
CVE-2026-32202: APT28 Exploits Zero-Click Windows Shell Flaw to Steal NTLM Credentials

Russian APT28 weaponizes an incomplete Windows Shell patch to silently harvest NTLM hashes — no clicks required. Here's what Saudi CISOs must do now.

FyntraLink Team

A zero-click credential theft vulnerability in Windows Shell — CVE-2026-32202 — is being actively weaponized by Russia's APT28 group to silently harvest NTLM authentication hashes from targets across Europe and the Middle East. The flaw, which stems from an incomplete patch for a previously known zero-day, requires no user interaction whatsoever: simply rendering a malicious .lnk file in Windows Explorer is enough to leak domain credentials to an attacker-controlled server.

How CVE-2026-32202 Enables Zero-Click Credential Theft

The vulnerability exploits a fundamental behavior in Windows Shell: when the operating system encounters a shortcut (.lnk) file containing a UNC path, it automatically attempts to resolve that path via SMB. During this resolution, Windows initiates an NTLM authentication handshake with whatever server the UNC path points to. An attacker who controls that server receives the victim's Net-NTLMv2 hash without the user ever opening, executing, or even clicking the malicious file. The hash is transmitted the moment Windows Explorer renders the file's icon in a folder view, a network share, or a USB drive listing.

Akamai's security research team confirmed that CVE-2026-32202 is a direct result of an incomplete fix for an earlier zero-day (CVE-2026-21513). Microsoft's April 2026 patch addressed the immediate exploitation vector but failed to fully remediate the underlying NTLM coercion mechanism, leaving a second attack path open. Making matters worse, Microsoft initially omitted the "Exploited" flag from the advisory — a mistake that was only corrected on April 27 after CISA intervened.

APT28's Campaign: From NTLM Hash to Full Domain Compromise

APT28 — also tracked as Fancy Bear, Forest Blizzard, and Pawn Storm — has been chaining CVE-2026-32202 with CVE-2026-21513 in campaigns that began targeting Ukrainian and EU government networks in late 2025. The attack chain is elegantly simple: distribute .lnk files via spear-phishing or by placing them on publicly accessible network shares, then collect the resulting NTLM hashes. Once captured, these hashes can be used in two devastating ways: NTLM relay attacks that authenticate to internal services like SharePoint, Exchange, and file servers in real time, or offline brute-force cracking that recovers plaintext passwords for persistent access.

The group has used this technique to move laterally into Microsoft 365 environments, on-premises SharePoint sites, and sensitive file archives. Because the initial credential theft is completely silent, victims often discover the compromise only after significant data exfiltration has already occurred. This is not a theoretical risk — CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog and set a mandatory remediation deadline for all U.S. federal agencies.

Why Saudi Financial Institutions Are Particularly Exposed

NTLM remains deeply embedded in the authentication infrastructure of many Saudi financial institutions. Legacy banking applications, internal portals, and older Active Directory configurations frequently rely on NTLM as a fallback authentication protocol, even when Kerberos is the primary mechanism. The zero-click nature of CVE-2026-32202 means that a single malicious .lnk file placed on an internal network share — or received as an email attachment that triggers a preview pane render — can compromise domain credentials without any security awareness training being able to prevent it.

SAMA's Cyber Security Framework (CSCC) explicitly requires financial institutions to implement controls against credential theft and lateral movement under domains 3.3 (Identity and Access Management) and 3.4 (Application Security). The NCA Essential Cybersecurity Controls (ECC) reinforces this through controls 2-4 (Network Security Management) and 2-6 (Vulnerability Management), mandating timely patching and network segmentation to limit the blast radius of credential compromise. Any institution still running unpatched Windows systems with NTLM enabled is simultaneously violating both frameworks.

Detection: Identifying NTLM Coercion in Your Environment

Traditional endpoint detection tools may not flag CVE-2026-32202 exploitation because no executable code runs on the victim machine — the attack operates entirely through legitimate Windows Shell behavior. Security teams need to focus on network-level detection instead. Monitor for outbound SMB connections (TCP port 445) to external IP addresses or unknown internal hosts, particularly from workstations that should not be initiating SMB sessions. Windows Event ID 4648 (logon with explicit credentials) and Event ID 4624 Type 3 (network logon) entries pointing to unfamiliar servers are strong indicators of NTLM relay activity.

Deploy rules in your SIEM to alert on .lnk files appearing in unusual locations such as email attachment directories, temporary folders, or network shares that are writable by non-administrative accounts. EDR solutions should be configured to monitor for .lnk file creation events where the target path contains a UNC reference to an external or suspicious IP address. Organizations running Microsoft Defender for Endpoint should verify that the specific detection rule for CVE-2026-32202 is active and not suppressed by policy exceptions.
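As an added example (not code from the original post or from FyntraLink), a small Python parser for the Shell Link (.lnk) binary format that pulls the UNC paths out of the LinkInfo network name and the IconLocation string, then flags hosts that fall outside an assumed internal policy. The sample shortcut bytes are constructed by `build_lnk`, and the private-range rule and the `.corp.example` DNS suffix are assumptions a team would replace with its own; the check is meant to run over .lnk files collected from the locations the paragraphs above describe.

```python
import ipaddress, re, struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID from MS-SHLLINK
HAS_ID_LIST, HAS_LINK_INFO, HAS_ICON_LOCATION, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, HAS_ICON_LOCATION)   # StringData fields, in file order
# Assumed internal policy: RFC1918 and loopback are internal, any other IP is external
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def build_lnk(net_name=None, icon_path=None):
    """Constructed sample .lnk: header, optional LinkInfo NetName, optional IconLocation string."""
    flags = IS_UNICODE | (HAS_LINK_INFO if net_name else 0) | (HAS_ICON_LOCATION if icon_path else 0)
    out = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    if net_name:
        name = net_name.encode("ascii") + b"\0"
        cnrl = struct.pack("<5I", 0x14 + len(name), 0, 0x14, 0, 0) + name   # NetNameOffset = 0x14
        out += struct.pack("<7I", 0x1C + len(cnrl) + 1, 0x1C, 0x2, 0, 0, 0x1C, 0x1C + len(cnrl)) + cnrl + b"\0"
    if icon_path:
        out += struct.pack("<H", len(icon_path)) + icon_path.encode("utf-16-le")
    return out

def extract_unc_paths(data):
    # Returns the UNC paths carried in the LinkInfo NetName and IconLocation fields
    if data[:20] != struct.pack("<I16s", 0x4C, LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags, pos, paths = struct.unpack_from("<I", data, 20)[0], 0x4C, []
    if flags & HAS_ID_LIST:                                   # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, _, _, cnrl_off, _ = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x2:                                    # CommonNetworkRelativeLinkAndPathSuffix
            start = pos + cnrl_off + struct.unpack_from("<I", data, pos + cnrl_off + 8)[0]
            paths.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        pos += li_size
    for flag in STRING_DATA_FLAGS:                            # CountCharacters then characters
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0] * (2 if flags & IS_UNICODE else 1)
            text = data[pos + 2:pos + 2 + n].decode("utf-16-le" if flags & IS_UNICODE else "cp1252")
            pos += 2 + n
            if flag == HAS_ICON_LOCATION:
                paths.append(text)
    return paths

def is_external(host, internal_suffixes=(".corp.example",)):
    try:
        return not any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:   # hostnames: bare NetBIOS names and the assumed internal DNS suffix are internal
        return "." in host and not host.lower().endswith(internal_suffixes)

def suspicious_unc_hosts(data, internal_suffixes=(".corp.example",)):
    """Hosts from the shortcut's UNC paths that fall outside the internal policy, deduplicated."""
    hosts = [m.group(1) for p in extract_unc_paths(data) if (m := re.match(r"\\\\([^\\]+)", p))]
    return sorted({h for h in hosts if is_external(h, internal_suffixes)})
```

Any non-empty result from `suspicious_unc_hosts` on a shortcut found in a mail attachment folder or a writable share is the event the preceding paragraph asks the EDR or SIEM rule to raise.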

Recommendations for Immediate Action

  1. Apply KB5036893 immediately: Microsoft's April 2026 cumulative update addresses CVE-2026-32202. Prioritize all domain-joined Windows workstations and servers, especially those in financial trading floors, treasury operations, and executive offices where credential value is highest.
  2. Restrict outbound NTLM traffic: Configure Group Policy to restrict NTLM authentication to approved internal servers only. Set "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny all" and create explicit exceptions only for verified internal services.
  3. Enable EPA and channel binding: Extended Protection for Authentication (EPA) and channel binding prevent NTLM relay attacks by tying the authentication to the specific TLS channel. Enable these on all IIS, Exchange, ADFS, and SharePoint servers.
  4. Block outbound SMB at the perimeter: Ensure TCP 445 and TCP 139 are blocked on all egress firewall rules. This single control eliminates the external exfiltration path for NTLM hashes regardless of the specific vulnerability being exploited.
  5. Accelerate Kerberos-only migration: Begin planning the deprecation of NTLM across your Active Directory environment. Microsoft has provided guidance through its NTLM deprecation roadmap — Saudi financial institutions should treat this as a compliance requirement under SAMA CSCC domain 3.3.
  6. Hunt retroactively: Query your SIEM for outbound SMB connections to external IPs over the past 120 days. Given that APT28's campaign began in December 2025, any institution that was unpatched during that window should assume potential compromise and initiate a credential rotation for affected accounts.

Conclusion

CVE-2026-32202 is a stark reminder that credential theft does not require sophisticated malware or user mistakes — sometimes a shortcut file and an incomplete patch are enough. APT28's exploitation of this flaw demonstrates that nation-state actors are actively targeting the authentication layer, and the zero-click nature of the attack renders traditional user awareness controls ineffective. For Saudi financial institutions, where NTLM often persists in legacy systems, this vulnerability demands immediate patching, aggressive network monitoring, and a serious commitment to NTLM deprecation.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that includes NTLM exposure analysis and credential theft readiness evaluation.