPC is a significant architectural vulnerability in the Windows Remote Procedure Call (RPC) framework that allows local privilege escalation to SYSTEM-level access across all Windows versions. Discovered by Kaspersky's Haidar Kabibo at Black Hat Asia 2026, this vulnerability stems from the RPC runtime's failure to verify the legitimacy of a responding server during calls to offline or disabled servers. Attackers can exploit this by setting up a malicious RPC server that impersonates a legitimate endpoint, using the RpcImpersonateClient API to escalate privileges from low-privileged accounts to SYSTEM or Administrator levels. Five distinct exploitation paths have been identified: 1. gpupdate.exe coercion: An attacker can intercept an RPC call made by the Group Policy Client service when executing gpupdate /force, granting SYSTEM-level access if TermService is disabled. 2. Microsoft Edge startup: Launching msedge.exe triggers an RPC call to TermService, allowing privilege escalation from Network Service to Administrator via a spoofed endpoint. 3. WDI background service: The Diagnostic System Host polls TermService regularly, enabling an attacker to exploit this without user interaction. 4. ipconfig.exe and DHCP Client: Running ipconfig.exe initiates an RPC call to the DHCP Client service, allowing a Local Service attacker to elevate privileges if DHCP is disabled and a fake server is present. 5. w32tm.exe and Windows Time: An attacker can expose a named pipe endpoint, allowing them to impersonate any privileged user executing the Windows Time executable. The vulnerability was reported to Microsoft on September 19, 2025, but Microsoft categorized it as moderate severity and closed the case without a patch, as the attack requires SeImpersonatePrivilege, which is granted by default to certain accounts. Organizations are advised to implement defensive measures such as enabling RPC monitoring, ensuring legitimate services are running, and restricting SeImpersonatePrivilege. Kaspersky has provided tools for auditing environments for exploitable RPC call patterns through the PhantomRPC GitHub repository.