The lack of proper patching, it says, resulted in a new vulnerability, tracked as CVE-2026-32202, an authentication coercion vulnerability that can be exploited without user interaction to steal credentials via auto-parsed LNK files.

“We then found an incomplete patch and disclosed it to Microsoft. The new vulnerability, CVE-2026-32202, caused the victim to authenticate the attacker’s server without user interaction (zero click),” Akamai says.

Microsoft released fixes for CVE-2026-32202 as part of the April 2026 patches. Its advisory flags the security defect as exploited, but does not detail the observed attacks.

According to Akamai, these vulnerabilities were likely exploited by APT28 in December 2025, in attacks against Ukraine and European Union countries.

As part of the campaign, the APT used weaponized LNK files that chained CVE-2026-21513 and CVE-2026-21510 to bypass Windows’ security features and achieve remote code execution (RCE).

“APT28 leverages the Windows shell namespace parsing mechanism to load a dynamic link library (DLL) from a remote server using a UNC path. The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation,” Akamai explains.

Analysis of the patches rolled out in February revealed that, while the RCE path was mitigated by enforcing SmartScreen verification of the file’s digital signature and origin zone, “the victim machine was still authenticating to the attacker’s server.”

The issue, Akamai says, is that the trust verification would fire during a call at the end of the launch chain, missing an earlier stage in the chain.

When rendering the contents of the folder containing the malicious LNK file, Windows Explorer asks shell32 to fetch an icon from a UNC path, triggering a server message block (SMB) connection to the attackers’ server without user interaction.

The “connection triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking,” Akamai notes.
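The mechanism described above, where Explorer resolves an LNK file's icon location on its own when the folder is listed, is what a defender can look for on disk. The following Python is an added illustration, not code from the SecurityWeek article or from Akamai; it walks the MS-SHLLINK StringData section of a .lnk file and reports any field whose value is a UNC path. The fixture bytes and the 203.0.113.10 address used in the test are constructed.

```python
import struct

# MS-SHLLINK LinkFlags bits needed to locate and decode the StringData section.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

def parse_lnk_strings(data: bytes) -> dict:
    """Walk a .lnk file far enough to return its StringData fields as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                   # end of the fixed-size header
    if flags & HAS_LINK_TARGET_ID_LIST:          # 2-byte IDListSize followed by IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole struct
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def is_unc_path(value: str) -> bool:
    # True for \\host\share style paths, including \\?\UNC\ and forward-slash spellings.
    return value.strip().replace("/", "\\").startswith("\\\\")

def remote_references(data: bytes) -> list:
    """Names of StringData fields pointing at a network location; icon_location is
    the one Explorer resolves just by listing the folder, as the article describes."""
    return [k for k, v in parse_lnk_strings(data).items() if is_unc_path(v)]

def fixture_lnk(icon: str) -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying only an IconLocation."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I16sI", 0x4C, clsid, HAS_ICON_LOCATION | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))    # remaining header fields left zero
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

Run `remote_references(open(path, "rb").read())` over LNK files arriving by mail or found in user profiles; a non-empty result for `icon_location` is the condition worth alerting on.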
Source: SecurityWeek