Microsoft Windows NTLM Vulnerability Exploited Within Days

Published: 2025-04-21

Microsoft (MSFT) Bug Quickly Exploited in Targeted Attacks

On March 11, Microsoft (MSFT) delivered its regular round of security updates for Patch Tuesday. However, in just over a week, threat actors had already exploited one of the newly patched flaws to launch attacks on both government and corporate organizations in Poland and Romania.

The vulnerability at the center of this activity is tracked as CVE-2025-24054. It involves an NTLM hash disclosure issue in Windows. Although Microsoft (MSFT) categorized it as “less likely” to be exploited, attackers clearly disagreed, according to security analysts at Check Point.

This flaw can be abused to expose a victim's Net-NTLMv2 or NTLMv2-SSP credentials over a network. As explained by Check Point, adversaries can "attempt to brute-force the hash offline or perform relay attacks," effectively allowing them to impersonate the victim and gain unauthorized access to systems or perform actions on their behalf.

In the first wave of exploitation, attackers used phishing emails to entice users into downloading a malicious ZIP archive hosted on Dropbox, named xd.zip. The archive included four harmful files, one of which was a .library-ms file crafted to trigger the vulnerability. Alarmingly, simply unzipping the archive — or even browsing its contents in Microsoft (MSFT) Windows Explorer — could cause the system to initiate an SMB authentication request, leaking the user's Net-NTLMv2 hash to a server controlled by the attackers.

Check Point researchers found that the stolen hashes were being sent to the IP address 159.196.128[.]120. This same IP was previously highlighted by HarfangLab in January as having connections to APT28, also known as Fancy Bear — a cyber-espionage group with ties to the Russian government. That said, Check Point emphasized that there’s no definitive evidence directly linking this specific attack to APT28.
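The leak described above only succeeds if the victim's host can complete an SMB authentication exchange with a server outside the organization, so egress monitoring for SMB is the practical detection and control. The following is an added example, not code from the article or from Check Point: it reads constructed flow-log records, flags outbound TCP 445/139 to any address outside assumed internal ranges, and separately flags the collection server address the article reports (with the defanging bracket removed so it parses).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records (not from the article): ts src dst dport proto
SAMPLE_FLOWS = """\
2025-03-20T09:14:02Z 10.20.4.17 159.196.128.120 445 tcp
2025-03-20T09:14:05Z 10.20.4.17 10.20.0.5 445 tcp
2025-03-20T09:15:11Z 10.20.4.23 203.0.113.9 139 tcp
2025-03-20T09:16:40Z 10.20.4.23 203.0.113.9 443 tcp
"""

# Hash-collection destination reported in the article (defanged form undone).
WATCHLIST = {"159.196.128.120"}

# Assumed internal address space: RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

SMB_PORTS = {445, 139}

@dataclass
class Alert:
    timestamp: str
    src: str
    dst: str
    port: int
    reason: str

def is_internal(ip) -> bool:
    # ipaddress handles mixed v4/v6 membership checks by returning False
    return any(ip in net for net in INTERNAL_NETS)

def detect_outbound_smb(flow_text: str, watchlist=WATCHLIST) -> list[Alert]:
    """Return one Alert per SMB flow leaving the internal ranges."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, port, proto = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if proto.lower() != "tcp" or port not in SMB_PORTS:
            continue
        if str(dst_ip) in watchlist:
            alerts.append(Alert(ts, src, dst, port, "smb-to-known-indicator"))
        elif not is_internal(dst_ip):
            alerts.append(Alert(ts, src, dst, port, "smb-to-external-address"))
    return alerts

if __name__ == "__main__":
    for a in detect_outbound_smb(SAMPLE_FLOWS):
        print(f"{a.timestamp} {a.src} -> {a.dst}:{a.port} [{a.reason}]")
```

Blocking outbound TCP 445/139 at the perimeter turns these alerts into failed connections, which is the mitigation Microsoft has long recommended for NTLM hash-leak classes of bugs.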



This article was written by: Anonymous