APT28 Is Actively Exploiting CVE-2026-32202 — A Zero-Click Windows Shell Flaw That Steals NTLM Hashes
Russia's Fancy Bear is weaponizing a Windows Shell spoofing zero-day to harvest Net-NTLMv2 credential hashes without any user interaction. Microsoft patched it in April Patch Tuesday alongside 166 other CVEs — install the update now.
APT28 — the Russian intelligence-linked threat actor known as Fancy Bear — is actively exploiting CVE-2026-32202, a Windows Shell spoofing vulnerability patched in Microsoft’s April 2026 Patch Tuesday. The flaw lets attackers steal Net-NTLMv2 credential hashes from Windows machines with zero user interaction. Opening a folder that contains a malicious .lnk file is enough to trigger the leak.
What the vulnerability does
CVE-2026-32202 carries a CVSS base score of 4.3 in isolation, but the real danger is what happens downstream. A crafted LNK file forces Windows to auto-open a UNC path, initiating an outbound SMB connection to an attacker-controlled server. That handshake leaks the machine’s Net-NTLMv2 hash, which can then be relayed to authenticate against other systems on the same network — or cracked offline and used to impersonate the victim account entirely.
The zero-click nature is what makes it operationally dangerous in enterprise environments. No email attachment to open, no macro to enable, no phishing link to click. Dropping the file into a shared folder is sufficient.
CVE-2026-32202 exists because Microsoft's February 2026 fix for CVE-2026-21510 was incomplete. APT28 found the gap and resumed exploitation almost immediately, chaining CVE-2026-32202 with CVE-2026-21513 in multi-stage intrusions.
Active since December 2025
Microsoft’s threat intelligence teams and independent researchers have tracked APT28 using this flaw in campaigns targeting Ukrainian government agencies and European Union institutions since at least December 2025. The group uses NTLM hash relay as an initial pivot to gain access to Kerberos-protected environments before deploying secondary payloads.
April’s Patch Tuesday fixed 167 CVEs in total, including a second zero-day under active exploitation: CVE-2026-32201, a Remote Code Execution flaw in SharePoint Server. Microsoft has not disclosed how many endpoints have been compromised in the Windows Shell campaign specifically.
What to do
Install the April 2026 cumulative update for Windows immediately. This is not optional if your environment uses shared network drives, NTLM authentication, or Active Directory.
Alongside patching:
- Block outbound SMB (TCP 445) at the network perimeter to prevent hash relay to external servers
- Enable Extended Protection for Authentication (EPA) on every service that accepts NTLM credentials
- Audit LNK files on shared drives — recently created shortcuts with unusual UNC targets warrant immediate investigation
- Deploy Microsoft Defender for Endpoint detections for LNK-based UNC coercion if you haven’t already; the signatures were updated in the April intelligence refresh
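The LNK audit in the third bullet, as an added example that is not part of this article: a small Python parser (layout per MS-SHLLINK) that pulls the network target and every StringData field out of a shortcut and reports any UNC host that falls outside RFC 1918 space or the organisation's own DNS suffix. The `.corp.example` suffix, the sample hosts and the fixture builder are constructed assumptions for the demonstration.

```python
import re
import struct
from ipaddress import ip_address, ip_network

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # fixed Shell Link class id (MS-SHLLINK)
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x1, 0x2, 0x80        # LinkFlags bits
STRING_FLAGS = (0x4, 0x8, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def lnk_strings(data: bytes) -> list[str]:
    """Every string field of a .lnk that can carry a UNC path: the network target and StringData."""
    if len(data) < 76 or data[:20] != struct.pack("<I", 0x4C) + CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, found = 76, []
    if flags & HAS_IDLIST:  # skip LinkTargetIDList; its size word does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li = struct.unpack_from("<7I", data, pos)  # size, header size, flags, four offsets
        if li[2] & 0x2:  # CommonNetworkRelativeLink present: NetName is the \\server\share
            cnrl = pos + li[5]
            start = cnrl + struct.unpack_from("<I", data, cnrl + 8)[0]
            found.append(data[start:data.index(b"\0", start)].decode("cp1252"))
        pos += li[0]
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    for bit in STRING_FLAGS:  # StringData blocks appear in this fixed order, each count-prefixed
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * width
            found.append(data[pos + 2:pos + 2 + n].decode(enc))
            pos += 2 + n
    return found

def is_external(host: str, internal_suffixes=(".corp.example",)) -> bool:
    """RFC 1918 addresses, bare NetBIOS names and the org's own DNS suffixes count as internal."""
    try:
        return not any(ip_address(host) in net for net in RFC1918)
    except ValueError:
        return "." in host and not host.lower().endswith(internal_suffixes)

def audit_lnk(data: bytes, internal_suffixes=(".corp.example",)) -> set[str]:
    """Hosts named in UNC paths inside the shortcut that fall outside the organisation."""
    hosts = {h for s in lnk_strings(data) for h in UNC_RE.findall(s)}
    return {h for h in hosts if is_external(h, internal_suffixes)}

def build_sample_lnk(net_name: bytes, icon: str) -> bytes:  # constructed test fixture, not a capture
    cnrl = struct.pack("<5I", 0x14 + len(net_name) + 1, 0x2, 0x14, 0, 0x20000) + net_name + b"\0"
    linkinfo = struct.pack("<7I", 29 + len(cnrl), 28, 0x2, 0, 0, 28, 28 + len(cnrl)) + cnrl + b"\0"
    header = struct.pack("<I16sI", 0x4C, CLSID, HAS_LINKINFO | 0x40 | IS_UNICODE) + bytes(52)
    return header + linkinfo + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

Feed `audit_lnk` the bytes of each recently modified `.lnk` on a share; a non-empty result is the "unusual UNC target" the bullet describes.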
NTLM credential relay has been a reliable lateral movement technique for over a decade. CVE-2026-32202 makes it zero-click, and APT28 has months of operational practice with this specific variant. The patch is available. There is no acceptable reason to delay it.