APT28 Exploits Windows Shell Flaw to Steal NTLMv2 Hashes in Zero-Click Attacks

The attack mechanism behind CVE-2026-32202 exploits a fundamental behavior of the Windows Shell: when a user opens a folder in Windows Explorer, the Shell automatically processes shortcut (.lnk) files present in that folder to render their thumbnail icons. This processing occurs without any user action beyond navigating to the directory.

APT28 crafts malicious LNK files containing a UNC path — a network address in the format \\attacker-server\share\icon.ico — as the icon source. When Windows Explorer attempts to load this icon, shell32.dll initiates an outbound Server Message Block (SMB) connection on TCP port 445 to the attacker-controlled server. SMB connections inherently trigger NTLM authentication negotiation, during which Windows automatically sends the victim's NTLMv2 hash to the remote server — including the username, domain, and cryptographic material derived from the user's password — without any prompt or visible indication to the user.

The attacker's server captures this NTLMv2 hash in real time. From that point, two attack paths open. First, NTLM relay: the attacker relays the authentication attempt immediately to a target server (Exchange, SharePoint, domain controller), impersonating the victim without ever cracking the password. Second, offline cracking: the captured NTLMv2 hash can be submitted to GPU-accelerated cracking tools. Common passwords fall in minutes; even complex passwords can yield to sustained cracking efforts.

The zero-click nature stems from the Shell's automatic icon rendering behavior. Delivery mechanisms are broad: the malicious LNK file can arrive via phishing email attachment, USB drive, or placement on a network share that legitimate users are likely to browse. The [CVE-2023-23397 Outlook NTLM hash theft](/blog/cve-2023-23397-outlook-ntlm-explained) attack documented in 2023 used a similar NTLM coercion technique via calendar invites — CVE-2026-32202 represents APT28 returning to the same fundamental technique via a different delivery vector.

CVE-2026-32202 is not a standalone discovery — it is the direct consequence of a February 2026 patch that fixed the most visible part of a two-component vulnerability while leaving the authentication coercion mechanism intact.

APT28 originally weaponized a zero-day tracked as CVE-2026-21510 (CVSS 8.8) — a protection mechanism failure in Windows Shell that enabled full remote code execution when a victim opened a specially crafted folder. The group deployed this zero-day in a campaign targeting Ukrainian government entities and EU nations beginning in December 2025, chaining it with CVE-2026-21513 (CVSS 8.8), a similar MSHTML Framework protection failure, to maximize the attack surface. Microsoft patched both vulnerabilities in February 2026 Patch Tuesday.

Akamai Security Research subsequently analyzed the February 2026 fix and identified that while the RCE vector was closed, the underlying UNC path processing behavior that Windows Explorer performs during thumbnail rendering was not fully constrained. Specifically, the patch did not prevent shell32.dll from initiating outbound SMB connections to attacker-controlled UNC paths embedded in LNK files. This authentication coercion path — the mechanism APT28 had been using for NTLMv2 credential theft even prior to the RCE capability — survived the fix intact.

Akamai disclosed this bypass as CVE-2026-32202, which Microsoft initially published on April 14 with a CVSS score of 4.3 reflecting only the confidentiality-limited scope of NTLMv2 hash exposure. Microsoft revised the advisory on April 27 to confirm active exploitation and acknowledge the APT28 attribution, completing the timeline from APT28's original zero-day to the residual credential theft capability that organizations must now patch with the April 2026 update. Organizations that applied the February 2026 fix for CVE-2026-21510 but have not yet deployed [this month's Patch Tuesday updates](/blog/patch-tuesday-april-2026) remain exposed.

CVE-2026-32202 affects a wide range of Windows desktop and server releases. The NVD advisory identifies 14 or more distinct version-build combinations as vulnerable, spanning the consumer and enterprise install base. Any system that has not applied the April 2026 Patch Tuesday cumulative update is exposed.

Affected desktop versions include Windows 10 versions 1607, 1809, 21H2, and 22H2, and Windows 11 versions 23H2, 24H2, 25H2, and 26H1. On the server side, Windows Server 2012 R2 and subsequent server releases are affected. Each version has a specific build number cutoff — for example, Windows 10 version 1607 builds up to and including 10.0.14393.9060 are vulnerable; the April 2026 cumulative update provides the remediated build.

This breadth matters for enterprise patch management: organizations running mixed Windows 10 and Windows 11 estates, or maintaining legacy Windows Server 2012 R2 infrastructure that has not yet been migrated, must validate patch status across all version tracks. Windows Update will serve the correct cumulative update for each version automatically, but organizations using WSUS, SCCM, or third-party patch management tools must verify that April 2026 cumulative updates have been distributed and installed — not merely approved.

The attack requires no privileged access and no exploit kit. The only requirement is that the attacker can place a file in a location that the victim will navigate to in Windows Explorer. Network shares, email attachments, and removable media all provide viable delivery paths. Remote workers accessing corporate file shares are a particularly exposed population if SMB is not blocked at the network perimeter.

APT28 — formally attributed to Russia's GRU military intelligence directorate — has maintained NTLM-based credential theft as a core operational technique across multiple campaigns and CVEs. The group's December 2025 campaign exploiting CVE-2026-21510 and CVE-2026-21513 targeted Ukrainian government organizations and EU member state institutions, consistent with APT28's documented focus on intelligence collection from NATO-aligned and post-Soviet governments.

NTLM credential theft is strategically valuable for APT28 because it bypasses the challenge of password guessing entirely. A captured NTLMv2 hash from a high-value account — a government minister's email account, a defense contractor's Active Directory credentials — provides immediate, authenticated access to internal systems via NTLM relay before any password cracking is necessary. APT28 has a documented history of targeting Microsoft Exchange servers specifically for email access through NTLM relay, consistent with an intelligence collection mission prioritizing diplomatic and defense communications.

The Russia-Ukraine conflict context gives the December 2025 – April 2026 campaign timeline operational significance. APT28's sustained focus on credential theft infrastructure suggests ongoing collection operations against European government targets that predate and will outlast any individual CVE. Organizations supporting Ukraine aid operations, EU policy development, or NATO planning functions should treat CVE-2026-32202 as an active, targeted threat — not a background noise vulnerability that can wait for the next patching cycle.

Detection of CVE-2026-32202 exploitation requires network-layer and endpoint telemetry. The key behavioral signal is outbound SMB traffic from Windows Shell processes to external IP addresses — a pattern that should never occur in a correctly configured enterprise environment.

At the network layer, monitor for TCP port 445 connections originating from Windows workstations to external IP addresses not in your organization's known-good IP ranges. This traffic will appear to originate from the Windows Explorer process or from smss.exe / shell32.dll in process-level network monitoring. An NDR or NGFW that logs connection-level metadata will capture this. FortiGuard has published IPS signature MS.Windows.CVE-2026-32202.Shell.Spoofing for automated network-layer detection.

At the endpoint, focus on Windows Event Log telemetry. Event ID 4624 (Successful Logon) with Logon Type 3 (Network) and Authentication Package NTLM, where the Workstation Name does not match expected internal servers, indicates a successful NTLMv2 authentication to an unexpected destination. Event ID 4625 (Failed Logon) with the same parameters indicates an attempted relay that failed. Enable Security audit policy for Logon Events on all workstations — not just domain controllers — to capture this telemetry at the source.

In email security gateways, flag and quarantine inbound messages containing .lnk file attachments or archive files containing .lnk files — LNK files are rarely legitimate email attachments and are a consistent APT28 delivery mechanism.

Remediation of CVE-2026-32202 has a single definitive step — apply the April 2026 Patch Tuesday cumulative update — but defense-in-depth controls should be implemented in parallel to reduce exposure across any systems where patching is delayed.

CVE-2026-32202 Windows Shell spoofing gives APT28 a zero-click path to NTLMv2 credential theft from every unpatched Windows 10, Windows 11, and Windows Server system — and active exploitation was confirmed yesterday. Apply the April 2026 Patch Tuesday update to all Windows endpoints today, block outbound SMB at the perimeter now, and enable Extended Protection for Authentication on all Microsoft services this week. The patch exists; the only variable is whether your systems receive it before APT28's LNK files do.