Archive for July 1, 2026

Harness Launches Autonomous Worker Agents for Software Delivery

Posted in Commentary with tags on July 1, 2026 by itnerd

Harness, the AI Software Delivery Platform company, today launched Autonomous Worker Agents for software delivery: the platform for enterprises to build and safely run AI agents that handle the work between writing code and shipping it to production. 

Software delivery has moved through phases. First, people did the work by hand. Then they wrote scripts for individual jobs like deployment. Most recently, they connected those jobs into automated pipelines that follow fixed instructions, which is what Harness has run for large enterprises for years. Worker Agents are the next phase. Every step in the pipeline can now run as a reasoning agent rather than a fixed script, with the context, governance, sandboxing, and audit trails that enterprises need to trust agents in production.

Dozens of Harness Managed Agents are available today, and any team can customize them or build their own. A new Harness Agent Marketplace makes it easy to find, use, and share them.

The controls that keep agents safe in production 

Autonomous Worker Agents run on infrastructure that the customer controls. Code and data never leave the customer’s network, and agents are governed by the same controls enterprises already use for human deployments.

These controls make Autonomous Worker Agents safe to run in production:

  • Sandboxing: Agents run in isolated containers with restricted file and network access. An agent that produces a malicious command has nowhere to send data.
  • Scoped credentials: Each agent has its own identity and the specific set of permissions assigned to it, the same way an employee does. An agent can only take the actions those permissions allow, no matter who triggers it or what its prompt says.
  • Policy enforcement: The same policies that gate human deployments gate agents. A policy can keep agents off non-approved models or out of production pipelines.
  • Audit trails: Every agent action is recorded under a distinct AI identity, with full provenance: what triggered the agent, what it did, and the outcome.
  • Cost tracking: Token spend is surfaced per agent, per pipeline, with budget caps that stop an agent when it hits its limit.
  • Chaining: Agents compose into multi-step workflows, passing output from one to the next.

Easy to build, governed by your policies

Building an Autonomous Worker Agent uses the same agent-file format that has become standard across the industry. Save it to a single file, commit it to your repository, and the agent is live, governed, and available across your organization. Teams that would rather not write the file can use Harness AI to generate the agent for them. Either way, the agent runs as a governed pipeline step with the same controls, audit trail, and policy enforcement as everything else.

Once it runs, the agent has your organization’s full context. It reasons using the Harness Software Delivery Knowledge Graph, a connected map of your services, pipelines, deployments, infrastructure, incidents, and security findings. An agent assessing a vulnerability knows which services are affected and who owns them. A deployment agent knows which services depend on the one being deployed. The result is a response built for your specific environment, not a generic fix that only looks right.

Agents also meet you where you work. Through the Harness MCP Server, a developer in Cursor, Claude Code, or another tool can assign a task to a Worker Agent and have it run in Harness, with the result returned to wherever it was triggered. Wherever an agent runs, it runs under your organization’s policies, governed the same way as every other step in your pipeline.

Harness-built agents, ready to use today

Harness has pre-built Autonomous Worker Agents that handle the repetitive, time-consuming work that slows teams down across the delivery lifecycle. Here are a few of the agents available today, with more added regularly:

  • Autofix reads build logs, identifies the root cause of a build failure, commits a fix to the PR branch, and re-triggers builds until it passes.
  • Code Review reviews PR diffs for code quality, security issues, and test coverage.
  • Code Coverage identifies untested lines and generates tests to close coverage gaps.
  • Feature Flag Cleanup detects stale flags and validates safe removal.
  • Manifest Remediator analyzes failed Kubernetes deployments and fixes manifest issues.
  • IaCM Remediation fixes configuration drift, security findings, and cloud cost issues by editing infrastructure configurations.

The Harness Agent Marketplace

The Harness Agent Marketplace is a shared catalog where Worker Agents are published and reused across an organization and the broader Harness community. Teams can adopt an existing agent rather than build their own, and contribute the agents they build back to the catalog.

It has three tiers:

  • Harness Managed: Built, maintained, and SLA-backed by Harness.
  • Harness Certified: Built by partners, reviewed and certified by the Harness engineering and security teams.
  • Community: Published by the broader Harness community. Organizations can use out-of-the-box policies to control which community agents run in production.

Every agent in the Marketplace can be forked. A team can clone an existing agent and adjust the prompt, tools, or triggers to fit their environment. The agent one team builds to solve a problem becomes the starting point for the next team that hits the same roadblock.

Bring your own model

Autonomous Worker Agents work with any LLM provider. Connect Anthropic, AWS Bedrock, or Google Vertex AI through existing Harness connectors, and switch models per agent, per environment, or per pipeline without rewriting the agent.

Availability

Autonomous Worker Agents and the Harness Agent Marketplace are now generally available to all Harness customers. For more information, visit https://harness.io/platform/worker-agents.

Guest Post: Fake Interpol Investigation Emails Are Targeting Small Businesses with Ransomware

Posted in Commentary with tags on July 1, 2026 by itnerd

Think your small business is too small to be targeted by ransomware?

That’s precisely the assumption cybercriminals hope you’ll make.

Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses across Europe, Asia, the Middle East, and the United States with fake investigation emails impersonating law enforcement officials.

The messages claim to contain evidence of suspicious company activity, but there’s a catch: The attached ‘evidence’ is actually ransomware.

Key takeaways

  • Researchers at Bitdefender Antispam Lab have identified a malicious campaign impersonating Interpol.
  • The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive.
  • Recipients are directed to a Proton Drive-hosted file that ultimately delivers ransomware.
  • The ransomware appears to be a custom-built payload rather than a known ransomware family.
  • The operation targeted organizations across Europe, Asia, the Middle East, and the United States.
  • Small businesses are particularly at risk because many lack dedicated IT and cybersecurity resources.

How the attack works

The emails arrive with an urgent tone, claiming to be from Interpol’s cybercrime investigation unit, which is conducting a compliance or security review.

Recipients are told that investigators have obtained information and video material related to their organization and are encouraged to review the evidence as soon as possible.

The message is carefully crafted to create anxiety. Nobody wants to receive an email suggesting their company may be involved in suspicious or fraudulent activity or under investigation.

To review the alleged evidence, recipients are directed to a Proton Drive link containing a password-protected archive. The password is conveniently included in the email itself.

Once opened, the archive appears to contain a video file documenting the supposed activities under investigation.

Instead, the victim is greeted with malware.

The attackers use a familiar trick: disguising an executable as a video file in the hope that recipients won’t notice the difference before opening it.

The malware isn’t sophisticated. The social engineering is.

According to researchers Viorel Vrabie and Andrei Mogage, the fake video contains a ransomware payload hidden within multiple archive layers.

Once executed, the malware seeks to encrypt files across available drives and presents victims with a ransom message:

“Your computer has been compromised, and you will not be able to recover your encrypted files without the decryption key.

Do not delete any files or change their locations. Do not scan your computer, as this may complicate the recovery process.

We are available only through Tox.”

One interesting detail is what the ransom note doesn’t say:

Unlike older ransomware attacks that immediately demanded a fixed payment amount, this note doesn’t specify a ransom at all. Instead, victims are instructed to contact the attackers through a Tox chat channel.

This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact. The final ransom may depend on the size of the organization, the perceived value of its data, and its ability to pay.

The researchers also found that the malware itself is relatively simple. The code contains hardcoded values, including the password used during encryption and decryption, and lacks many of the features typically associated with large ransomware operations.

Bitdefender researchers observed the campaign targeting organizations across multiple industries, including food and agriculture, legal services, pharmaceuticals, media, technology, and finance.

The campaign was also geographically diverse, with targets identified across Europe, Asia, the Middle East, and the United States.

Is this attack linked to a major ransomware gang?

In fact, the malware seems much simpler than the tools typically used in major ransomware operations. Beyond the relatively basic code observed by our researchers, another notable difference is how victims are instructed to make contact.

Most modern ransomware-as-a-service (RaaS) groups direct victims to a dedicated negotiation portal hosted on the dark web, where they can exchange messages, receive payment instructions, and negotiate the ransom.

In this campaign, however, the attackers simply provide a Tox chat ID. There is no dedicated negotiation portal or victim site, which is another indication that this is likely a custom-built operation rather than the work of an established ransomware group.

This suggests the malware may have been custom-built or assembled using publicly available code and tools.

The campaign highlights an important trend: cybercriminals no longer need the resources or expertise of a large ransomware gang to launch disruptive attacks. Even relatively simple malware can become a serious threat when paired with convincing social engineering.

In this case, the fake investigation email does much of the heavy lifting. The attackers rely on fear, urgency, and authority to persuade victims to launch the malware themselves.

Why small businesses remain attractive targets

Small businesses are often viewed as easier targets than large enterprises.

Many operate without dedicated IT teams or cybersecurity staff. Security responsibilities are often shared among employees who already wear multiple hats, and limited budgets can make it difficult to invest in advanced security measures or ongoing training.

When an alarming email arrives claiming to involve investigators, compliance issues, or evidence of misconduct, there may be no formal process for verifying the claims before someone clicks.

Attackers understand this reality and design campaigns specifically to exploit it.

What should you do if you opened the file?

If you downloaded and opened a file like the one used in this campaign, don’t panic, but don’t ignore it either. Acting quickly can make a big difference.

Disconnect the affected device from the network. If ransomware or other malware is running, taking the computer offline may help prevent it from communicating with attacker-controlled servers or spreading to shared drives and other devices.

Run a full security scan. Use a trusted security solution, such as Bitdefender Ultimate Small Business Security, to perform a complete scan of the affected device. Even if nothing appears unusual, remember that some threats are designed to remain hidden until they’ve completed their job.

Notify your IT administrator or managed service provider, where possible. If you’re part of a business, don’t try to deal with the incident alone. The sooner your IT team is aware, the faster they can isolate affected systems and prevent additional damage.

Inform your team about the attack. Awareness can also make a huge difference in protecting your business, devices, data, and reputation.

Change important passwords from a clean device. If there’s any chance the malware also harvested credentials, update passwords for your business email, cloud storage, financial accounts, and collaboration platforms. Use strong, unique passwords and enable multi-factor authentication wherever it’s available.

Look for signs of suspicious activity. Watch for unexpected login alerts, password reset emails, unfamiliar transactions, or files that suddenly become inaccessible. Continue monitoring your accounts over the following days, as some attacks don’t reveal their full impact immediately.

Report the incident. Report the phishing email through your email provider’s “Report phishing” feature and notify the organization being impersonated when appropriate. If your business has been infected or you suspect ransomware was executed, consider reporting the incident to your national cybersecurity agency. Sharing information about active campaigns helps authorities warn other organizations and better understand emerging threats.

You may also want to read: What to do if you clicked a phishing link in a business email

How to protect your small business moving forward

Campaigns like this prove that ransomware attacks don’t always begin with sophisticated hacking techniques. Often, they start with a message designed to create panic.

To reduce the risk of your small business falling victim to a similar ransomware attack:

  • Verify all unsolicited correspondence before acting: If you receive a message claiming to come from law enforcement, regulators, or another authority, don’t rely on the contact details provided in the email. Reach out through official channels to confirm whether the communication is legitimate.

Note: One of the biggest red flags in this campaign is the delivery method itself. While the attackers impersonate Interpol, legitimate law enforcement agencies don’t send unsolicited emails containing Proton Drive links to password-protected files and ask organizations to review alleged evidence of wrongdoing. If you receive a message like this, resist the urge to investigate on your own. Instead, verify the communication through official channels before opening any attachments or downloading files.

  • Treat password-protected archives with caution, especially when the password is included in the email.
  • Show file extensions on Windows devices: This makes it easier to spot executables masquerading as videos or documents.
  • Enable multi-factor authentication wherever possible. MFA won’t stop ransomware that’s already running, but it can prevent attackers from accessing your business accounts if they also try to steal passwords.
  • Keep systems and software up to date. Regular security updates help close vulnerabilities that attackers may exploit before or after a phishing attack.
  • Train employees to recognize scams: Criminals increasingly rely on fear and urgency rather than technical exploits.
  • Maintain secure backups: Reliable backups remain one of the best defenses against ransomware.
  • Use layered security designed for small businesses: Even well-trained employees can have an off day, and attackers count on those moments. Solutions such as Bitdefender Ultimate Small Business Security add another layer of defense by helping block phishing emails, detecting malicious downloads, identifying suspicious behavior, and stopping ransomware in its tracks.
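The campaign above relies on two things a defender can check mechanically: a file that carries a media name but a Windows executable header (the "video" that is really an .exe), and extra archive layers around the payload. The following is an added example, not Bitdefender's code or anything from the campaign: it builds a constructed, unencrypted ZIP in memory whose members are harmless header stubs (a few bytes beginning with "MZ" or "ftyp", no real program), then walks the archive, including nested archives, and flags a double extension such as `.mp4.exe`, a right-to-left override character in a filename, and a PE header behind a non-executable extension. The member names and bytes are constructed for the demonstration.

```python
"""Flag executables masquerading as media files inside an archive.

Added example; the archive and its members are constructed stubs,
not samples from the campaign described above.
"""
import io
import zipfile
from typing import Dict, List

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".lnk"}
MEDIA_DOC_EXTS = {".mp4", ".avi", ".mkv", ".mov", ".pdf", ".docx", ".xlsx", ".jpg", ".png"}
RTLO = "\u202e"  # right-to-left override: makes "x\u202e4pm.exe" display as "xexe.mp4"


def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name."""
    if head[:2] == b"MZ":
        return "pe-executable"
    if head[4:8] == b"ftyp":
        return "mp4-video"
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return "avi-video"
    if head[:4] == b"\x1a\x45\xdf\xa3":
        return "matroska-video"
    if head[:4] == b"%PDF":
        return "pdf"
    if head[:2] == b"PK":
        return "zip-container"
    return "unknown"


def assess_member(name: str, head: bytes) -> List[str]:
    """Return human-readable indicators for one archive member (empty list = nothing odd)."""
    indicators: List[str] = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    final_ext = exts[-1] if exts else ""

    if RTLO in name:
        indicators.append("right-to-left override character in filename")
    # Windows hides the last extension by default, so "video.mp4.exe" shows as "video.mp4".
    if final_ext in EXECUTABLE_EXTS and any(e in MEDIA_DOC_EXTS for e in exts[:-1]):
        indicators.append(f"double extension: displays as {exts[-2]} but runs as {final_ext}")

    kind = sniff_type(head)
    if kind == "pe-executable" and final_ext not in EXECUTABLE_EXTS:
        indicators.append(f"PE header (MZ) but extension {final_ext or '(none)'}")
    if kind == "zip-container":
        indicators.append("nested archive (extra layer)")
    return indicators


def scan_archive(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3) -> Dict[str, List[str]]:
    """Walk a ZIP (recursing into nested ZIPs) and map each member path to its indicators."""
    results: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:   # for a ZipCrypto-protected archive pass pwd=b"..." here
                content = fh.read()
            key = prefix + info.filename
            results[key] = assess_member(info.filename, content[:16])
            if content[:2] == b"PK" and depth < max_depth and zipfile.is_zipfile(io.BytesIO(content)):
                results.update(scan_archive(content, key + "/", depth + 1, max_depth))
    return results


def build_sample_archive() -> bytes:
    """Constructed lure-like archive: header stubs only, nothing executable."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"          # PE-like stub, not a program
    fake_mp4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 24  # MP4 'ftyp' box stub
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Interpol_Evidence.mp4.exe", fake_pe)    # double extension
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Case_Video.mp4", fake_pe)               # executable bytes, media name
        z.writestr("Statement.mp4", fake_mp4)               # genuinely video-like
        z.writestr("Evidence" + RTLO + "4pm.exe", fake_pe)  # RTLO filename trick
        z.writestr("layer2.zip", inner.getvalue())          # extra archive layer
    return outer.getvalue()


if __name__ == "__main__":
    for member, hits in scan_archive(build_sample_archive()).items():
        print(f"{member!r}: {hits or 'clean'}")
```

The type sniffing is deliberately independent of the filename, which is the same reason the Bitdefender list recommends showing file extensions: the name is what the attacker controls, the header bytes are not. Python's `zipfile` can open ZipCrypto-protected members with `pwd=`, but not AES-encrypted ones; the constructed archive here is unencrypted so the script runs as-is.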

This article is published for informational and educational purposes only. The information presented is based on technical research conducted by Bitdefender Labs and publicly available sources. Bitdefender does not make any legal determination regarding the activities described herein. The mention of any company, brand, domain, or individual does not constitute an accusation of illegal activity. Readers should exercise their own judgment and consult appropriate authorities or legal counsel if they believe they have been affected by any of the activities described. Domain names and URLs listed in this article are provided solely to help consumers and security professionals identify potentially harmful infrastructure. Bitdefender disclaims any liability for actions taken based on the information in this article.

Comparitech Research: Which industry & country has the worst email security? An analysis of 5,800+ domains

Posted in Commentary with tags on July 1, 2026 by itnerd

Every day, cybercriminals send around 3.4 billion phishing emails. 90 percent of successful cyber attacks originate from one of these emails. 96 percent of IT security and decision makers expect to see email security challenges throughout 2026, so you’d be forgiven for thinking that most organizations would be meeting the basics. However, Comparitech’s research found that more than eight percent of organizations’ domains are fully unprotected.

This Wednesday, Comparitech researchers will be publishing a new study looking into this very subject by analyzing the live DNS records for 5,849 domains across 13 sectors, scoring each based on a series of frameworks.

Key findings include: 

  • 487 of the total domains scanned (5,849) had zero protection (8.3%)
  • Government domains had the lowest average score – 2.73
  • Tech company domains had the highest average score – 4.83
  • China had the lowest average score – 2.3

Additionally, Rebecca Moody, Head of Data Research at Comparitech, provided the following comment on the subject: 

“If you asked people which industries they’d like to assume are meeting basic cybersecurity standards, government agencies and healthcare providers would likely be among some of the most popular answers. Our study highlights that, when it comes to standard email security, this couldn’t be further from the truth. 

The fact that over 1 in 4 government agencies and 1 in 5 healthcare providers have zero email protection is incredibly concerning, particularly when the factors we’ve assessed (SPF, DMARC, DKIM, or MTA-STS) are what many would call “standard” protocols. Equally, these sectors are often subject to more regulation, demonstrating that even when they should be meeting these requirements by law, they often aren’t.

One of the biggest risks of having gaps in email security is spoofing. Without the necessary protocols in place, hackers can spoof an organization’s domain, which adds to the legitimacy of their campaign. They could use this to send phishing emails, malware, or carry out a wire fraud scam, for example. Ultimately, the email security protocols we’ve assessed shouldn’t be seen as a recommendation or “good to have,” they should be viewed as being essential for all organizations.”

You can read the research here: https://www.comparitech.com/news/which-industry-country-has-the-worst-email-security-an-analysis-of-5800-domains-for-spf-dmarc-dkim-mta-sts-protocols/
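The study scores domains on the DNS-published controls named in the quote (SPF, DMARC, DKIM, MTA-STS). The following is an added example of how such a check can be automated, not Comparitech's scoring framework or code: the point values are an assumption chosen so that a domain publishing nothing scores 0 (the "zero protection" case) and a fully configured one scores 6, and the TXT records are constructed inline under made-up `.example` names so the script runs offline. Replacing `lookup_txt` with a real resolver query would turn it into a live scanner.

```python
"""Score a domain's email-authentication posture from its DNS TXT records.

Added illustration; the point scale is an assumption, not Comparitech's.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample TXT data (not live DNS): record name -> TXT strings.
SAMPLE_DNS: Dict[str, List[str]] = {
    # good.example: SPF hard fail, DMARC reject, DKIM key published, MTA-STS advertised
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.good.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "_mta-sts.good.example": ["v=STSv1; id=20260701T000000Z"],
    # weak.example: SPF soft fail, monitor-only DMARC, no DKIM selector, no MTA-STS
    "weak.example": ["v=spf1 include:mail.weak.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    # bare.example publishes nothing at all
}

# DKIM selectors cannot be enumerated from DNS; this probe list is a constructed guess.
DKIM_SELECTORS = ("s1", "selector1", "default", "google")
MAX_SCORE = 6  # SPF 2 + DMARC 2 + DKIM 1 + MTA-STS 1 (assumed scale)


def lookup_txt(name: str, dns: Dict[str, List[str]]) -> List[str]:
    """Stand-in for a TXT query; swap for a real resolver to scan live domains."""
    return dns.get(name.lower(), [])


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC, DKIM, MTA-STS) into a lowercase-keyed dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain: str, dns: Dict[str, List[str]]) -> Tuple[int, str]:
    for txt in lookup_txt(domain, dns):
        if txt.lower().startswith("v=spf1"):
            terminator = txt.split()[-1].lower()
            # Only "-all" asks receivers to reject mail from unlisted senders outright.
            return (2 if terminator == "-all" else 1), f"SPF present, ends with {terminator}"
    return 0, "no SPF record"


def check_dmarc(domain: str, dns: Dict[str, List[str]]) -> Tuple[int, str]:
    for txt in lookup_txt(f"_dmarc.{domain}", dns):
        tags = parse_tags(txt)
        if tags.get("v", "").upper() == "DMARC1":
            policy = tags.get("p", "none").lower()
            # p=none only reports spoofing; quarantine/reject actually act on it.
            return (2 if policy in ("quarantine", "reject") else 1), f"DMARC p={policy}"
    return 0, "no DMARC record"


def check_dkim(domain: str, dns: Dict[str, List[str]]) -> Tuple[int, str]:
    for selector in DKIM_SELECTORS:
        for txt in lookup_txt(f"{selector}._domainkey.{domain}", dns):
            if parse_tags(txt).get("p"):
                return 1, f"DKIM public key at selector {selector}"
    return 0, "no DKIM key found at probed selectors"


def check_mta_sts(domain: str, dns: Dict[str, List[str]]) -> Tuple[int, str]:
    for txt in lookup_txt(f"_mta-sts.{domain}", dns):
        if parse_tags(txt).get("v", "").upper() == "STSV1":
            return 1, "MTA-STS policy advertised"
    return 0, "no MTA-STS record"


CHECKS: List[Callable[[str, Dict[str, List[str]]], Tuple[int, str]]] = [
    check_spf, check_dmarc, check_dkim, check_mta_sts,
]


def score_domain(domain: str, dns: Dict[str, List[str]] = SAMPLE_DNS) -> Tuple[int, List[str]]:
    """Return (total points, per-check findings) for one domain."""
    total, findings = 0, []
    for check in CHECKS:
        points, note = check(domain, dns)
        total += points
        findings.append(note)
    return total, findings


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "bare.example"):
        score, notes = score_domain(d)
        print(f"{d}: {score}/{MAX_SCORE}  " + "; ".join(notes))
```

Two caveats a practitioner would want: DKIM cannot be scored reliably from the outside because selectors are private knowledge of the sender, so any external survey can only probe common names; and an SPF record can end in a `redirect=` modifier rather than an `all` mechanism, in which case the referenced domain's record decides the policy.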

Dawnguard launches platform to build secure cloud systems from day zero, with fresh funding and US office

Posted in Commentary with tags on July 1, 2026 by itnerd

As AI-assisted engineering accelerates how quickly software is designed, written, and shipped, cybersecurity teams are facing a harder problem: risk is being created earlier than traditional tools can see it. Dawnguard announced the public launch of its security architecture automation platform, making it available to organizations looking to design, build, and operate secure cloud-native systems from day zero through production. 

The launch marks the company’s move from enterprise design partnerships into general availability, following a year of platform development and customer validation. Alongside the product launch, Dawnguard announced the opening of its New York City office and an additional $3.3 million in pre-seed funding from existing investor BNVT Capital in the UK, with new participation from Curiosity VC in the Netherlands and eCAPITAL in Germany. The new capital brings Dawnguard’s total funding to more than $6.3 million.

Why this matters now

Cybersecurity has spent decades getting better at detecting, alerting, and responding to threats after systems are already built. That model is under increasing pressure. As software development speeds up, security teams are asked to protect systems that are more complex, more dynamic, and increasingly shaped by AI-generated code and autonomous engineering workflows.

Despite record spending on cybersecurity tools, breaches continue to originate from architectural weaknesses, insecure configurations, and design decisions that cannot simply be patched away. Dawnguard was founded on a simple belief: cybersecurity cannot continue to operate as a reactive industry. True cyber resilience begins at the drawing board, where systems are designed, validated, and deployed securely from the start. 

A new category for the Mythos era

The rise of AI, autonomous systems, and increasingly complex digital infrastructure has created what Dawnguard calls the Mythos Era: an environment where software evolves and is exploited faster than traditional security processes can keep pace. Security teams are overwhelmed by thousands of alerts, fragmented tooling, and endless patch cycles, while attackers increasingly exploit weaknesses embedded in architecture itself.

Dawnguard was built for this shift. Its platform turns secure architecture into deployable infrastructure, enabling organizations to:

  • Design secure and compliant cloud architectures before deployment
  • Automatically generate production-ready Infrastructure as Code
  • Continuously validate that deployed environments remain aligned with approved designs
  • Eliminate security drift between architectural intent and operational reality
  • Enable engineering and security teams to collaborate within a shared architecture workspace

The platform is designed to eliminate the gap between security intent and operational reality. Engineering and security teams work in a shared architecture workspace where designs can be validated, translated into enforceable infrastructure, and checked continuously as systems evolve.

Unlike traditional security products that focus on detecting problems after systems are built, Dawnguard helps organizations prevent insecure patterns from being introduced in the first place. The result is a security model that starts at the drawing board and follows the system into production.

The team 

Dawnguard was founded by cybersecurity veterans from IBM, Microsoft, Amazon, and military cyber operations to challenge the industry’s dependence on reactive security and compliance-driven checkbox exercises. Since launching from stealth, the company has expanded its platform capabilities, strengthened integrations across cloud environments, and worked closely with enterprise design partners to bring security architecture automation into production.

The new funding will accelerate product development, AI-driven architecture intelligence, enterprise go-to-market expansion, and international growth.

The future is design-focused security

Dawnguard’s vision extends beyond improving security workflows. The company aims to establish security architecture as a foundational control layer for modern digital systems, where security, compliance, cost management, resilience, sustainability, performance, and operational excellence are built into infrastructure and the application layer from the moment they are conceived.

As organizations enter the Mythos Era, Dawnguard is betting that the future of cybersecurity will not be defined by faster alerts or longer patch lists. It will be defined by systems that are secure by design, continuously validated, and capable of adapting to an increasingly autonomous world.

Ohio city warns 123,000+ people of data breach that leaked SSNs, financial and medical info

Posted in Commentary with tags on July 1, 2026 by itnerd

Comparitech is reporting that the city of Middletown, Ohio today confirmed it notified 123,791 people of a July 2025 data breach that compromised names, SSNs, financial account info, medical info, health insurance info, addresses, and government-issued IDs. 

The cyberattack disrupted city services including water utility billing, which wasn’t fully restored until months later in January 2026.

Commenting on this news is Rebecca Moody, Head of Data Research at Comparitech:

“This attack highlights why government agencies remain a key target for hackers.

First, the case shows just how disruptive these attacks can be, with Middletown only being able to restore its water billing system in January of this year, around six months after the attack took place. Second, governments are often in possession of vast quantities of data. Accessing such data not only gives hackers further leverage to demand a ransom, but it also gives them key data that they can sell on the dark web if negotiations fail. The fact that SafePay posted the City of Middletown to its data leak site suggests ransom negotiations failed (for the data theft at least). 

While government agencies are sometimes prevented from paying ransoms (or have to meet strict conditions in order to pay one, as is the case in Ohio), we saw a case just last month (Murray County in Georgia) where the ransom was paid in order to prevent county data from being published. 

It’s win-win for hackers. Receive a ransom demand to decrypt systems and/or delete data, or sell highly sensitive personal data on the dark web.”

I guess hackers are about to have a field day because they seriously hit the jackpot here. Which illustrates why stopping the bad guys from doing evil things is preferable to getting pwned.

ESET Research investigates Russian-aligned Gamaredon group – new toolset, alliances, and a reliance on legitimate services

Posted in Commentary with tags on July 1, 2026 by itnerd

ESET Research released its latest report on Gamaredon, a Russia-aligned threat actor, and its activity during 2025. The paper analyzes new tools added to its arsenal, significant shifts in how it protects its network infrastructure, and its growing use of legitimate third-party services to hide both command and control (C&C) information and stolen data. Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine. The group’s ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine. Gamaredon’s activities appear to be closely aligned with Russia’s geopolitical objectives, targeting Ukrainian governmental and military institutions to gain an intelligence advantage. 

In early 2025, Gamaredon collaborated with Turla, another Russia-aligned threat actor. This cooperation underscores the potential for coordinated cyberespionage campaigns among Russia-aligned groups, likely to amplify their operational impact. In the past, Gamaredon also collaborated with a threat actor that ESET discovered and named InvisiMole. More broadly, 2025 also provided another example of cooperation and task sharing among Russia-aligned actors: ESET observed the Russia-aligned UAC-0099 group conducting initial access operations and subsequently transferring validated targets to Sandworm for follow-up activity. 

In the second half of the year, Gamaredon shifted more toward larger and more frequent spear phishing campaigns. What changed most noticeably was the tempo. The group was much more active in the second half of the year, when campaigns became both more frequent and larger in scale. Beyond spear phishing, Gamaredon also continued using custom weaponizers for lateral movement. These tools weaponize USB drives, mapped network drives, and even software installers, helping the group spread within or across organizations after the initial compromise.

Gamaredon introduced six new tools in 2025, all written in PowerShell: PteroDee, PteroCache, PteroDum, PteroOdd, PteroPaste, and PteroEffigy. The standout among the new tools is PteroPaste, which is considerably more complex than the others. It combines a downloader, a USB weaponizer, and a runner component used for persistence and orchestration. The group also resurrected an old VBScript weaponizer, PteroSetup, which first appeared in 2021.

Gamaredon operators also sought new ways to protect their network infrastructure, with their C&C servers now hidden behind various third-party services such as tunnels, workers, DDNS (dynamic DNS), and PaaS (platform as a service).

One of the most important aspects of Gamaredon’s 2025 operations was its heavy use of so-called dead-drop services. The term comes from traditional espionage – instead of meeting directly, one operative leaves information in a public or hidden location and another retrieves it later. Online, the principle is similar. Rather than embedding the real malicious server directly in malware, operators place that information on a legitimate website or platform, and the malware retrieves it from there. This means that the malware may first contact a public page on a legitimate service, read a hidden or staged value from it, and only then connect to the actual C&C server. In 2025, Gamaredon abused numerous services in this way: Telegram channels, Dropbox, social networks DEV Community, Mastodon, and others.

The other major infrastructure shift ESET observed was on the data-exfiltration side. Gamaredon upgraded two of its flagship file stealers, PteroPSDoor and PteroVDoor, to upload stolen files to S3-compatible cloud storage services – providers that support the Amazon S3 API (Wasabi, Tebi, and Intercolo), allowing the same tools and code to work across different storage vendors. At the same time, PteroBox continued to upload files to Dropbox.

Uploading stolen files to cloud storage reduces the need for Gamaredon to maintain its own infrastructure for receiving large amounts of stolen data. It also helps malicious traffic blend in with access to legitimate storage providers. Essentially, Gamaredon increasingly uses third-party services not only to hide where instructions come from, but also to hide where stolen data goes.

For more details about Gamaredon and its activity in 2025, check out the ESET Research blogpost and white paper “Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances,” on WeLiveSecurity.com.

Guest Post: An Update on You Snooze, You Lose: Winning LPEs by Racing Services for RPC Endpoints

Posted in Commentary on July 1, 2026 by itnerd

Author: Ron Ben Yizhak, SafeBreach Security Researcher

Last August, I shared a blog on my most recent research project called You Snooze, You Lose: RPC-Racer Winning RPC Endpoints Against Services, which I presented at DEF CON 33 (2025). In it, I demonstrated a novel attack technique I developed called Endpoint Mapper (EPM) poisoning—a method of registering a rogue remote procedure call (RPC) server ahead of a legitimate one to intercept client connections. I showed how it could be exploited to force a protected process to authenticate a machine account against an attacker-controlled server, enabling domain-wide privilege escalation.

Following that research, I continued investigating the boundaries of EPM poisoning to answer a question I had left open: could the technique be used to escalate from an even weaker starting point? Specifically, could a low integrity process leverage EPM poisoning to break out of its sandbox entirely? The answer turned out to be yes—and the path there involved an obscure scheduled task, a bypassed Windows security mechanism, and an XML injection hidden inside a toast notification.

Below, I’ll first provide a high-level overview of the original research. Next, I’ll explain how I expanded the attack surface to low integrity processes, describe the new vulnerability I discovered in the Data Sharing Service, and share additional EPM poisoning impact discovered by Microsoft. Finally, I’ll cover the vendor response, detection guidance, and directions for further research.

Background on the Original Research

NOTE: This section provides an overview of the original You Snooze, You Lose: RPC-Racer Winning RPC Endpoints Against Services research; readers already familiar with it can skip to the following section.

The Windows RPC protocol is one of the core building blocks of inter-process communication on Windows. When an RPC client needs to find a server by interface universally unique identifier (UUID)—without knowing a specific endpoint—it queries the EPM, which functions similarly to a DNS server: it resolves a UUID to a registered endpoint and connects the client to the first matching server.

This design became the foundation of my research. I set out to determine whether an attack analogous to DNS poisoning could be applied to the EPM—a technique I came to call EPM poisoning. The key discovery was that there is no verification mechanism preventing an unprivileged process from registering a built-in, well-known RPC interface. As long as a rogue server registers an interface before the legitimate service does, the EPM will route clients to the attacker.

To operationalize this finding, I developed two tools:

  • RPC-Recon: Maps RPC interfaces that are not registered at boot and identifies services with delayed or manual startup that could be raced.
  • RPC-Racer: A toolset that registers rogue RPC interfaces and exploits the clients that connect to them.

The primary exploit chain I demonstrated targeted the Storage Service (StorSvc). Because StorSvc is set to delayed start, a scheduled task launched at user log-on can register its interface before the legitimate service. The Delivery Optimization service—which runs as a Protected Process Light (PPL)—connects to StorSvc to retrieve a storage path via the `GetStorageDeviceInfo` method. By controlling the response, I was able to return a network share pointing to an attacker-controlled SMB server, causing the Delivery Optimization service to authenticate to it using the machine account credentials.

This vulnerability can be chained with the ESC8 attack. I launched RPC-Racer on a domain controller as a non-administrative user to force it to authenticate with the machine account credentials. From there, I relayed the authentication to the Active Directory Certificate Services (AD CS) web enrollment endpoint, requested a ticket-granting ticket (TGT) for the domain controller’s machine account, and used it to dump all domain controller secrets, achieving full domain compromise from a medium integrity process with no administrative privileges.

Microsoft assigned this vulnerability CVE-2025-49760 and fixed it in the patch released on July 8, 2025, which added a security quality-of-service (QoS) check to the StorSvc RPC client so that it only connects to servers running as the local SYSTEM account.

Taking It Further: Low Integrity Processes as an Attack Surface

After completing the original research, I returned to a question I had set aside: what if we started from an even more restricted position? Most of my original research started from a medium integrity process. But many widely used applications (browsers, code editors, sandboxed apps) run at low integrity. This is an intentional security design; Microsoft’s documentation explicitly states that escaping low integrity is especially difficult because low integrity processes are prevented from writing to most registry keys, folders, and system components.

To my surprise, however, low integrity processes can still register RPC servers. That alone opened a path worth exploring. The challenge I ran into was that many of the techniques I used in my original research didn’t work from low integrity. Low integrity processes cannot create scheduled tasks, cannot write to the startup folder, and therefore cannot reliably race delayed services at boot. I needed to find a different target—ideally a manual service (not launched at startup) whose RPC interface could be registered at any time, with a client that could be triggered on-demand, and that was unlikely to rigorously validate data received from an assumed-trusted server.

Identifying the Target: Data Sharing Service

After filtering built-in RPC servers based on startup type, the complexity of their interfaces, and the types of data their methods return, one candidate stood out: the Data Sharing Service (DsSvc).

DsSvc acts as a broker for file-path sharing between applications. Simplified, it holds a basic dictionary that maps tokens to paths. When two apps need to exchange a file path, the first app calls `DSSCreateSharedFileToken` to request a token representing the path, and the second app calls `DSSGetSharedFileName` to retrieve the path the token represents.

Searching for files that import `dsclient.dll`—the RPC client for DsSvc—led me to several programs. One stood out immediately: PerformanceTraceHandler.dll. This is the core component of the built-in scheduled task RequestTrace.

The RequestTrace Task and the UIPI Bypass

RequestTrace collects diagnostic information from the machine and—unlike most scheduled tasks—it can be started in several ways: via the Task Scheduler COM object, via a Windows Notification Facility (WNF) state change, or by pressing the hotkey combination Win+Shift+Control+T.

The first two methods are blocked for low integrity processes. The Task Scheduler COM object is inaccessible to low integrity, and the `NtUpdateWnfStateData` API call required for the WNF trigger is also restricted. The hotkey, however, presented an interesting opportunity.

Windows uses a security mechanism called User Interface Privilege Isolation (UIPI) to prevent low integrity processes from sending input messages, setting Windows hooks, or injecting keystrokes into higher-integrity processes. UIPI is a critical sandbox boundary. But UIPI blocks input messages—does that include hotkeys? Maybe a combination would work.

I called `SendInput` from a low integrity process to send the Win+Shift+Control+T key combination, and the RequestTrace scheduled task launched successfully using an RPC client connecting to me. This is a meaningful finding in itself: low integrity processes can trigger any scheduled task that has a hotkey-based trigger, which is worth investigating independently as an attack surface.

XML Injection via Toast Notification

This task depends on a setting that is turned on by default when installing Windows: “Send optional diagnostic data” under the Diagnostics & feedback settings. Once the task starts, it pops up a notification to the user indicating that data is being collected. This type of notification is called a “toast.”

After a short duration, a second toast is presented with actions the user can take.

Once RequestTrace launches—and the second toast is presented—PerformanceTraceHandler assembles a zip file of diagnostic data and prepares to share it with the Feedback Hub application. To do this, it calls `DSSCreateSharedFileToken` on what it believes is the legitimate DsSvc server—but since I registered the interface first, it connects to my rogue server instead. The token I return is appended to a Feedback Hub URI, which is then formatted into an XML document defining the properties of a toast notification shown to the user.

The XML document defines exactly how many buttons are shown and what happens when each is clicked. After the token we return is appended, the entire URI is formatted into the arguments attribute of the first action, between two double quotes (the `arguments="%ws"` attribute below).

<toast scenario="systemDialog">
    <visual lang="en-US">
        <binding template="ToastGeneric">
            <text id="1">A trace has been successfully saved to %%LOCALAPPDATA%%\Traces.</text>
        </binding>
    </visual>
    <actions>
        <action id="1" activationType="Protocol" arguments="%ws" content="Launch Feedback Hub"/>
        <action id="2" activationType="Background" arguments="verbNotOk" content="Dismiss"/>
    </actions>
</toast>

Formatting an attacker-controlled string between quotes is very interesting and dangerous. By including a double quote in the token we return, we can close the original attribute value where the URI is inserted. After closing the original double quotes, we can append arbitrary XML data and still keep the XML document valid.

Below is an example of a payload I could inject.

NOTE: On vulnerable builds of Windows, there was a bug that prevented me from setting the action of a button to an executable file. This is why I used a Python script. Since then, however, this bug has been fixed—you can read more about it in our recent research post: Click Or Trick (CVE-2025-59199): Escaping the Sandbox with Windows URIs.

This adds a button to the toast notification and sets the action to point to any file I want. When the user clicks the injected button, the file is executed with medium integrity—breaking out of the low integrity sandbox entirely.

It’s unbelievable that I could do that! The URI of the Feedback Hub isn’t verified at all before it is formatted into the XML. There is no check for special XML characters because this program completely trusts its RPC server. We just achieved a one-click local privilege escalation from low integrity to medium integrity.
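The following is an added illustration, not code from the post, from SafeBreach, or from Microsoft: it models the formatting behaviour described above (an RPC-returned token inserted unescaped into the `arguments` attribute) next to the attribute-escaped form that would have closed the hole, and parses both results the way a notification platform would. The Feedback Hub URI shape, the token text, the `rogue_token` payload and the `file:///C:/Users/Public/payload.py` target are all hypothetical; the only thing taken from the page is the toast template and the mechanism.

```python
"""Model of the toast-XML injection: attacker-controlled token, no escaping.
Added illustration with hypothetical names; not SafeBreach's or Microsoft's code."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical shape of the Feedback Hub URI that the DsSvc token is appended to.
FEEDBACK_HUB_PREFIX = "feedback-hub:?contextid="

# Mirrors the toast template shown in the post; {args} stands in for the %ws
# that PerformanceTraceHandler formats the URI into, quotes included.
TOAST_TEMPLATE = (
    '<toast scenario="systemDialog">'
    '<visual lang="en-US"><binding template="ToastGeneric">'
    '<text id="1">A trace has been successfully saved to %LOCALAPPDATA%\\Traces.</text>'
    '</binding></visual>'
    '<actions>'
    '<action id="1" activationType="Protocol" arguments="{args}" content="Launch Feedback Hub"/>'
    '<action id="2" activationType="Background" arguments="verbNotOk" content="Dismiss"/>'
    '</actions></toast>'
)


def build_toast_vulnerable(token: str) -> str:
    """Pre-patch behaviour: the token from the (assumed trusted) DsSvc server
    is concatenated and formatted in with no XML escaping."""
    return TOAST_TEMPLATE.format(args=FEEDBACK_HUB_PREFIX + token)


def build_toast_hardened(token: str) -> str:
    """Same template, but the untrusted value is attribute-escaped first, so a
    double quote in the token can no longer terminate the attribute."""
    uri = FEEDBACK_HUB_PREFIX + token
    return TOAST_TEMPLATE.format(args=escape(uri, {'"': "&quot;", "'": "&apos;"}))


def rogue_token(target_uri: str) -> str:
    """Constructed payload a rogue DsSvc server could return instead of a token.
    The first quote closes the legitimate arguments attribute and relabels that
    button; the tail deliberately has no closing quote, so the template's own
    " content="Launch Feedback Hub"/> completes the injected button and lends
    it the trusted label."""
    return (
        'x" content="Cancel"/>'
        '<action id="3" activationType="Protocol" arguments="' + target_uri
    )


def protocol_targets(toast_xml: str) -> list:
    """Parse the toast as the notification platform would and return every
    Protocol-activation target that is not the expected Feedback Hub URI."""
    root = ET.fromstring(toast_xml)
    return [
        a.get("arguments")
        for a in root.findall("./actions/action")
        if a.get("activationType") == "Protocol"
        and not a.get("arguments", "").startswith(FEEDBACK_HUB_PREFIX)
    ]


def action_count(toast_xml: str) -> int:
    """Number of buttons the parsed toast would show."""
    return len(ET.fromstring(toast_xml).findall("./actions/action"))


if __name__ == "__main__":
    payload = rogue_token("file:///C:/Users/Public/payload.py")  # hypothetical target
    for label, build in (("vulnerable", build_toast_vulnerable), ("hardened", build_toast_hardened)):
        xml_text = build(payload)
        print(f"{label}: {action_count(xml_text)} buttons, foreign targets: {protocol_targets(xml_text)}")
```

In the vulnerable build the parsed toast carries three actions and a third Protocol button pointing at the hypothetical file target, exactly the one-click primitive the post describes; in the hardened build the same token survives only as the literal value of the first button's `arguments` attribute and the parser sees two actions. The real fix Microsoft shipped was on the client side (verifying the server before connecting), which is the right layer; escaping is the defence this particular formatting step should have had anyway.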

To recap the attack flow:

  1. The attacker starts as a low integrity process and registers a rogue RPC server mimicking DsSvc.
  2. They send Win+Shift+Control+T to indirectly start the RequestTrace scheduled task.
  3. RequestTrace’s PerformanceTraceHandler requests a token from the rogue server.
  4. The attacker returns a crafted token containing the XML injection payload.
  5. PerformanceTraceHandler launches a toast notification based on that XML.
  6. The user sees a notification with a button; clicking it executes the attacker’s file at medium integrity.

Watch the demo.

Vendor Response

As with our original research, SafeBreach is deeply committed to responsible disclosure. In line with that commitment, I disclosed the Data Sharing Service vulnerability to Microsoft on July 14, 2025. It was assigned CVE-2025-59200, and a fix was released on October 14, 2025. As with the StorSvc fix from my previous research, the patch adds a security QoS check to `dsclient.dll`, so the RPC client verifies that the server is running with elevated privileges before establishing a connection.

Key Takeaways & Broader Impact

This research exposed some serious security issues, and I believe there are a few lessons that should be noted:

  • The first is that the identity of the server should be verified in every protocol. Just as certificate pinning verifies that a TLS certificate is not only valid but carries a specific public key, an RPC client should verify which server it is talking to. The current design of the EPM does not perform this verification, so it must be done by the client.
  • The second is that there is a danger in setting services to delayed start. Developers of RPC servers should be aware of the implications of launching their programs late in the boot process. Services are often set to delayed start to make the boot process faster, but performance cannot come at the expense of security. Any stage at which untrusted code can already be executing should be considered unsafe.

In publishing the original EPM poisoning research at DEF CON 33 in August 2025, I described several directions for further investigation—including the Windows Security Center and Windows Defender, both of which interact with RPC interfaces that may be vulnerable to EPM poisoning.

Shortly after the talk, Microsoft independently identified another vulnerable RPC interface: the Windows Remote Access Connection Manager (RasMan). Hijacking the RPC interface of `rasmans.dll` via EPM poisoning could lead to SYSTEM-level privilege escalation. Microsoft patched this vulnerability (CVE-2025-59230) in October 2025, applying the same fix pattern: adding a security QoS check to the RPC client so that it verifies the server is running with elevated privileges before connecting.

The rapid identification of a third vulnerable component—just months after the original research was published—suggests that EPM poisoning is a productive avenue for finding privilege escalation vulnerabilities across the Windows RPC ecosystem. So far, the patches have addressed specific clients rather than the root cause in the EPM itself, leaving more avenues for manipulation.

For example, an attacker could:

  • Perform a man-in-the-middle attack by forwarding the requests they receive to the original service and filtering out calls to hide their foothold on the machine.
  • Cause a much more sophisticated denial of service. By registering many interfaces and denying the requests, many functionalities would be disabled. Instead of terminating processes or spamming them with packets, an attacker could simply register their RPC interface first.
  • Steal credentials. While I reviewed a few services that might be exploited for that, there are probably many more.

Detection

Because these patches address specific RPC clients rather than the EPM itself, EPM poisoning remains a viable technique against other interfaces. Organizations can take steps to detect it, specifically:

  • Monitor RpcEpRegister calls. Security products can use hooking to monitor processes that call `RpcEpRegister` to register known, built-in interfaces. If an unexpected process attempts to register a well-known interface, it should be flagged and blocked.
  • Use Event Tracing for Windows (ETW). The `Microsoft-Windows-RPC` ETW provider logs correlation between process IDs, interface UUIDs, and procedure numbers for RPC connections. These events can be used to detect cases where an unknown process receives an RPC connection on a known interface—the hallmark of EPM poisoning in action.
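The following is an added detection example, not code from the post, from SafeBreach, or from Microsoft: it applies the two checks listed above to constructed records that stand in for what a hook on `RpcEpRegister` and the `Microsoft-Windows-RPC` ETW provider expose (process id, interface UUID, opnum), joined against a process snapshot. Every UUID, PID, image name and the baseline itself are placeholders; they are not the real StorSvc or DsSvc interface identifiers, which you would collect from a clean reference machine.

```python
"""EPM-poisoning detection over constructed RPC telemetry.
Added example with placeholder identifiers; not SafeBreach's or Microsoft's code."""
from dataclasses import dataclass
from typing import Dict, List

SYSTEM = "NT AUTHORITY\\SYSTEM"

# Placeholder UUIDs standing in for real built-in interface identifiers.
STORSVC_LIKE = "aaaaaaaa-0000-4000-8000-000000000001"
DSSVC_LIKE = "aaaaaaaa-0000-4000-8000-000000000002"

# Which host should serve each well-known interface. In production this baseline
# comes from a clean reference machine (RPC-Recon style enumeration) and is keyed
# by the genuine interface UUIDs.
BASELINE: Dict[str, Dict[str, str]] = {
    STORSVC_LIKE: {"name": "StorSvc", "image": "svchost.exe", "user": SYSTEM},
    DSSVC_LIKE: {"name": "DsSvc", "image": "svchost.exe", "user": SYSTEM},
}


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    user: str


@dataclass(frozen=True)
class Event:
    kind: str   # "EpRegister" (from a hook on RpcEpRegister) or "ServerCall" (from ETW)
    pid: int
    uuid: str
    opnum: int = -1


def is_expected_host(proc: Process, expected: Dict[str, str]) -> bool:
    return proc.image.lower() == expected["image"].lower() and proc.user == expected["user"]


def find_epm_poisoning(events: List[Event], processes: Dict[int, Process],
                       baseline: Dict[str, Dict[str, str]] = BASELINE) -> List[str]:
    """Flag a registration of, or a served call on, a baselined interface by a
    process that is not its expected host. Interfaces outside the baseline are
    ignored: a user process registering its own UUID is normal RPC usage."""
    findings: List[str] = []
    for ev in events:
        expected = baseline.get(ev.uuid.lower())
        proc = processes.get(ev.pid)
        if expected is None or proc is None or is_expected_host(proc, expected):
            continue
        who = f"pid {ev.pid} ({proc.image} as {proc.user})"
        if ev.kind == "EpRegister":
            findings.append(f"{who} registered the {expected['name']} interface {ev.uuid}")
        elif ev.kind == "ServerCall":
            findings.append(f"{who} served opnum {ev.opnum} on the {expected['name']} interface {ev.uuid}")
    return findings


def demo() -> List[str]:
    """Constructed scenario: a user process registers the DsSvc-like interface
    before the real service and then receives a client's call on it."""
    processes = {
        1040: Process(1040, "svchost.exe", SYSTEM),
        5120: Process(5120, "rpc-racer.exe", "DESKTOP\\lowpriv"),
    }
    events = [
        Event("EpRegister", 1040, STORSVC_LIKE),                            # legitimate host
        Event("EpRegister", 5120, "bbbbbbbb-0000-4000-8000-000000000009"),  # own UUID, benign
        Event("EpRegister", 5120, DSSVC_LIKE),                              # rogue registration
        Event("ServerCall", 5120, DSSVC_LIKE, opnum=0),                     # a client landed on it
        Event("ServerCall", 1040, STORSVC_LIKE, opnum=3),                   # legitimate call
    ]
    return find_epm_poisoning(events, processes)


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

Two things matter when wiring this to real telemetry. The `EpRegister` check fires before any victim connects, so it is the one to block on; the `ServerCall` check is the confirmation that a client actually reached the rogue server. And neither ETW event carries an image name or account, so the join against a process snapshot (and the baseline of who legitimately hosts each interface) is what turns the raw PID/UUID/opnum triple into a finding.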

Further Research

The UIPI bypass demonstrated in this research—triggering a scheduled task via hotkey from a low integrity process—warrants further investigation. Microsoft maintains documentation listing many key combinations and the programs they trigger; it is worth exploring how many of those programs interact with RPC services and whether they can be similarly exploited.

Beyond hotkeys and low integrity, the broader EPM poisoning attack surface remains largely unexplored. There are many delayed and manual services across the Windows RPC ecosystem—this research has only scratched the surface. One particularly interesting target remains the Windows Security Center, which is set to delayed start and is used by Windows Defender. A malicious response to Defender from a rogue RPC server could potentially neutralize it entirely.

Conclusion

This research extended the EPM poisoning technique to low integrity processes, demonstrating that even heavily sandboxed applications can be weaponized to escalate privileges if they can trigger an RPC client connecting to an attacker-controlled server. The Data Sharing Service vulnerability, exploited through an XML injection hidden in a toast notification, shows how trust in RPC server identity—when unverified—can cascade into unexpected and impactful security failures.

To help mitigate the potential impact of these vulnerabilities:

  • All users should apply the patches provided by Microsoft for CVE-2025-49760, CVE-2025-59200, and CVE-2025-59230.
  • Security teams should implement the detection capabilities described above to identify EPM poisoning attempts against unpatched interfaces.

We have also:

  • Provided an updated RPC-Racer toolset via the SafeBreach GitHub repository to enable further research and development.
  • Added original attack content to the SafeBreach platform that enables our customers to validate their environment against the EPM poisoning techniques outlined in this research to significantly mitigate their risk.

For more in-depth information about this research, please:

  • Contact your customer success representative if you are a current SafeBreach customer
  • Schedule a one-on-one discussion with a SafeBreach expert
  • Contact Kesselring PR for media inquiries

About the Researcher

Ron Ben Yizhak (@RonB_Y) is a security researcher at SafeBreach with 10 years of experience. He works in vulnerability research and has knowledge in forensic investigations, malware analysis, and reverse engineering. He previously worked in the development of security products and has been invited to share his research at DEF CON several times.