Microsoft's Botched Patch Gave APT28 a Second Bite
CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalog on April 28, giving federal civilian agencies until May 12 to patch [1]. The flaw is a zero-click Windows Shell spoofing vulnerability that leaks NTLM authentication hashes without any user interaction [2]. It exists because Microsoft's February 2026 fix for CVE-2026-21510, a remote code execution bug already being exploited by Russia's APT28, was incomplete [3]. Microsoft shipped a patch in April 2026's Patch Tuesday but initially didn't flag the vulnerability as actively exploited [2][4].
The practical result: APT28, the GRU-linked unit Microsoft tracks as Forest Blizzard, had access to a zero-click credential theft primitive rooted in a patch that was supposed to stop them [5]. This is a significant concern given the threat actor's capabilities and targeting profile.
APT28: The Threat Actor Behind the Exploitation
APT28 (also known as Fancy Bear, Sofacy, and Forest Blizzard) is assessed to be Unit 26165 of Russia's GRU military intelligence agency. The group is responsible for the 2016 DNC breach and years of intrusions against NATO-aligned governments. Their operational tempo against European and Ukrainian targets has been aggressive throughout late 2025 and into 2026.
The original exploit chain used CVE-2026-21510 alongside CVE-2026-21513, an MSHTML framework security bypass rated CVSS 8.8, in a campaign targeting Ukraine and EU nations in December 2025 [7]. Microsoft patched both in February 2026 as actively exploited zero-days [7].
How CVE-2026-32202 Works: Zero-Click Authentication Coercion
Akamai's research team discovered the flaw while analyzing whether Microsoft's February patch for CVE-2026-21510 was complete [3]. It wasn't.
Microsoft's fix successfully blocked the original remote code execution and SmartScreen bypass paths [3]. But it left open an authentication coercion vector. When Windows Explorer renders a folder containing a specially crafted LNK (shortcut) file, the system automatically initiates an SMB connection to an attacker-controlled server [2][3]. This forced authentication sends the victim's NTLM hash to the attacker without the user clicking, opening, or otherwise interacting with the malicious file [3]. Simply browsing to the folder is enough.
The CVSS score is 4.3, which is deceptively low [4]. Microsoft classifies it as a "protection mechanism failure in Windows Shell" that "allows an unauthorized attacker to perform spoofing over a network" [4]. That modest rating masks the real operational impact: captured NTLM hashes enable potential pass-the-hash attacks for lateral movement across networks, and offline cracking can recover plaintext passwords [8][10].
The Exploit Chain in Context
APT28's December 2025 campaign used a layered approach:
- Initial delivery: Malicious LNK files, likely delivered via spearphishing, containing embedded HTML that communicates with wellnesscaremed.com [7]
- SmartScreen bypass: CVE-2026-21513 manipulated trust boundaries using nested iframes within the MSHTML framework [7]
- Code execution: CVE-2026-21510 provided the RCE capability [3]
Microsoft's February patch broke steps 2 and 3. CVE-2026-32202 represents what survived: the ability to coerce authentication (step 1's core mechanism) still works as a standalone zero-click capability [3].
Indicators of Compromise
| Type | Value | Context | Source |
|---|---|---|---|
| Domain | wellnesscaremed.com | APT28 C2; LNK file callback domain | [7] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1187 | Forced Authentication | Core mechanism: LNK files coerce SMB authentication to attacker servers [3][8] |
| T1550.002 | Pass the Hash | Potential technique if captured NTLM hashes are used for lateral movement [10] |
| T1003 | OS Credential Dumping | NTLM hash capture from forced authentication [9] |
| T1566.001 | Spearphishing Attachment | Initial delivery of malicious LNK files [7] |
| T1203 | Exploitation for Client Execution | CVE-2026-21510 RCE exploitation [3] |
Detection and Hunting
SMB Traffic Anomalies: The core detection opportunity is outbound SMB authentication to external or unexpected hosts. Monitor for SMB traffic (TCP 445) leaving your network perimeter. Any Windows workstation initiating SMB connections to internet-facing IPs warrants immediate investigation.
LNK File Monitoring: Watch for LNK files appearing in shared folders, especially network shares accessible to multiple users. Sysmon Event ID 11 (FileCreate) filtered for .lnk extensions in shared directories is a starting point. Pay attention to LNK files with embedded URLs or UNC paths pointing to external hosts.
NTLM Relay Indicators: Enable Windows Security Event 4624 (logon) and 4648 (explicit credential logon) auditing. Look for Type 3 (network) logons from unexpected source IPs, particularly where the authentication package is NTLM rather than Kerberos.
Known C2 Domains: Block and alert on DNS queries and network connections to wellnesscaremed.com [7]. Query example for Splunk: index=dns query="*wellnesscaremed.com"
File IOC Sweeps: Hunt for LNK files with suspicious properties across endpoint telemetry.
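A hunting-side illustration of the LNK File Monitoring and File IOC Sweeps points above: an added Python example, not code from this report, from Akamai, or from RedSheep, that parses the documented Shell Link layout (MS-SHLLINK header, LinkInfo network share name, and the StringData fields) and flags any UNC path or URL whose host lies outside RFC1918, loopback, link-local, your own public ranges, a bare NetBIOS name, or a .local/.lan suffix. The shortcuts it checks are constructed by the script itself; the share name fs01 and the address 203.0.113.7 are assumed sample values, and the timestamps and target IDList are deliberately absent.

```python
import ipaddress
import re
import struct

# LinkFlags bits and layout from the MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UNC_RE = re.compile(r"\\\\([^\\/\s]+)")          # \\host\... -> host
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields and, if present, the LinkInfo network share name."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, fields = LNK_HEADER_SIZE, {}
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList (2-byte size prefix excludes itself)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, _local, cnrl_off = struct.unpack_from("<6I", data, pos)
        if li_flags & 0x02:                        # CommonNetworkRelativeLinkAndPathSuffix
            cnrl = pos + cnrl_off
            start = cnrl + struct.unpack_from("<I", data, cnrl + 8)[0]   # NetNameOffset
            fields["net_name"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += li_size
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:               # UINT16 char count, then characters, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "latin-1")
            pos += nbytes
    return fields


def is_external_host(host: str, org_nets=()) -> bool:
    """External unless RFC1918/loopback/link-local, inside the organisation's own public
    ranges (org_nets, CIDR strings), a bare NetBIOS name, or a .local/.lan suffix."""
    host = host.strip("[]").rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host and not host.endswith((".local", ".lan"))
    nets = RFC1918 + [ipaddress.ip_network(n) for n in org_nets]
    return not (ip.is_loopback or ip.is_link_local or any(ip in n for n in nets))


def suspicious_references(fields: dict, org_nets=()) -> list:
    """(field, host) pairs whose UNC path or URL points outside the organisation."""
    return [(field, host)
            for field, value in fields.items()
            for pattern in (UNC_RE, URL_RE)
            for host in pattern.findall(value)
            if is_external_host(host, org_nets)]


def build_sample_lnk(relative_path=None, icon_location=None, net_name=None) -> bytes:
    """Assemble a minimal Shell Link for the demo. Constructed sample: timestamps,
    attributes and the target IDList are absent, so this is not a recovered artifact."""
    flags, body = IS_UNICODE, b""
    if net_name is not None:                       # LinkInfo carrying a CommonNetworkRelativeLink
        nn = net_name.encode("latin-1") + b"\x00"
        cnrl = struct.pack("<5I", 0x14 + len(nn), 0x02, 0x14, 0, 0x00020000) + nn
        body += struct.pack("<7I", 0x1C + len(cnrl) + 1, 0x1C, 0x02, 0, 0, 0x1C, 0x1C + len(cnrl))
        body += cnrl + b"\x00"                     # empty CommonPathSuffix
        flags |= HAS_LINK_INFO
    for flag, text in ((HAS_RELATIVE_PATH, relative_path), (HAS_ICON_LOCATION, icon_location)):
        if text is not None:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
            flags |= flag
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    samples = {  # constructed shortcuts; 203.0.113.7 is a documentation-range address
        "benign":  build_sample_lnk(relative_path=r".\notes.txt", net_name=r"\\fs01\share"),
        "suspect": build_sample_lnk(icon_location=r"\\203.0.113.7\share\icon.ico"),
    }
    for label, blob in samples.items():
        print(label, parse_lnk(blob), suspicious_references(parse_lnk(blob)))
```

Run it over a directory of .lnk files collected from shared folders by feeding each file's bytes to parse_lnk and suspicious_references; pass your organisation's public CIDR ranges as org_nets so that shortcuts to your own internet-facing file services are not reported. The check is deliberately broader than the icon field alone, because every StringData field and the LinkInfo share name can carry a host name.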
Analysis
The timeline on this vulnerability is concerning for defenders. APT28 exploited the original flaw chain (CVE-2026-21510/21513) in December 2025. Microsoft patched in February 2026 but left a zero-click authentication coercion path open [3]. That residual vulnerability was then actively exploited before Microsoft shipped a fix in April 2026 [2]. CISA's KEV listing came on April 28 [1].
This pattern, where an incomplete vendor patch creates a new exploitable condition, is not new, but the APT28 connection makes it more serious than a typical patch regression. Russian military intelligence had a working exploit chain, watched one link get partially fixed, and adapted. The CVSS 4.3 rating will cause many organizations to deprioritize this patch. That's a mistake. NTLM hash theft is a gateway to potential full domain compromise in environments that haven't fully transitioned to Kerberos-only authentication, which describes most enterprise networks.
Red Sheep Assessment
Confidence: Moderate
The sources collectively indicate a concerning situation. APT28 had a working exploit chain in December 2025, Microsoft's February patch was incomplete, and the group likely has the capability to adapt and exploit the residual CVE-2026-32202. The gap between the incomplete fix and the April patch means APT28 likely had opportunity to exploit this vulnerability.
Microsoft's handling of the disclosure timeline reflects either slow internal confirmation processes or standard vulnerability management procedures.
The CVSS 4.3 score and "spoofing" classification might lead some to dismiss this as low-severity. That assessment ignores operational context. In an environment where APT28 already has footholds from the December campaign, a zero-click NTLM hash theft primitive is exactly the kind of tool that enables quiet lateral movement. The low CVSS score reflects the isolated technical impact; the real-world risk is determined by what an attacker does with stolen hashes.
Organizations that were targeted in the December 2025 campaign against Ukraine and EU entities should assume potential exposure and conduct security reviews, not just patch.
Defender's Checklist
- [ ] Apply the April 2026 Microsoft patch for CVE-2026-32202 on all Windows 10, Windows 11, Server 2019, and Server 2022 systems immediately. CISA deadline is May 12 for federal agencies [1].
- [ ] Block outbound SMB (TCP 445) at the network perimeter. Internal segmentation should restrict SMB to only systems that need it. Audit existing firewall rules for gaps.
- [ ] Hunt for known APT28 C2 domains in DNS and proxy logs: wellnesscaremed.com [7]. Splunk query: index=dns query="*wellnesscaremed.com"
- [ ] Sweep endpoints for suspicious LNK files with external UNC paths or embedded URLs.
- [ ] Evaluate NTLM usage across the environment. Restrict NTLM authentication where possible using Group Policy (Network Security: Restrict NTLM settings). Organizations still relying on NTLM are disproportionately exposed to this class of attack.
References
- CISA orders feds to patch Windows flaw exploited as zero-day
- CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202)
- A Shortcut to Coercion: Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202 | Akamai
- Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202
- CVE-2026-32202: APT28 Exploits Zero-Click Windows Shell Flaw to Steal NTLM Credentials
- Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513 | Akamai
- Forced Authentication, Technique T1187 | MITRE ATT&CK
- OS Credential Dumping, Technique T1003 | MITRE ATT&CK
- Use Alternate Authentication Material: Pass the Hash, T1550.002 | MITRE ATT&CK
---
Hunt Guide: Hunt Report: APT28/Forest Blizzard Zero-Click Windows Shell Credential Theft Campaign
Hypothesis: If APT28 is exploiting CVE-2026-32202 in our environment, we expect to observe anomalous outbound SMB authentication attempts to external IPs, suspicious LNK files in shared directories, and NTLM authentication events to unexpected destinations in Windows Security and Sysmon logs.
Intelligence Summary: APT28 (Russian GRU Unit 26165) is actively exploiting CVE-2026-32202, a zero-click Windows Shell vulnerability that coerces NTLM authentication without user interaction. This flaw emerged from Microsoft's incomplete patch for CVE-2026-21510 in February 2026, giving the adversary continued access to credential theft capabilities. CISA has mandated federal agencies patch by May 12, 2026.
Confidence: High | Priority: Critical
Scope
- Networks: All Windows 10/11 workstations and Windows Server 2019/2022 systems, particularly those with access to shared network drives
- Timeframe: Initial sweep: December 2025 - present. Ongoing monitoring: 30-day rolling window
- Priority Systems: Domain controllers, file servers hosting shared drives, executive workstations, systems with external network access
MITRE ATT&CK Techniques
T1187 — Forced Authentication (Credential Access) [P1]
APT28 uses malicious LNK files to force SMB authentication to attacker-controlled servers, capturing NTLM hashes without user interaction when Windows Explorer renders the containing folder
Splunk SPL:
index=* ((EventCode=3 AND DestinationPort=445 AND NOT (DestinationIp=10.0.0.0/8 OR DestinationIp=172.16.0.0/12 OR DestinationIp=192.168.0.0/16)) OR (EventCode=4648 AND LogonType=3)) | stats count by src_ip, dest_ip, user | where count > 5
Elastic KQL:
(event.code:3 AND destination.port:445 AND NOT (destination.ip:10.0.0.0/8 OR destination.ip:172.16.0.0/12 OR destination.ip:192.168.0.0/16)) OR (event.code:4648 AND winlog.event_data.LogonType:3)
Sigma Rule:
```yaml
title: Suspicious Outbound SMB Authentication
id: 8b3f4ed7-8362-49a4-9c47-0b89ae2d69f3
status: experimental
description: Detects forced SMB authentication attempts to external IPs potentially related to CVE-2026-32202 exploitation
author: RedSheep Security/Stone
date: 2026/04/30
references:
  - https://attack.mitre.org/techniques/T1187/
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4648
    LogonType: 3
  # Either map excludes the event (list items are OR'ed).
  filter:
    - TargetServerName|startswith:
        - '10.'
        - '172.16.'
        - '192.168.'
        - 'localhost'
    - TargetServerName|endswith:
        - '.local'
        - '.lan'
  condition: selection and not filter
falsepositives:
  - Legitimate cloud file sharing services
  - Authorized remote access tools
level: high
tags:
  - attack.credential_access
  - attack.t1187
  - cve.2026-32202
```
Monitor for SMB traffic (TCP 445) to non-RFC1918 addresses. Tune filter to include your organization's public IP ranges. High false positive rate expected in hybrid cloud environments.
T1547.009 — Boot or Logon Autostart Execution: Shortcut Modification (Persistence) [P2]
APT28 delivers malicious LNK files containing embedded URLs or UNC paths pointing to external hosts, triggering authentication coercion when browsed
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 TargetFilename="*.lnk" (TargetFilename="*\\Users\\*\\Desktop\\*" OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Users\\Public\\*") | rex field=TargetFilename "(?<share_path>\\\\\\\\[^\\\\]+\\\\[^\\\\]+)" | where isnotnull(share_path) | stats count by ComputerName, TargetFilename, ProcessName
Elastic KQL:
event.code:11 AND file.path:*.lnk AND (file.path:*\\Users\\*\\Desktop\\* OR file.path:*\\ProgramData\\* OR file.path:*\\Users\\Public\\*)
Sigma Rule:
```yaml
title: Suspicious LNK File Creation in Shared Locations
id: 43c9d5e2-65b4-4689-8f3c-e4b2e8c6a512
status: stable
description: Detects creation of LNK files in commonly targeted shared directories
author: Akamai Research (adapted)
date: 2026/04/30
modified: 2026/04/30
references:
  - https://www.akamai.com/blog/security-research/incomplete-patch-apt28s-zero-day-cve-2026-32202
logsource:
  product: windows
  category: file_event   # Sysmon EventID 11 (FileCreate)
detection:
  selection:
    TargetFilename|endswith: '.lnk'
  selection_paths:
    TargetFilename|contains:
      - '\Users\Public\'
      - '\ProgramData\'
      - '\Desktop\'
      - '\Downloads\'
  # The exclusions are alternatives; keeping both fields in one map would AND them
  # (a shell binary located under \Program Files\) and the filter would never match.
  filter_shell:
    Image|endswith:
      - '\explorer.exe'
      - '\cmd.exe'
      - '\powershell.exe'
  filter_installer:
    Image|contains: '\Program Files\'
  condition: selection and selection_paths and not 1 of filter_*
falsepositives:
  - Software installers creating shortcuts
  - User manually creating shortcuts
level: medium
tags:
  - attack.persistence
  - attack.t1547.009
  - apt.apt28
```
Baseline normal LNK creation patterns in your environment first. Focus on LNK files created by unusual processes or containing external UNC paths.
T1550.002 — Use Alternate Authentication Material: Pass the Hash (Lateral Movement) [P2]
APT28 may use captured NTLM hashes from forced authentication for pass-the-hash attacks to move laterally
Splunk SPL:
index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4648) Logon_Type=3 Authentication_Package="NTLM*" NOT (user="*$" OR user="ANONYMOUS LOGON") | eval suspicious=if(match(Network_Address, "^(?:10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)"), 0, 1) | where suspicious=1 | stats count by user, Network_Address, Workstation_Name
Elastic KQL:
(event.code:4624 OR event.code:4648) AND winlog.event_data.LogonType:3 AND winlog.event_data.AuthenticationPackageName:NTLM* AND NOT winlog.event_data.TargetUserName:*$
Sigma Rule:
```yaml
title: Potential Pass-the-Hash Activity via NTLM
id: f8d98d6c-7e07-4b15-9c26-8b03e2c5e050
status: experimental
description: Detects potential pass-the-hash activity using NTLM authentication from external or unusual sources
author: RedSheep Security/Stone
date: 2026/04/30
references:
  - https://attack.mitre.org/techniques/T1550/002/
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4624
      - 4648
    LogonType: 3
    AuthenticationPackageName: 'NTLM*'
  filter_local:
    IpAddress:
      - '-'
      - '127.0.0.1'
      - '::1'
  # SubjectUserSid is the NULL SID (S-1-0-0) on every network logon, so excluding it
  # would suppress the whole selection; exclude machine accounts by name instead.
  filter_machine:
    TargetUserName|endswith: '$'
  condition: selection and not filter_local and not filter_machine
falsepositives:
  - Legitimate remote administration
  - Service accounts with NTLM authentication
level: medium
tags:
  - attack.lateral_movement
  - attack.t1550.002
```
Correlate with T1187 detections. Look for NTLM logons from IPs that previously appeared as SMB authentication destinations.
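The two stages of the T1187 and T1550.002 sections above, the external-destination filter and the "NTLM logons from IPs that previously appeared as SMB authentication destinations" correlation, carried out in one runnable Python hunt over constructed sample telemetry. This is an added example, not RedSheep's, Akamai's, or any vendor's code; the normalised field names, host names and addresses are assumptions of the example, with 198.51.100.0/24 standing in for the organisation's own public range. Two choices differ from the rules as written: internal ranges are matched as full CIDR blocks (the '172.16.' prefix in the Sigma filter covers only 172.16.x, not the whole 172.16.0.0/12), and machine accounts are excluded by their trailing '$' because SubjectUserSid is the NULL SID on every network logon.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


def is_internal(dest: str, org_public_nets=()) -> bool:
    """Internal if RFC1918/loopback/link-local, inside the organisation's own public
    ranges (CIDR strings), a bare host name, or an internal DNS suffix (.local/.lan)."""
    dest = dest.strip("[]").rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return "." not in dest or dest.endswith((".local", ".lan"))
    nets = RFC1918 + [ipaddress.ip_network(n) for n in org_public_nets]
    return ip.is_loopback or ip.is_link_local or any(ip in n for n in nets)


def forced_auth_candidates(events, org_public_nets=()):
    """T1187: Sysmon 3 connections to TCP/445, or Security 4648 type-3 logons, whose
    destination is outside the organisation. Returns (event_id, host, user, destination)."""
    hits = []
    for e in events:
        if e["event_id"] == 3 and e.get("dest_port") == 445:
            dest = e["dest_ip"]
        elif e["event_id"] == 4648 and e.get("logon_type") == 3:
            dest = e["target_server"]
        else:
            continue
        if not is_internal(dest, org_public_nets):
            hits.append((e["event_id"], e["host"], e["user"], dest))
    return hits


def correlated_ntlm_logons(events, coerced_destinations):
    """T1550.002 follow-up: type-3 NTLM logons (4624) whose source address was earlier
    seen as a forced-authentication destination. Machine accounts (trailing '$') and
    local sources are excluded; SubjectUserSid is S-1-0-0 on every network logon and
    therefore cannot serve as that exclusion."""
    return [e for e in events
            if e["event_id"] == 4624 and e.get("logon_type") == 3
            and e.get("auth_package", "").upper().startswith("NTLM")
            and not e["user"].endswith("$")
            and e.get("src_ip") not in LOCAL_SOURCES
            and e.get("src_ip") in coerced_destinations]


def hunt(events, org_public_nets=()):
    """Run both stages and return (forced-auth hits, correlated NTLM logons)."""
    hits = forced_auth_candidates(events, org_public_nets)
    dests = {dest for _, _, _, dest in hits}
    return hits, correlated_ntlm_logons(events, dests)


# Constructed sample telemetry; the normalised field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"event_id": 3, "host": "WS-ALICE", "user": "CORP\\alice", "dest_ip": "10.1.2.5", "dest_port": 445},
    {"event_id": 3, "host": "WS-ALICE", "user": "CORP\\alice", "dest_ip": "203.0.113.7", "dest_port": 445},
    {"event_id": 4648, "host": "WS-ALICE", "user": "CORP\\alice", "logon_type": 3, "target_server": "203.0.113.7"},
    {"event_id": 4648, "host": "WS-BOB", "user": "CORP\\bob", "logon_type": 3, "target_server": "fs01.corp.local"},
    {"event_id": 4648, "host": "WS-BOB", "user": "CORP\\bob", "logon_type": 3, "target_server": "198.51.100.20"},
    {"event_id": 4624, "host": "FS01", "user": "CORP\\alice", "logon_type": 3, "auth_package": "NTLM", "src_ip": "203.0.113.7"},
    {"event_id": 4624, "host": "FS01", "user": "CORP\\bob", "logon_type": 3, "auth_package": "Kerberos", "src_ip": "10.1.2.31"},
    {"event_id": 4624, "host": "FS01", "user": "CORP\\svc_backup", "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.1.2.40"},
    {"event_id": 4624, "host": "FS01", "user": "WS-ALICE$", "logon_type": 3, "auth_package": "NTLM", "src_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    # 198.51.100.0/24 stands in for the organisation's own public range (assumed).
    stages = ("forced auth", "correlated NTLM logon")
    for stage, rows in zip(stages, hunt(SAMPLE_EVENTS, ["198.51.100.0/24"])):
        for row in rows:
            print(stage, row)
```

Without the org_public_nets argument the 4648 logon to 198.51.100.20 is also reported, which is the tuning point the T1187 note makes: hybrid-cloud and self-hosted public services have to be added to the internal set or the rule drowns in them. The svc_backup NTLM logon from 10.1.2.40 is left alone by the correlation stage because its source never appeared as a coerced destination; it is still a candidate for the broader T1550.002 rule.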
T1566.001 — Phishing: Spearphishing Attachment (Initial Access) [P2]
APT28 likely delivers malicious LNK files via spearphishing emails as the initial infection vector
Splunk SPL:
index=email (attachment_name="*.lnk" OR attachment_type="application/x-ms-shortcut") | join sender_ip [search index=threatintel | where ioc_type="ip" AND threat_actor="APT28"] | table _time, recipient, sender, subject, attachment_name
Elastic KQL:
event.module:email AND (file.name:*.lnk OR file.mime_type:"application/x-ms-shortcut")
Cross-reference email attachments with file creation events. LNK files arriving via email are highly suspicious.
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P1]
APT28 uses wellnesscaremed.com as C2 infrastructure for callback communications from malicious LNK files
Splunk SPL:
index=dns query="*wellnesscaremed.com" OR index=proxy url="*wellnesscaremed.com*" | stats count by src_ip, query, url | eval threat_score=100
Elastic KQL:
(dns.question.name:*wellnesscaremed.com OR url.full:*wellnesscaremed.com*)
Sigma Rule:
```yaml
title: APT28 C2 Domain Communication
id: 1a8b3d45-92f7-4231-8a63-73928d6e8f92
status: stable
description: Detects communication with known APT28 C2 domain wellnesscaremed.com
author: Akamai Research (adapted)
date: 2026/04/30
modified: 2026/04/30
references:
  - https://www.akamai.com/blog/security-research/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis
logsource:
  category: dns
detection:
  selection:
    query|contains: 'wellnesscaremed.com'
  condition: selection
falsepositives:
  - Unlikely
level: critical
tags:
  - attack.command_and_control
  - attack.t1071.001
  - apt.apt28
```
High-confidence IOC. Any hit should trigger immediate incident response. Block at perimeter firewall and DNS.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | wellnesscaremed.com | APT28 C2 domain used in LNK file callbacks during December 2025 campaign |
IOC Sweep Queries (Splunk):
index=* (dns_query="*wellnesscaremed.com" OR url="*wellnesscaremed.com*" OR dest="*wellnesscaremed.com") | stats count by index, sourcetype, src_ip, dest_ip
YARA Rules
APT28_Malicious_LNK_CVE_2026_32202 — Detects LNK files with external UNC paths or URLs potentially related to CVE-2026-32202 exploitation
```yara
rule APT28_Malicious_LNK_CVE_2026_32202 {
    meta:
        description = "Detects malicious LNK files used in APT28 CVE-2026-32202 exploitation"
        author = "RedSheep Security/Stone"
        date = "2026-04-30"
        reference = "CVE-2026-32202"
        threat_actor = "APT28"
    strings:
        // Shell Link header: HeaderSize 0x4C followed by the start of the LinkCLSID
        $lnk_header = { 4C 00 00 00 01 14 02 00 }
        // UNC path to a dotted-quad host, e.g. \\203.0.113.7\share\
        $unc_path1 = /\\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\/ wide ascii
        // UNC path to a fully qualified host name; also matches internal suffixes such as .local
        $unc_path2 = /\\\\[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,6}\\/ wide ascii
        $url1 = "http://wellnesscaremed.com" wide ascii nocase
        $url2 = "https://wellnesscaremed.com" wide ascii nocase
        // Bare port number: matches any "445" byte sequence, so expect noise from this string alone
        $smb_port = "445" wide ascii
    condition:
        $lnk_header at 0 and any of ($unc_path*, $url*, $smb_port)
}
```
Suricata Rules
SID 2026043001 — APT28 C2 Domain wellnesscaremed.com DNS Query
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT28 C2 Domain wellnesscaremed.com DNS Query"; dns.query; content:"wellnesscaremed.com"; nocase; classtype:trojan-activity; sid:2026043001; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, tag APT28;)
SID 2026043002 — Suspicious Outbound SMB Authentication Attempt
alert tcp $HOME_NET any -> !$HOME_NET 445 (msg:"ET POLICY Suspicious Outbound SMB Authentication to External Host"; flow:to_server,established; content:"|ff|SMB"; depth:4; offset:4; classtype:policy-violation; sid:2026043002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Major, tag CVE-2026-32202;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1187, T1547.009, T1566.001 | EventID 3 (Network Connection) and EventID 11 (File Create) critical for detection |
| Windows Security | T1187, T1550.002 | EventID 4624, 4648 required. Enable detailed authentication logging |
| DNS Logs | T1071.001 | Full DNS query logging required to detect C2 callbacks |
| Network Traffic | T1187, T1071.001 | SMB (TCP 445) and HTTP/HTTPS traffic visibility required |
| Email Gateway | T1566.001 | Attachment analysis capability for LNK files |