A Shortcut to Coercion: Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202

Akamai researchers discovered that Microsoft's patch for an APT28 zero-day (CVE-2026-21510) was incomplete, resulting in a new zero-click authentication coercion vulnerability (CVE-2026-32202). While the patch successfully mitigated remote code execution by adding SmartScreen verification, it failed to prevent Windows Explorer from initiating an SMB connection to resolve UNC paths during icon extraction, allowing attackers to steal Net-NTLMv2 hashes without user interaction.

Confidence: high | Analyzed: 2026-04-24

Authors: Akamai Researchers

Actors: APT28 (Fancy Bear)

Source: Akamai

IOCs · 1

  • filename: \\attacker.com\share\payload.cpl
    Conceptual UNC path used in the LNK file to point to the attacker's remote payload, triggering outbound SMB connections.

Key Takeaways

  • An incomplete patch for APT28's CVE-2026-21510 resulted in a new zero-click authentication coercion vulnerability (CVE-2026-32202).
  • The original exploit used a malicious LNK file with a UNC path to bypass SmartScreen and load a remote DLL as a Control Panel (CPL) object.
  • Microsoft's initial patch added SmartScreen verification but only at the end of the launch chain, leaving earlier path resolution steps vulnerable.
  • Navigating to a folder containing the malicious LNK triggers Windows Explorer to resolve the UNC path for icon extraction, initiating an SMB connection.
  • This zero-click SMB connection forces an NTLM authentication handshake, exposing the victim's Net-NTLMv2 hash to the attacker.

Affected Systems

  • Windows OS
  • Windows Explorer (explorer.exe)
  • shell32.dll

Vulnerabilities (CVEs)

  • CVE-2026-21510
  • CVE-2026-21513
  • CVE-2026-32202

Attack Chain

Threat actors deliver a weaponized LNK file containing a LinkTargetIDList with a UNC path pointing to a malicious CPL payload. When the victim navigates to the folder containing the LNK file, Windows Explorer automatically attempts to extract the icon for the CPL object using the CControlPanelFolder::GetUIObjectOf function. This triggers PathFileExistsW to resolve the UNC path, initiating an SMB connection to the attacker's server. The victim's machine automatically performs an NTLM authentication handshake, exposing the Net-NTLMv2 hash to the attacker for relay attacks or offline cracking.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR solutions can monitor outbound network connections from explorer.exe, but the internal LNK parsing and COM object instantiation occur natively within shell32.dll, which may lack granular telemetry.
  • Network Visibility: High — Outbound SMB traffic (port 445) to external or untrusted IP addresses is highly visible at the network perimeter.
  • Detection Difficulty: Moderate — Detecting outbound SMB to the internet is straightforward, but distinguishing malicious LNK parsing from legitimate internal network share access requires filtering out RFC1918 IP space.

Required Log Sources

  • Sysmon Event ID 3 (Network Connection)
  • Windows Security Event ID 4624 (Logon)
  • Firewall Logs (Port 445 traffic)

Hunting Hypotheses

  • Hypothesis: Look for explorer.exe initiating outbound network connections on port 445 to non-RFC1918 IP addresses, indicating potential NTLM coercion via malicious LNK files.
    Telemetry: Process and network connection logs (e.g., Sysmon Event ID 3)
    ATT&CK Stage: Credential Access
    FP Risk: Low
  • Hypothesis: Search for LNK files created on disk that contain the Control Panel CLSID {26EE0668-A00A-44D7-9371-BEB064C98683} combined with a UNC path.
    Telemetry: File creation logs and LNK file parsing utilities
    ATT&CK Stage: Execution
    FP Risk: Medium
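The first hypothesis above, implemented as an added hunting example that is not part of the Akamai report or this page: it filters Sysmon Event ID 3 records (exported as JSON lines, using Sysmon's own field names Image, Protocol, DestinationIp and DestinationPort) for explorer.exe reaching TCP/445 outside RFC1918, loopback and link-local space. The sample records are constructed.

```python
import ipaddress
import json

# Address space treated as "internal": RFC1918 plus loopback and link-local.
# explorer.exe talking SMB to anything else is the hunting signal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip: str) -> bool:
    """True if the destination is RFC1918, loopback or link-local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable destination: surface it for review
    if addr.version == 6:
        return addr.is_private or addr.is_loopback or addr.is_link_local
    return any(addr in net for net in INTERNAL_NETS)


def is_explorer_smb_coercion(event: dict) -> bool:
    """Sysmon Event ID 3: explorer.exe -> TCP/445 -> non-internal address."""
    if event.get("EventID") != 3:
        return False
    if not event.get("Image", "").lower().endswith("\\explorer.exe"):
        return False
    if event.get("Protocol", "").lower() != "tcp":
        return False
    if int(event.get("DestinationPort", 0)) != 445:
        return False
    return not is_internal(event.get("DestinationIp", ""))


def hunt(lines):
    """Return the matching events from a JSON-lines Sysmon export."""
    events = (json.loads(l) for l in lines if l.strip())
    return [e for e in events if is_explorer_smb_coercion(e)]


# Constructed sample records (not real telemetry): one coercion-style hit, one
# legitimate internal share access, one non-explorer process, one HTTPS flow.
SAMPLE_LOG = """
{"EventID": 3, "Image": "C:\\\\Windows\\\\explorer.exe", "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 445}
{"EventID": 3, "Image": "C:\\\\Windows\\\\explorer.exe", "Protocol": "tcp", "DestinationIp": "10.20.30.40", "DestinationPort": 445}
{"EventID": 3, "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe", "Protocol": "tcp", "DestinationIp": "198.51.100.7", "DestinationPort": 445}
{"EventID": 3, "Image": "C:\\\\Windows\\\\explorer.exe", "Protocol": "tcp", "DestinationIp": "93.184.216.34", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"ALERT explorer.exe -> {hit['DestinationIp']}:445")
```

Pivot each hit on the user context from Security Event ID 4624 and the firewall's view of the same flow before escalating.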

Control Gaps

  • SmartScreen validation is bypassed because the SMB connection occurs during icon extraction before the ShellExecute trust verification phase.
  • Mark of the Web (MotW) is not validated prior to the UNC path resolution.

Key Behavioral Indicators

  • explorer.exe making outbound SMB connections
  • LNK files with embedded UNC paths in the LinkTargetIDList

False Positive Assessment

  • Low for external SMB connections, as legitimate outbound SMB to the internet is rare.
  • Medium for internal LNK file parsing, as legitimate network shares are frequently accessed via LNK files.

Recommendations

Immediate Mitigation

  • Apply the latest Microsoft security updates that address CVE-2026-32202.
  • Block outbound SMB (port 445) traffic at the perimeter firewall to prevent NTLM hash exfiltration.

Infrastructure Hardening

  • Restrict NTLM authentication across the domain by adding privileged users to the Protected Users security group.
  • Disable NTLMv1 and NTLMv2 if Kerberos is fully supported and configured.

User Protection

  • Implement EDR rules to block explorer.exe from initiating SMB connections to external IP addresses.
  • Configure Windows to prevent automatic icon extraction for network files if possible.

Security Awareness

  • Educate users on the risks of extracting archives from untrusted sources, noting that simply viewing a folder can trigger an attack.

MITRE ATT&CK Mapping

  • T1187 - Forced Authentication
  • T1559.001 - Inter-Process Communication: Component Object Model
  • T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
  • T1555.004 - Credentials from Password Stores: Windows Credential Manager