The Zero-Click Ghost: How an Incomplete Patch Left Windows Open to Fancy Bear’s Credential Theft

An oversight within a security remediation has inadvertently carved a novel path for exploitation. While the developers successfully neutralized the remote code execution flaw weaponized by the APT28 collective, they left behind a secondary vulnerability that facilitates the exfiltration of credentials without a single user interaction.

Security researchers at Akamai have discovered that following the rectification of CVE-2026-21510 within the Windows ecosystem, a latent mechanism persisted, compelling the victim’s workstation to autonomously establish a connection with an adversary’s server. This nascent defect, cataloged as CVE-2026-32202, requires no manual intervention; merely navigating to a directory containing the malicious artifact triggers the assault.

The campaign is orchestrated by the Fancy Bear threat group, which, in late 2025, besieged several European nations using meticulously crafted Windows shortcuts. These LNK files initiated a cascade of vulnerabilities, including CVE-2026-21513 and CVE-2026-21510, enabling the attackers to circumvent systemic defenses and fetch malicious payloads from remote repositories.

Although the file appeared innocuous, it harbored a specialized internal structure that coerced the Windows Explorer process into treating a remote resource as a Control Panel element. Consequently, the system would attempt to load a library from the attacker’s server without verifying the provenance of the source or issuing a warning to the user.

In February 2026, Microsoft disseminated a patch that introduced a verification layer within the built-in security framework to analyze a file’s origin prior to execution. At a superficial level, the issue seemed resolved, as unsigned or suspicious components were barred from running. However, this verification occurs too late in the execution sequence; by the time the system reaches the validation phase, it has already initiated contact with the hostile server.

Simply opening a folder containing the compromised shortcut prompts Windows Explorer to attempt to render its icon. At this precise juncture, Windows automatically interfaces with the remote resource via network protocols, transmitting authentication telemetry in the process. The user remains entirely oblivious as this silent exchange transpires.

As a result, the assailant procures a Net-NTLMv2 credential hash. These artifacts can be leveraged for subsequent incursions, such as session hijacking or brute-force password discovery. The developer has been formally apprised of the situation, and the vulnerability has been officially acknowledged.