How NTLM is being abused in 2025 cyberattacks

Published 26/11/2025 14:09 · Modified 21/12/2025 18:07

Essential information

Tags
2025-11-26 CVE-2023-38831 CVE-2024-43451 CVE-2025-24054 CVE-2025-24071 CVE-2025-33073 apt authentication avemaria credential-theft exploits lateral movement ntlm phantomcore remcos rat vulnerabilities warzone windows
Related entities
5 vulnerabilities (CVE), 3 observables, 1 intrusion set (APT), 11 techniques (MITRE), 5 malware, 9 others

Description

NTLM, a legacy authentication protocol, remains prevalent in Windows environments despite its known weaknesses. Threat actors continue to exploit both old and newly discovered flaws in NTLM for credential theft, privilege escalation, and lateral movement. Recent vulnerabilities (see the CVE tags above) have been actively exploited in various campaigns. Attacks involve hash leakage, coercion-based techniques, credential forwarding, and man-in-the-middle approaches. Threat groups such as BlindEagle and Head Mare have leveraged these to distribute malware and target specific regions. To mitigate the risk, organizations are advised to disable or limit NTLM usage, implement message signing, enable Extended Protection for Authentication, and monitor NTLM traffic closely.