FenouTech

On August 10, 2025, The Hacker News disclosed a new attack technique called Win-DDoS, developed by SafeBreach researchers Or Yair and Shahak Morag, and presented at DEF CON 33 (The Hacker News). This method exploits vulnerabilities in RPC and LDAP to turn public Windows domain controllers (DCs) into powerful DDoS bots. Attackers manipulate the LDAP referral process to direct these vulnerable servers to overwhelm victim targets, without needing malware, credentials, or leaving traces (The Hacker News).

SafeBreach uncovered four DoS vulnerabilities: three that can be triggered remotely by unauthenticated attackers, and one that only requires limited user privileges (Help Net Security). Notably, CVE-2025-32724 enables memory exhaustion in LSASS, allowing DCs to flood targets with traffic (Help Net Security).

Researchers emphasize that this attack disrupts traditional enterprise threat models: even internal systems can be weaponized for DDoS without actual compromise or code execution (Help Net Security).

Recommendation: Microsoft issued patches between April and July 2025. Organizations must apply these patches immediately, secure both public-facing and internal infrastructure, and implement effective detection and mitigation strategies to defend against such exploitation (Help Net Security, The Hacker News).


