CVE-Deep-Dive
By Lyrie.ai Cyber Research Division·5/5/2026

TL;DR

A February 2026 Patch Tuesday fix for an APT28-weaponised Windows Shell zero-day (CVE-2026-21510) was incomplete. The incomplete fix left a residual zero-click authentication-coercion path that Akamai researchers discovered and reported as a new vulnerability: CVE-2026-32202. Exploiting it requires nothing more than getting a target to possess a malicious LNK file — no additional clicks, no browser visit, no macro approval. The victim's machine automatically authenticates to the attacker's server over SMB, leaking a Net-NTLMv2 hash that can be relayed or cracked offline. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on April 28, 2026, with a mandatory FCEB patch deadline of May 12, 2026. Active exploitation has been confirmed; attribution traces back to the same Russian GRU-linked group that pioneered the original exploit chain.


Background: The Three-CVE Ghost Train

To understand CVE-2026-32202, you have to trace it back through the two earlier bugs it grew out of, which means starting in December 2025 and working forward.

December 2025 — APT28 Fires the Opening Shot

Ukraine's CERT-UA documented a wave of attacks against Ukrainian government entities and several EU member-state networks. The weapon of choice: a weaponised Windows Shortcut (.lnk) file, distributed via spear-phishing email. The file exploited two vulnerabilities in tandem:

  • CVE-2026-21510 (CVSS 8.8) — A protection-mechanism failure in Windows Shell allowing SmartScreen bypass and unsigned remote DLL execution via Control Panel object loading.
  • CVE-2026-21513 (CVSS 8.8) — A companion protection-mechanism failure in the MSHTML (Trident) framework, also enabling SmartScreen bypass via a crafted network path.

Together, these two flaws formed a double-bypass exploit chain. A single LNK file could load attacker-controlled code from a remote UNC path — effectively executing a remotely hosted DLL with no SmartScreen warning and no Mark of the Web (MotW) prompt to alert the user.

Akamai's threat research team detected this exploit in January 2026 after finding a malicious artifact in the wild. They disclosed both CVEs to Microsoft under responsible-disclosure terms. Microsoft patched both in the February 2026 Patch Tuesday update, but withheld the full technical root-cause detail for CVE-2026-21510 at Akamai's request, because the researchers had spotted something wrong with the fix.

February 2026 — The Patch That Didn't Patch

Akamai used their internal PatchDiff-AI tooling to analyse the February security update. What they found: Microsoft's fix for CVE-2026-21510 successfully introduced a SmartScreen scan of the .cpl payload's digital signature and origin zone — effectively blocking the remote code execution path. The DLL would now be checked before execution. So far, so good.

But the patch didn't stop Windows from fetching the file in the first place.

When a LNK file's LinkTargetIDList structure encodes a UNC path to a Control Panel (CPL) object — formatted as ::{26EE0668...}\0\{GUID} — Windows Shell's explorer.exe still resolves the UNC path to locate the CPL component. That resolution process triggers an automatic SMB connection to the attacker-controlled server. And SMB connections trigger an automatic NTLM authentication handshake in which the victim's machine transmits its Net-NTLMv2 hash — without any user interaction.

The attack surface changed from "run my malware" to "give me your credentials" — still zero-click, still powerful, and now immune to the February fix.

Akamai disclosed this residual vulnerability to Microsoft. The result: CVE-2026-32202, formally patched as part of April 2026 Patch Tuesday.


Technical Analysis

The Exploit Mechanism in Detail

The original APT28 exploit abused a quirk in how shell32.dll parses LinkTargetIDList binary structures embedded in .lnk files:

1. IDList construction: The malicious LNK file's LinkTargetIDList contains three IDList items:

- IDList #0: A CLSID pointing to the Control Panel COM object ({26EE0668-A00A-44D7-9371-BEB064C98683})

- IDList #1: A representation of "all control panel items"

- IDList #2: An _IDCONTROLW structure embedding a UNC path (e.g., \\attacker.com\share\payload.cpl) as the CPL module path

2. Shell processing: When explorer.exe encounters this LNK, it follows the standard ShellExecute pipeline for CPL objects — parsing the IDList, resolving the CPL path, and contacting the server to load the DLL.

3. Zone bypass: Because the path is expressed as a Control Panel namespace path rather than an ordinary UNC path, the pre-February code skipped the network-zone validation check entirely — no SmartScreen, no MotW, no warning. The February patch added a SmartScreen scan at the point of CPL execution.

4. Residual coercion (CVE-2026-32202): The February patch blocked execution, but not the resolve-and-fetch step. Windows still contacts \\attacker.com via SMB to locate the file. That SMB handshake triggers NTLM authentication: the victim machine sends a Net-NTLMv2 challenge-response to the attacker's server.

The attacker operating the SMB listener captures the hash. It can then:

  • Be used in NTLM relay attacks against internal services (e.g., Exchange, SharePoint, SMB shares)
  • Be submitted to offline cracking with tools like Hashcat, where modern GPU clusters can exhaust common password spaces in hours

Why "Zero-Click" Matters Here

The term zero-click is often associated with mobile exploits (Pegasus, etc.) where remote code execution requires no user interaction whatsoever. CVE-2026-32202 isn't quite in that category: the victim does need to possess the LNK file, which typically means opening a folder containing it in Explorer. But critically, they do not need to double-click it. Merely having Windows Explorer render the directory listing is sufficient for the shell to process the IDList and initiate the outbound SMB authentication. From an attacker's perspective, this lowers the bar from "user executes payload" to "user receives and stores file."

Delivery vectors include:

  • Email attachment (direct LNK, or LNK inside an ISO/ZIP/7z archive to bypass MotW)
  • SharePoint or OneDrive shared link to a folder containing the LNK
  • USB drop / physical access
  • Lateral movement within already-compromised networks (place LNK in shared drives)

The Broader Exploit Chain Context

CVE-2026-32202 does not exist in isolation. In the original APT28 campaign, CVE-2026-21510 was chained with CVE-2026-21513 (MSHTML framework bypass). MSHTML, the legacy Trident rendering engine still present in Windows for backward compatibility with HTA files and some Office OLE objects, provided a second pathway to trigger the same namespace-parsing logic via a different attack surface.

The full kill chain documented by CERT-UA and Akamai:

Phishing email
  → Malicious LNK attachment
    → CVE-2026-21510: Windows Shell CPL namespace UNC path, SmartScreen bypass → DLL execution
    → CVE-2026-21513: MSHTML namespace path variant, alternate bypass route
      → Attacker DLL loads from UNC share
        → Post-exploitation: reconnaissance, lateral movement, intelligence collection

After the February patch, the RCE was blocked, but the NTLM coercion leg survived. Now that the April patch is out, CVE-2026-32202 represents the residual coercion capability: enough for credential harvesting even where the full chain is broken.

Who's Being Targeted and By Whom

APT28 (Fancy Bear / Forest Blizzard / GruesomeLarch / Pawn Storm) — Russian GRU Main Centre for Special Technologies (GTsST, Unit 26165). The group's original campaign targeted:

  • Ukrainian government and military agencies (confirmed by CERT-UA)
  • EU member-state government networks (specific countries not publicly disclosed, but the December 2025 campaign is well-documented)

Separately, Kimsuky (DPRK-linked, also known as Thallium / Velvet Chollima) has been exploiting CVE-2024-1708 (ConnectWise ScreenConnect path traversal, CVSS 8.4), the second vulnerability added to KEV in the same April 28 CISA alert, to deploy a new malware variant called ToddlerShark:

  • ToddlerShark characteristics: Polymorphic, designed for long-term intelligence collection; uses legitimate Microsoft binaries (living-off-the-land) to evade AV/EDR; modifies registry keys to lower defenses; establishes persistence via scheduled tasks.
  • Context: CVE-2024-1708 was patched in February 2024, but unpatched ScreenConnect deployments remain a standing target. China-linked Storm-1175 has also been exploiting legacy ScreenConnect flaws (including CVE-2024-1709, CVSS 10.0, an authentication bypass) to deploy Medusa ransomware.

The convergence of Russian, North Korean, and Chinese threat actors all actively exploiting Windows and remote-access tool vulnerabilities in the same CISA KEV batch is a signal: credential-harvesting and remote-access infrastructure compromise are the common thread, regardless of nation-state origin.


Indicators of Compromise (IOCs)

Based on published Akamai, CERT-UA, and open-source reporting:

| Type | Value | Notes |
|---|---|---|
| MITRE Technique | T1204.001 | Malicious link execution |
| MITRE Technique | T1187 | Forced authentication (NTLM coercion) |
| MITRE Technique | T1566.001 | Spear-phishing attachment |
| MITRE Technique | T1055 | Process injection (post-exploitation) |
| MITRE Technique | T1547.001 | Registry run-key persistence (ToddlerShark) |
| File type | .lnk with embedded LinkTargetIDList containing CLSID {26EE0668-A00A-44D7-9371-BEB064C98683} | Indicator of CPL namespace abuse |
| Network pattern | Outbound SMB (TCP 445) to external / non-corporate IPs from workstations | NTLM coercion traffic |
| Network pattern | NTLM challenge-response packets to non-domain IPs | Credential leak signal |
| Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run modifications | ToddlerShark persistence |
| CVE chain | CVE-2026-21510 + CVE-2026-21513 + CVE-2026-32202 | APT28 Windows Shell trilogy |
| CVE chain | CVE-2024-1708 + CVE-2024-1709 | ScreenConnect exploit pair |


Lyrie Take

CVE-2026-32202 is a textbook example of a patch that solved the stated problem while leaving the underlying attack surface intact. Microsoft correctly identified the RCE vector and blocked DLL execution without signature validation. But the threat model for this class of vulnerability — Windows Shell namespace parsing via LNK files — extends beyond code execution: authentication coercion is a first-class attack outcome, and patching the execution path without also sanitising the network-resolution path left defenders with a false sense of closure.

From a threat-modelling perspective, this is the "partially-closed door" problem. The defender believes the window is locked; the attacker knows the door is still open a crack. APT28, a GRU unit with decades of Windows internals expertise, would have recognised this residual attack surface as soon as the February patch dropped. The fact that Akamai's researchers found it first and disclosed responsibly is a credit to the external research community — and a reminder that vendor patch analysis by independent researchers consistently catches things internal patch reviews miss.

The NTLM coercion angle deserves specific emphasis. In 2026, NTLM relay and hash-cracking are not novel — they've been in attacker playbooks for over a decade. But organisations continue to leave NTLM authentication enabled across their networks because disabling it breaks legacy systems. Every new credential-coercion CVE is therefore an amplifier on an already-existing structural weakness. Until NTLM is fully deprecated and replaced with Kerberos / modern auth across the Windows ecosystem, this class of vulnerability will recur.

For Lyrie's detection capabilities: LNK files with embedded CPL namespace paths pointing to UNC shares are an anomaly that modern EDR and file-integrity systems can flag on ingest. The outbound SMB coercion is also detectable at the network layer — any workstation initiating an SMB session to a non-corporate external IP, especially with NTLM handshake traffic, is a high-confidence alert.


Defender Playbook

Immediate (within 24 hours)

1. Apply April 2026 Patch Tuesday — CVE-2026-32202 is fixed in the April update. If your patching cycle is lagging, this is an emergency pull-forward. FCEB deadline is May 12, 2026.

2. Block outbound SMB at the perimeter — TCP/UDP 445 and 139 should never egress from workstations to non-internal IPs. If this traffic is flowing, you have bigger problems than CVE-2026-32202. Add explicit deny rules on your perimeter firewall and NGFW.

3. Enable SMB signing and require it — Even if a coerced NTLM handshake occurs, SMB signing prevents relay attacks. Set RequireSecuritySignature = 1 via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options).

4. Audit NTLM usage — Use Windows Event ID 4624 (Logon Type 3, NTLM package) and Netlogon debug logging to baseline NTLM usage in your environment. Identify any legacy systems requiring NTLM and plan migration to Kerberos. Consider enabling NTLM restriction policies (Network Security: Restrict NTLM) where feasible.

5. Hunt for suspicious LNK files — Search endpoint file-system telemetry for .lnk files in user download directories, email attachment landing zones, and recently-synced OneDrive/SharePoint folders. Alert on any LNK file with an embedded LinkTargetIDList containing the Control Panel CLSID {26EE0668-A00A-44D7-9371-BEB064C98683} pointing to a UNC path.
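The hunt rule in step 5 (and the IDList layout described under "The Exploit Mechanism in Detail") can be turned into a file-level check. The following is an added example written for this article, not code from Akamai or Microsoft: it walks the MS-SHLLINK ShellLinkHeader and LinkTargetIDList, and flags a shortcut only when an ItemID carries the Control Panel CLSID and an ItemID carries a UNC path. The sample .lnk it builds is a constructed fixture with an invented hostname, not a functional shortcut, and the 0x1F root-item prefix and the exact _IDCONTROLW layout are not reproduced (assumption: scanning ItemID bytes for the CLSID and for UNC text is enough for a triage rule).

```python
import re
import struct
import uuid

# Control Panel CLSID from the page, in the little-endian binary form found inside ItemIDs
CONTROL_PANEL_CLSID = uuid.UUID("{26EE0668-A00A-44D7-9371-BEB064C98683}").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1  # LinkFlags bit A in the ShellLinkHeader (MS-SHLLINK 2.1.1)
UNC_BYTES = re.compile(rb"\\\\[^\\\x00]+\\[^\x00]+")  # ANSI \\host\share\...
UNC_TEXT = re.compile(r"\\\\[^\\\x00]+\\[^\x00]+")    # same pattern after UTF-16LE decoding

def parse_link_target_idlist(data: bytes) -> list:
    if (len(data) < 0x4E or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or not struct.unpack_from("<I", data, 0x14)[0] & HAS_LINK_TARGET_ID_LIST):
        return []  # wrong HeaderSize, or no LinkTargetIDList present
    # IDListSize (2 bytes) follows the 0x4C-byte header; ItemIDs run until a 0x0000 TerminalID
    end = min(len(data), 0x4E + struct.unpack_from("<H", data, 0x4C)[0])
    pos, items = 0x4E, []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size < 2:  # 0x0000 is the TerminalID; any other value below 2 is corrupt
            break
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items

def extract_unc(item: bytes):
    # UNC text inside an ItemID may be ANSI or UTF-16LE (possibly starting at an odd offset)
    m = UNC_BYTES.search(item)
    if m:
        return m.group(0).decode("latin-1")
    for start in (0, 1):
        m = UNC_TEXT.search(item[start:].decode("utf-16-le", errors="ignore"))
        if m:
            return m.group(0)
    return None

def find_cpl_unc_coercion(data: bytes):
    # Hunt rule from the page: Control Panel CLSID in the IDList *and* a UNC path in the IDList
    items = parse_link_target_idlist(data)
    if not any(CONTROL_PANEL_CLSID in item for item in items):
        return None
    return next((u for u in map(extract_unc, items) if u), None)

def build_sample_lnk(target: str, control_panel: bool = True) -> bytes:
    # Constructed test input: minimal header plus a three-item IDList; not a functional shortcut
    link_clsid = uuid.UUID("{00021401-0000-0000-C000-000000000046}").bytes_le
    header = struct.pack("<I16sI", 0x4C, link_clsid, HAS_LINK_TARGET_ID_LIST).ljust(0x4C, b"\x00")
    items = [b"\x1f" + (CONTROL_PANEL_CLSID if control_panel else bytes(16)), b"\x00\x00", target.encode("utf-16-le")]
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body
```

Run it over the bytes of each .lnk harvested from download folders and attachment landing zones; a non-None return is the alert condition from step 5, and the returned path is the host to pivot on in SMB logs.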

Short-term (within one week)

6. Deploy network IDS rules for NTLM authentication to external IPs — Snort/Suricata rules detecting NTLM NEGOTIATE/CHALLENGE/AUTHENTICATE sequences destined for non-RFC1918 addresses. Alert priority: critical.

7. Patch ConnectWise ScreenConnect to version 23.9.8+ if you haven't — CVE-2024-1708 (CVSS 8.4) is being actively weaponised by Kimsuky for ToddlerShark deployment. This flaw is two years old and should not still be unpatched in production.

8. Review exposed RMM/remote-access infrastructure — Storm-1175 is deploying Medusa ransomware through legacy ScreenConnect flaws. Audit all remote management tooling for unpatched versions, unusual scheduled tasks, and registry persistence keys matching the ToddlerShark profile.

9. Enable Credential Guard (Windows 11 / Server 2025 where supported) — Virtualisation-based security (VBS) isolates NTLM hashes in a protected environment, making relay attacks significantly harder even if coercion succeeds.

10. Threat-hunt for APT28 TTPs — If you operate in sectors targeted by APT28 (government, defence, energy, EU-adjacent organisations), run a backward-looking hunt for LNK-initiated outbound SMB from December 2025 forward. The original campaign predates the CVE disclosure.
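Steps 2 and 6 (and the network-layer point in the Lyrie Take) reduce to one rule: an internal workstation opening TCP 445 or 139 to a non-corporate address is an alert, and it is critical if an NTLM exchange rode on that flow. The following is an added example for this article, not a vendor's or the Akamai team's code; it applies that rule to a constructed flow-log format (ts,src,src_port,dst,dst_port,proto,services), with 203.0.113.0/24 standing in for an organisation's own public range and 198.51.100.23 playing the listener, both assumptions.

```python
import ipaddress
from dataclasses import dataclass

SMB_PORTS = {445, 139}
# RFC1918 plus loopback, plus a constructed stand-in for the organisation's own public range
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "203.0.113.0/24")]

@dataclass
class Finding:
    src: str
    dst: str
    dst_port: int
    severity: str  # "critical" when an NTLM exchange was seen on the flow, else "high"

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)

def flag_outbound_smb(lines) -> list:
    # Each line: ts,src,src_port,dst,dst_port,proto,services  (constructed flow-log layout)
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, _sport, dst, dport, proto, services = line.split(",")
        if proto != "tcp" or int(dport) not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):  # workstation -> non-corporate host
            ntlm = "ntlm" in services.split("/")
            findings.append(Finding(src, dst, int(dport), "critical" if ntlm else "high"))
    return findings

# Constructed sample flows; 198.51.100.23 plays the attacker-controlled SMB listener
SAMPLE_FLOWS = """\
1777760000.1,10.20.30.40,51234,10.20.30.5,445,tcp,smb/ntlm
1777760001.7,10.20.30.40,51235,198.51.100.23,445,tcp,smb/ntlm
1777760002.2,10.20.30.41,51236,203.0.113.10,445,tcp,smb
1777760003.9,10.20.30.42,51237,198.51.100.23,443,tcp,tls
1777760004.4,10.20.30.43,51238,198.51.100.23,139,tcp,-
""".splitlines()

if __name__ == "__main__":
    for f in flag_outbound_smb(SAMPLE_FLOWS):
        print(f"[{f.severity}] {f.src} -> {f.dst}:{f.dst_port}")
```

The same logic maps directly onto a firewall egress-deny plus a Suricata alert on NTLMSSP payloads leaving $HOME_NET on 445/139; the script version is useful for a backward-looking hunt over archived flow data, as step 10 calls for.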

Strategic

11. Accelerate NTLM deprecation planning — Microsoft has published a deprecation roadmap for NTLMv1 (already blocked by default in modern Windows). NTLMv2 deprecation is in progress but incomplete. Organisations should inventory NTLM dependencies (legacy apps, printers, NAS devices, domain trusts) and begin migration to Kerberos and modern-auth alternatives now.

12. Require signed, attribute-controlled email attachments — LNK files distributed via phishing are the delivery vector for the entire APT28 chain. Anti-phishing controls that strip or sandbox .lnk, .iso, .7z, and .zip attachments from external senders significantly reduce initial-access risk.


Sources

1. Akamai Security Research: "A Shortcut to Coercion: Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202" — https://www.akamai.com/blog/security-research/2026/apr/incomplete-patch-apt28s-zero-day-cve-2026-32202

2. The Hacker News: "Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202" — https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html

3. The Hacker News: "CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV" — https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html

4. CISA KEV Alert: "CISA Adds Two Known Exploited Vulnerabilities to Catalog" — https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog

5. SecurityOnline: "CISA Sounds the Alarm: State-Sponsored Hackers Weaponize New Windows and ScreenConnect Flaws" — https://securityonline.info/cisa-kev-catalog-kimsuky-apt28-exploitation-cve-2024-1708-cve-2026-32202/

6. The Register: "Microsoft patch fell short. New Windows flaw exploited" — https://www.theregister.com/2026/04/29/microsoft_zero_click_exploit

7. CERT-UA Advisory: APT28 Campaign Targeting Ukraine, December 2025 — https://cert.gov.ua/article/6287250

8. Microsoft Security Advisory CVE-2026-32202 — https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202

