APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
Summary
Hide ▲
Show ▼
A December 2025 APT28 campaign targeted Ukraine and E.U. nations with a malicious Windows Shortcut (LNK) chain that bypassed Microsoft Defender SmartScreen and enabled attacker-controlled code execution. The operation used Windows Shell parsing and a UNC path to pull remote payloads, turning file execution into a stealthy delivery path. The same chain also triggered SMB authentication and could expose Net-NTLMv2 hashes, increasing the risk of follow-on access abuse.
Related Happenings
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
Vulnerability
H score32
First: 17.06.2026 11:32
Last: 17.06.2026 11:32
Sources 1
About this happening:
**Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
VulnerabilityAbout this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical Analysis
H score23
First: 16.06.2026 17:17
Last: 16.06.2026 17:17
Sources 1
About this happening:
**GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical AnalysisAbout this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)
Vulnerability
H score24
First: 03.06.2026 13:18
Last: 03.06.2026 13:18
Sources 1
About this happening:
**Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...
Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)
VulnerabilityAbout this happening: **Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...
Windows 11 BitLocker bypass YellowKey security flaw
Vulnerability
H score7
First: 14.05.2026 10:27
Last: 14.05.2026 10:27
Sources 1
About this happening:
**YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that affects the **Windows Recovery Environment (WinRE)** path and can expose **BitL...
Windows 11 BitLocker bypass YellowKey security flaw
VulnerabilityAbout this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that affects the **Windows Recovery Environment (WinRE)** path and can expose **BitL...
Latest development: 20.05.2026 10:31
Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.
FamousSparrow Azerbaijanian oil-and-gas targeting campaign
Campaign
H score32
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...
FamousSparrow Azerbaijanian oil-and-gas targeting campaign
CampaignAbout this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...
Timeline
-
28.04.2026 08:50 2 articles · 2mo ago
Initial report: APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Initial DisclosureIn **December 2025**, **APT28** began using a **malicious LNK file** against **Ukraine** and **E.U. nations** to trigger a Windows Shell exploit chain. The initial delivery was designed to bypass **Microsoft Defender SmartScreen** and set up remote code execution through shell parsing.
Show sources
- Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 — thehackernews.com — 28.04.2026 08:50
- Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 — thehackernews.com — 28.04.2026 08:50