How NTLM is being abused in 2025 cyberattacks
Nov. 26, 2025, 4:36 p.m.
Description
NTLM is a legacy challenge-response authentication protocol that remains widely enabled in Windows environments despite long-known weaknesses. Threat actors continue to exploit both old and newly disclosed NTLM flaws for credential theft, privilege escalation and lateral movement. Recently exploited examples include CVE-2024-43451 and CVE-2025-24054 (NTLM hash disclosure: a crafted file makes the victim's machine authenticate outbound to an attacker-controlled host with minimal user interaction) and CVE-2025-33073 (Windows SMB client elevation of privilege via NTLM reflection). The observed techniques fall into four groups: leaking a victim's Net-NTLM response through forced outbound authentication, coercing servers into authenticating to an attacker, relaying (forwarding) captured authentication to other services that accept NTLM, and man-in-the-middle interception. Groups such as BlindEagle and Head Mare have used these flaws to deliver malware to targets in specific regions. To reduce exposure, organizations are advised to disable NTLM where possible and restrict it elsewhere, require SMB and LDAP signing, enable Extended Protection for Authentication on services that still accept NTLM, and audit and monitor NTLM traffic closely.
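The following PowerShell audit script is an added example and is not part of the original report or from any of the vendors it cites. It checks a single Windows host for the mitigations listed above (NTLM restriction and auditing, NTLMv2 enforcement, SMB and LDAP signing, LDAP channel binding as the Extended Protection control on domain controllers) and then summarizes NTLM logons from the Security log. The registry locations and value meanings are those documented for the corresponding Group Policy settings; the "good" thresholds are an assumption for illustration and may be stricter or looser than a given environment's policy. It is read-only and should be run in an elevated session.

```powershell
# Added example (not from the original report): audit one host for the NTLM
# mitigations the summary recommends. Read-only. Run elevated.
# Each check: a registry value backing a Group Policy setting, and an assumed
# "good" predicate (adjust to local policy).
$checks = @(
    @{ Name = 'LmCompatibilityLevel (5 = send NTLMv2 only, refuse LM/NTLMv1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel';        Good = { param($v) $v -ge 5 } },
    @{ Name = 'Restrict outgoing NTLM (1 = audit all, 2 = deny all)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictSendingNTLMTraffic';  Good = { param($v) $v -ge 1 } },
    @{ Name = 'Restrict incoming NTLM (1 = deny domain accounts, 2 = deny all)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictReceivingNTLMTraffic'; Good = { param($v) $v -ge 1 } },
    @{ Name = 'Audit incoming NTLM (events 8001-8004 in NTLM/Operational log)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'AuditReceivingNTLMTraffic';   Good = { param($v) $v -ge 1 } },
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature';    Good = { param($v) $v -eq 1 } },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature';    Good = { param($v) $v -eq 1 } },
    @{ Name = 'LDAP server signing required (DC only; 2 = require)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LDAPServerIntegrity';         Good = { param($v) $v -eq 2 } },
    @{ Name = 'LDAPS channel binding / EPA (DC only; 2 = always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LdapEnforceChannelBinding';   Good = { param($v) $v -eq 2 } }
)

foreach ($c in $checks) {
    # Missing value means the policy is "Not Configured" and the OS default applies.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    if ($null -eq $value) {
        $status = 'NOT SET (OS default applies)'
    } elseif (& $c.Good $value) {
        $status = "OK   (value $value)"
    } else {
        $status = "WEAK (value $value)"
    }
    '{0,-72} {1}' -f $c.Name, $status
}

# NTLM logons accepted by this host in the last 24 hours. In event 4624,
# Properties[10] is AuthenticationPackageName and Properties[14] is
# LmPackageName; "NTLM V1" is the most urgent finding because NTLMv1
# responses are trivially crackable and relayable.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 'NTLM' } |
    Group-Object { $_.Properties[14].Value } |
    Select-Object @{ Name = 'LmPackage'; Expression = { $_.Name } }, Count
```

The LDAP checks only mean something on a domain controller; on member servers they will report NOT SET, which is expected. Extended Protection for Authentication on IIS, AD CS or Exchange is configured per application rather than in these registry keys, so those services need their own verification. Incoming-NTLM auditing (the fourth check) is the low-risk first step: it populates the NTLM/Operational log with the source hosts and accounts still using NTLM, which is the inventory needed before moving the restriction settings to deny.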
Tags
Date
- Created: Nov. 26, 2025, 2:09 p.m.
- Published: Nov. 26, 2025, 2:09 p.m.
- Modified: Nov. 26, 2025, 4:36 p.m.
Indicators
- 185.227.82.72
- 45.87.246.40
- http://document-file.ru/files/documents/zakupki/MicrosoftWord.exe
- document-file.ru
Attack Patterns
- PhantomCore
- WarzoneRAT - S0670
- REMCOS RAT
- AveMaria
- BlindEagle
Additional Information
- Education
- Finance
- Government
- Manufacturing
- Colombia
- Uzbekistan
- Belarus
- Russian Federation