Find notable cyber news and cases, enriched with sources, timelines, and signals.

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

A December 2025 APT28 campaign targeted Ukraine and E.U. nations with a malicious Windows Shortcut (LNK) chain that bypassed Microsoft Defender SmartScreen and enabled attacker-controlled code execution. The operation used Windows Shell parsing and a UNC path to pull remote payloads, turning file execution into a stealthy delivery path. The same chain also triggered SMB authentication and could expose Net-NTLMv2 hashes, increasing the risk of follow-on access abuse.

Related Happenings

Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)

Vulnerability
H score32 First: 17.06.2026 11:32 Last: 17.06.2026 11:32 Sources 1

About this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...

GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning

Technical Analysis
H score23 First: 16.06.2026 17:17 Last: 16.06.2026 17:17 Sources 1

About this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...

Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)

Vulnerability
H score24 First: 03.06.2026 13:18 Last: 03.06.2026 13:18 Sources 1

About this happening: **Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
H score7 First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that affects the **Windows Recovery Environment (WinRE)** path and can expose **BitL...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

FamousSparrow Azerbaijanian oil-and-gas targeting campaign

Campaign
H score32 First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...

Timeline

  1. 28.04.2026 08:50 2 articles · 2mo ago

    Initial report: APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

    Initial Disclosure

    In **December 2025**, **APT28** began using a **malicious LNK file** against **Ukraine** and **E.U. nations** to trigger a Windows Shell exploit chain. The initial delivery was designed to bypass **Microsoft Defender SmartScreen** and set up remote code execution through shell parsing.

    Show sources