Headlights. Indicators. Trunk releases. Seatbelts. Airbags. Just about any part of a car you can think of is governed by a long and complicated government regulation. It’s all about safety, ensuring that the car-buying public can trust that their vehicles won’t unduly injure or maim them in regular operation, or in the event of accident.

However, one part of the modern automobile has largely escaped regulation—namely, the humble door handle. Automakers have been free to innovate with new and wacky designs, with Tesla in particular making waves with its electronic door handles. However, after a series of deadly incidents where doors wouldn’t open, regulators are now examining if these door handles are suitable for road-going automobiles. As always, regulations are written in blood, but it raises the question—was not the danger of these complicated electronic door handles easy to foresee?

Trapped

A number of automakers have developed fancy retractable door handles in recent years. They are most notably seen on electric vehicles, where they are stated to have a small but measurable aerodynamic benefit. They are often paired with buttons or other similar electronic controls to open the doors from the inside. Compared to mechanical door handles, however, these door handles come with a trade-off in complexity. They require electricity, motors, and a functioning control system to work. When all is well, this isn’t a problem. However, when things go wrong, a retractable electronic door handle often proves inaccessible and useless.

It’s not hard to find case reports of fatal incidents involving vehicles with electronic door handles—both inside and out. Multiple cases have involved occupants burning alive inside Tesla vehicles, in which electronic door handles failed after a crash. Passengers inside the vehicles have failed to escape due to not finding emergency release door pulls hidden in the door panels, while bystanders have similarly been unable to use the retracted outside door handles to free those trapped inside.

In response, some Tesla owners have gone so far as to release brightly-colored emergency escape ripcords to replace the difficult-to-spot emergency release pulls that are nearly impossible to find without prior knowledge. In the case of some older models, though, there’s less hope of escape. For example, in the Tesla Model 3 built from 2017 to 2023, only front doors have an emergency mechanical release. Rear passengers are out of luck, and must find another route of escape if their electronic door handles fail to operate. No Tesla vehicles feature an easily-accessible mechanical release that can be used from outside the vehicle.
US regulations mandate highly-visible emergency trunk release handles that are easily activated. However, obvious mechanical backups have not been required for cars fitted with electronic door handles. Credit: NHTSA
It’s worth noting that in the US market, federal regulations have mandated glow-in-the-dark trunk releases be fitted to all sedans from the 2002 model year onwards. You could theoretically escape from the trunk of certain Teslas more easily than a Cybertruck or Model 3 with a failed electrical system.

Tesla isn’t the only company out there building cars with retractable door handles. It does, however, remain the most prominent user of this technology, and its vehicles have been involved in numerous incidents that have made headlines. Other automakers, such as Audi and Fiat, have experimented with electronic door handles, both for ingress and egress, with varying degrees of mechanical backup available. In some cases, automakers have used smart two-stage latches. A small pull activates the electronic door release, while a stronger pull will engage a mechanical linkage that unlatches the door. It’s smart engineering—the door interface responds to the exact action a passenger would execute if trying to escape the vehicle in a panic. There are obviously less concerns around electronic door releases that have easily-accessed mechanical backups; it’s just that Tesla is particularly notable for not always providing them.

Over the years, national automotive bodies have thrown up their arms about all sorts of emerging automotive technologies. In the United States specifically, NHTSA has famously slow-walked the approval of things like camera-based rear-view mirror systems and replaceable-bulb headlamps, fearing the worst could occur if these technologies were freely allowed on the market.

Meanwhile, despite the obvious risks, electronic door handles have faced no major regulatory challenges. There were no obvious written rules standing in the way of Tesla making the choice to eliminate regular old door handles. Nor were there strict regulations on emergency door releases for passengers inside the vehicle. Tesla spent years building several models with no mechanical door release for the rear passengers. If your door button failed, you’d have to attempt escape by climbing out through the front doors, assuming you could figure out how to open them. Even today, the models with mechanical door releases still often hide them behind interior trim pieces or carpets, where few passengers would ever think to look in an emergency.

Obvious Mistakes

Flush door handles have become popular with Chinese automakers like BYD and Geely. However, these door handles require the vehicle’s electrical supply to be intact in order to work. Credit: BYD
Things are beginning to change, however. Chinese regulators have led the charge, with reports stating that electronic retractable door handles could be banned as soon as 2027. While some semi-retractable styles will potentially avoid an outright ban, it’s believed new regulations will require a mechanically redundant release system as standard.

As for the US, the sleeping giant of NHTSA has finally awoken in the wake of Bloomberg‘s reporting on the matter. As reported by CNBC, Tesla has been given a deadline of December 10 to deliver records to the federal regulator, regarding design, failures, and customer issues around its electronic door release systems. The Office of Defects Investigations within NHTSA has already recorded 16 reports of failed exterior door releases in the a single model year of the Tesla Model Y. It’s likely a drop in the ocean compared to the full population of Tesla vehicles currently on roads. Meanwhile, the US automaker also faces multiple lawsuits over the matter from those who have lost family members in fatal crashes and fires involving the company’s vehicles.

In due time, it’s likely that automotive regulators in most markets will come out against electronic door handles from a safety perspective alone. No matter how well designed the electrical system in a modern vehicle, it’s hard to beat a lever flipping a latch for simplicity and robustness. The benefits of these electronic door handles are spurious in the first place—a fraction of a percent reduction in drag, and perhaps a little more luxury appeal. If the trade-off is trapping passengers in the event of a fire, it’s hard to say they’re worthwhile.

The electronic door handle, then, is perhaps the ultimate triumph of form over function. They’re often slower and harder to use than a regular door handle, and particularly susceptible to becoming useless when iced over on a frosty morning. For a taste of the future, lives were put at risk. Anyone could see that, so it’s both strange and sad that automakers and regulators alike seemed not to notice until it was far too late. Any new regulations will, once again, be written in blood.

Contrary to headlines suggesting the EU has “backed away” from Chat Control, the negotiating mandate endorsed today by EU ambassadors in a close split vote paves the way for a permanent infrastructure of mass surveillance. Patrick Breyer, digital freedom fighter and expert on the file, warns journalists and the public not to be deceived by the label “voluntary.”

While the Council removed the obligation for scanning, the agreed text creates a toxic legal framework that incentivizes US tech giants to scan private communications indiscriminately, introduces mandatory age checks for all internet users, and threatens to exclude teenagers from digital life.

“The headlines are misleading: Chat Control is not dead, it is just being privatized,” warns Patrick Breyer. “What the Council endorsed today is a Trojan Horse. By cementing ‘voluntary’ mass scanning, they are legitimizing the warrantless, error-prone mass surveillance of millions of Europeans by US corporations, while simultaneously killing online anonymity through the backdoor of age verification.”

The Three Hidden Dangers of the Council’s “Voluntary” Deal

The Council’s mandate stands in sharp contrast to the European Parliament’s position, which demands that surveillance be targeted only at suspects and age checks are to remain voluntary. The Council’s approach introduces three critical threats that have largely gone unreported:

1. “Voluntary” Means Indiscriminate Mass Scanning (The Chat Control 1.0 Trap)
The text aims to make the temporary “Chat Control 1.0” regulation permanent. This allows providers like Meta or Google to scan all private chats, indiscriminately and without a court order.

• The Reality: This is not just about finding known illegal images. The mandate allows for the scanning of private text messages, unknown images, and metadata using unreliable algorithms and AI.
• The Failure: These algorithms are notoriously unreliable. The German Federal Police (BKA) has warned that 50% of all reports generated under the current voluntary scheme are criminally irrelevant.
• Breyer’s comment: “We are talking about tens of thousands of completely legal, private chats being leaked to police annually due to faulty algorithms and AI. This is no more reliable than guessing. Calling this ‘voluntary’ does not make the violation of the digital secrecy of correspondence any less severe.”

2. The Death of anonymous communications: Age Checks for Everyone
To comply with the Council’s requirement to “reliably identify minors,” providers will be forced to verify the age of every single user.

• The Reality: This means every citizen will effectively have to upload an ID or undergo a face scan to open an email or messenger account.
• The Consequence: This creates a de facto ban on anonymous communication—a vital lifeline for whistleblowers, journalists, political activists, and abuse victims seeking help.
• Unworkable alternative: Experts have warned that other methods for “Age assessment cannot be performed in a privacy-preserving way with current technology due to reliance on biometric, behavioural or contextual information… In fact, it incentivizes (children’s) data collection and exploitation. We conclude that age assessment presents an inherent disproportionate risk of serious privacy violation and discrimination, without guarantees of effectiveness.”

3. “Digital House Arrest” for Teenagers
Under the guise of protection, the Council text proposes barring users under 17 from using apps with chat functions—including WhatsApp, Instagram, and popular online games—unless stringent conditions are met.

• The Reality: This amounts to a “Digital House Arrest,” isolating youth from their social circles and digital education.
• Breyer’s comment: “Protection by exclusion is pedagogical nonsense. Instead of empowering teenagers, the Council wants to lock them out of the digital world entirely.”

A Dangerous Road to 2026

Today’s vote was far from unanimous, with the Czech Republic, the Netherlands, and Poland voting against, and Italy abstaining, reflecting deep concerns within the EU about the legality and proportionality of the measure.

Negotiations (“Trilogues”) between the Council and the European Parliament will soon begin, with the aim of finalizing the text before April 2026.

“We must stop pretending that ‘voluntary’ mass surveillance is acceptable in a democracy,” Breyer concludes. “We are facing a future where you need an ID card to send a message, and where foreign black-box AI decides if your private photos are suspicious. This is not a victory for privacy; it is a disaster waiting to happen.”

Background Information & Contact

About the Vote: The Council mandate was today endorsed by the Committee of Permanent Representatives (COREPER).
About the Procedure: The text will now be negotiated with the European Parliament. The Parliament’s mandate (adopted in Nov 2023) explicitly rules out indiscriminate scanning and demands targeted surveillance based on suspicion.

More information: chatcontrol.eu

patrick-breyer.de/en/reality-c…

Dunque, sono partito con l'organizzazione questa primavera.

Ho contattato diverse associazioni che si occupano di violenza di genere, una mi ha risposto e ha messo a disposizione una psicologa delle loro (che arrivava da fuori Firenze). Ho contattato un sindacato della scuola perché facessero arrivare la notizia a qualche insegnante/dirigente scolastico nel tentativo di coinvolgere gli studenti (scelta sbagliatissima perché non hanno fatto assolutamente nulla, la prossima volta contatterò direttamente i rappresentanti degli studenti). Ho prenotato la sala alla casa del popolo. Come RSU abbiamo convocato un'assemblea dei lavoratori di 4 ore in modo che la gente potesse partecipare senza prendere permessi o ferie. Ho fatto la locandina. Stamattina mi sono alzato alle 6:30 per andare lì a preparare la sala (sistemazione PC per fare un video, impianto amplificazione, sistemazione sedie, ecc.).

Risultato: 10 persone (su più di 150 dipendenti della mia azienda).

E niente...

Sono passati dodici mesi dall’entrata in vigore della legge n. 169 del 2024, la cosiddetta “legge Varchi”, che ha esteso il reato di surrogazione di maternità anche quando compiuto all’estero da cittadini italiani. Una norma formalmente efficace da dicembre 2024, ma che nella realtà ha iniziato a produrre effetti solo nove mesi dopo: lo stesso tempo di una gravidanza. Eppure, alcune Procure hanno provato a forzarne un’applicazione immediata, fingendo di non sapere ciò che tutta la dottrina penalistica ripete da anni: il reato non “nasce” con il bambino, ma con il trasferimento dell’embrione — o, al limite, con la sua formazione.

Proprio ora, dunque, stanno arrivando i primi casi concreti, con famiglie che rischiano fino a due anni di reclusione e un milione di euro di multa per essersi rivolte alla gravidanza per altri per ragioni mediche o sociali. L’Italia si propone così come esportatrice di un “reato universale”, calpestando i principi fondamentali del nostro ordinamento, come fatto in fondo molteplici volte con la legge 40. Non a caso: la legge 40 è stata dichiarata incostituzionale almeno quattro volte. Eppure eccoci qui, a ripetere gli stessi errori, tentando addirittura di imporli al resto del mondo. Una vera universalizzazione dell’assurdo.

Non sorprende, quindi, che la ministra Roccella abbia sfruttato la presentazione alle Nazioni Unite del rapporto della Special Rapporteur Reem Alsalem per rilanciare una narrazione priva di basi solide. Il rapporto parla di gravidanza per altri mescolando luoghi comuni e timori astratti; interrogata sui dati, la stessa Alsalem ha ammesso che non ce ne sono. E certo che mancano: il proibizionismo crea clandestinità, e dunque procedure sommerse che spesso determinano abusi. Inoltre il rapporto afferma che molto spesso il consenso delle donne gestanti non c’è, e se c’è, non è valido, perché viziato dal solo fatto di essere una gestante. Un corto circuito di cui sarebbe interessante sapere cosa pensa anche Giorgia Meloni a seguito della riforma del reato di violenza sessuale che introduce il consenso come elemento per il quale “se non c’è consenso è violenza sessuale.” Secondo quanto afferma il rapporto di Reem Alsalem, nonché tutti i sostenitori del reato universale, il reato di surrogazione di maternità, a tutela della dignità della gestante, si applica anche quanto il consenso c’è. Dunque il consenso assume caratteristiche e valore completamente diverso a seconda dell’uso strumentale e ideologico che la politica ne sta facendo. Sarebbe come dire che in certi casi non graditi al governo, il reato di violenza sessuale che tutela solo ed esclusivamente la libertà personale, si applica anche se c’è il pieno consenso della donna.

In Europa, la direttiva anti-tratta condanna solo la surrogazione che comporta sfruttamento, lasciando agli Stati la possibilità di regolare la GPA. La recente risoluzione del Parlamento europeo, nell’ambito della Gender Equality Strategy (Strategia per l’eguaglianza di genere) però, ha aggiunto ambiguità: il passaggio secondo cui “la maternità surrogata, che comporta sfruttamento, deve essere condannata” può essere interpretato in modi diversi. La lettura più coerente è quella che distingue chiaramente tra pratiche sfruttative — da condannare — e percorsi autodeterminati e tutelati. Ma resta urgente una chiarezza normativa e linguistica che oggi manca.

Ecco perché, su un tema tanto delicato, dovremmo tornare alla realtà, ai dati, ai diritti. Oggi si respira una profonda preoccupazione nell’affrontare i temi legati alla surrogazione di maternità, è difficile trovare o promuovere dibattiti pubblici perché la formulazione del reato, che estende la perseguibilità anche a varie e ambigue forme di pubblicizzazione, di fatto spaventa con effetti deterrenti. Occorre quindi riportare il tema tra le persone, non per promuovere una procedura di fecondazione assistita che sicuramente coinvolge molti aspetti personali e delicati, ma per informare correttamente le persone che esistono forme regolamentate e rispettose dei diritti e le volontà di tutte le persone coinvolte.

L'articolo La gravidanza per altri a un anno dall’entrata in vigore del reato universale proviene da Associazione Luca Coscioni.

Just like the 2000s

Flip phones grew popular, Windows XP debuted on personal computers, Apple introduced the iPod, peer-to-peer file sharing via torrents was taking off, and MSN Messenger dominated online chat. That was the tech scene in 2001, the same year when Sir Dystic of Cult of the Dead Cow published SMBRelay, a proof-of-concept that brought NTLM relay attacks out of theory and into practice, demonstrating a powerful new class of authentication relay exploits.

Ever since that distant 2001, the weaknesses of the NTLM authentication protocol have been clearly exposed. In the years that followed, new vulnerabilities and increasingly sophisticated attack methods continued to shape the security landscape. Microsoft took up the challenge, introducing mitigations and gradually developing NTLM’s successor, Kerberos. Yet more than two decades later, NTLM remains embedded in modern operating systems, lingering across enterprise networks, legacy applications, and internal infrastructures that still rely on its outdated mechanisms for authentication.

Although Microsoft has announced its intention to retire NTLM, the protocol remains present, leaving an open door for attackers who keep exploiting both long-standing and newly discovered flaws.

In this blog post, we take a closer look at the growing number of NTLM-related vulnerabilities uncovered over the past year, as well as the cybercriminal campaigns that have actively weaponized them across different regions of the world.

How NTLM authentication works

NTLM (New Technology LAN Manager) is a suite of security protocols offered by Microsoft and intended to provide authentication, integrity, and confidentiality to users.

In terms of authentication, NTLM is a challenge-response-based protocol used in Windows environments to authenticate clients and servers. Such protocols depend on a shared secret, typically the client’s password, to verify identity. NTLM is integrated into several application protocols, including HTTP, MSSQL, SMB, and SMTP, where user authentication is required. It employs a three-way handshake between the client and server to complete the authentication process. In some instances, a fourth message is added to ensure data integrity.

The full authentication process appears as follows:

1. The client sends a NEGOTIATE_MESSAGE to advertise its capabilities.
2. The server responds with a CHALLENGE_MESSAGE to verify the client’s identity.
3. The client encrypts the challenge using its secret and responds with an AUTHENTICATE_MESSAGE that includes the encrypted challenge, the username, the hostname, and the domain name.
4. The server verifies the encrypted challenge using the client’s password hash and confirms its identity. The client is then authenticated and establishes a valid session with the server. Depending on the application layer protocol, an authentication confirmation (or failure) message may be sent by the server.

Importantly, the client’s secret never travels across the network during this process.

NTLM is dead — long live NTLM

Despite being a legacy protocol with well-documented weaknesses, NTLM continues to be used in Windows systems and hence actively exploited in modern threat campaigns. Microsoft has announced plans to phase out NTLM authentication entirely, with its deprecation slated to begin with Windows 11 24H2 and Windows Server 2025 (1, 2, 3), where NTLMv1 is removed completely, and NTLMv2 disabled by default in certain scenarios. Despite at least three major public notices since 2022 and increased documentation and migration guidance, the protocol persists, often due to compatibility requirements, legacy applications, or misconfigurations in hybrid infrastructures.

As recent disclosures show, attackers continue to find creative ways to leverage NTLM in relay and spoofing attacks, including new vulnerabilities. Moreover, they introduce alternative attack vectors inherent to the protocol, which will be further explored in the post, specifically in the context of automatic downloads and malware execution via WebDAV following NTLM authentication attempts.

Persistent threats in NTLM-based authentication

NTLM presents a broad threat landscape, with multiple attack vectors stemming from its inherent design limitations. These include credential forwarding, coercion-based attacks, hash interception, and various man-in-the-middle techniques, all of them exploiting the protocol’s lack of modern safeguards such as channel binding and mutual authentication. Prior to examining the current exploitation campaigns, it is essential to review the primary attack techniques involved.

Hash leakage

Hash leakage refers to the unintended exposure of NTLM authentication hashes, typically caused by crafted files, malicious network paths, or phishing techniques. This is a passive technique that doesn’t require any attacker actions on the target system. A common scenario involving this attack vector starts with a phishing attempt that includes (or links to) a file designed to exploit native Windows behaviors. These behaviors automatically initiate NTLM authentication toward resources controlled by the attacker. Leakage often occurs through minimal user interaction, such as previewing a file, clicking on a remote link, or accessing a shared network resource. Once attackers have the hashes, they can reuse them in a credential forwarding attack.

Coercion-based attacks

In coercion-based attacks, the attacker actively forces the target system to authenticate to an attacker-controlled service. No user interaction is needed for this type of attack. For example, tools like PetitPotam or PrinterBug are commonly used to trigger authentication attempts over protocols such as MS-EFSRPC or MS-RPRN. Once the victim system begins the NTLM handshake, the attacker can intercept the authentication hash or relay it to a separate target, effectively impersonating the victim on another system. The latter case is especially impactful, allowing immediate access to file shares, remote management interfaces, or even Active Directory Certificate Services, where attackers can request valid authentication certificates.

Credential forwarding

Credential forwarding refers to the unauthorized reuse of previously captured NTLM authentication tokens, typically hashes, to impersonate a user on a different system or service. In environments where NTLM authentication is still enabled, attackers can leverage previously obtained credentials (via hash leakage or coercion-based attacks) without cracking passwords. This is commonly executed through Pass-the-Hash (PtH) or token impersonation techniques. In networks where NTLM is still in use, especially in conjunction with misconfigured single sign-on (SSO) or inter-domain trust relationships, credential forwarding may provide extensive access across multiple systems.

This technique is often used to facilitate lateral movement and privilege escalation, particularly when high-privilege credentials are exposed. Tools like Mimikatz allow extraction and injection of NTLM hashes directly into memory, while Impacket’s wmiexec.py, PsExec.py, and secretsdump.py can be used to perform remote execution or credential extraction using forwarded hashes.

Man-in-the-Middle (MitM) attacks

An attacker positioned between a client and a server can intercept, relay, or manipulate authentication traffic to capture NTLM hashes or inject malicious payloads during the session negotiation. In environments where safeguards such as digital signing or channel binding tokens are missing, these attacks are not only possible but frequently easy to execute.

Among MitM attacks, NTLM relay remains the most enduring and impactful method, so much so that it has remained relevant for over two decades. Originally demonstrated in 2001 through the SMBRelay tool by Sir Dystic (member of Cult of the Dead Cow), NTLM relay continues to be actively used to compromise Active Directory environments in real-world scenarios. Commonly used tools include Responder, Impacket’s NTLMRelayX, and Inveigh. When NTLM relay occurs within the same machine from which the hash was obtained, it is also referred to as NTLM reflexion attack.

NTLM exploitation in 2025

Over the past year, multiple vulnerabilities have been identified in Windows environments where NTLM remains enabled implicitly. This section highlights the most relevant CVEs reported throughout the year, along with key attack vectors observed in real-world campaigns.

CVE-2024‑43451

CVE-2024‑43451 is a vulnerability in Microsoft Windows that enables the leakage of NTLMv2 password hashes with minimal or no user interaction, potentially resulting in credential compromise.

The vulnerability exists thanks to the continued presence of the MSHTML engine, a legacy component originally developed for Internet Explorer. Although Internet Explorer has been officially deprecated, MSHTML remains embedded in modern Windows systems for backward compatibility, particularly with applications and interfaces that still rely on its rendering or link-handling capabilities. This dependency allows .url files to silently invoke NTLM authentication processes through crafted links without necessarily being open. While directly opening the malicious .url file reliably triggers the exploit, the vulnerability may also be activated through alternative user actions such as right clicking, deleting, single-clicking, or just moving the file to a different folder.

Attackers can exploit this flaw by initiating NTLM authentication over SMB to a remote server they control (specifying a URL in UNC path format), thereby capturing the user’s hash. By obtaining the NTLMv2 hash, an attacker can execute a pass-the-hash attack (e.g. by using tools like WMIExec or PSExec) to gain network access by impersonating a valid user, without the need to know the user’s actual credentials.

A particular case of this vulnerability occurs when attackers use WebDAV servers, a set of extensions to the HTTP protocol, which enables collaboration on files hosted on web servers. In this case, a minimal interaction with the malicious file, such as a single click or a right click, triggers automatic connection to the server, file download, and execution. The attackers use this flaw to deliver malware or other payloads to the target system. They also may combine this with hash leaking, for example, by installing a malicious tool on the victim system and using the captured hashes to perform lateral movement through that tool.

The vulnerability was addressed by Microsoft in its November 2024 security updates. In patched environments, motion, deletion, right-clicking the crafted .url file, etc. won’t trigger a connection to a malicious server. However, when the user opens the exploit, it will still work.

After the disclosure, the number of attacks exploiting the vulnerability grew exponentially. By July this year, we had detected around 600 suspicious .url files that contain the necessary characteristics for the exploitation of the vulnerability and could represent a potential threat.

BlindEagle campaign delivering Remcos RAT via CVE-2024-43451

BlindEagle is an APT threat actor targeting Latin American entities, which is known for their versatile campaigns that mix espionage and financial attacks. In late November 2024, the group started a new attack targeting Colombian entities, using the Windows vulnerability CVE-2024-43451 to distribute Remcos RAT. BlindEagle created .url files as a novel initial dropper. These files were delivered through phishing emails impersonating Colombian government and judicial entities and using alleged legal issues as a lure. Once the recipients were convinced to download the malicious file, simply interacting with it would trigger a request to a WebDAV server controlled by the attackers, from which a modified version of Remcos RAT was downloaded and executed. This version contained a module dedicated to stealing cryptocurrency wallet credentials.

The attackers executed the malware automatically by specifying port 80 in the UNC path. This allowed the connection to be made directly using the WebDAV protocol over HTTP, thereby bypassing an SMB connection. This type of connection also leaks NTLM hashes. However, we haven’t seen any subsequent usage of these hashes.

Following this campaign and throughout 2025, the group persisted in launching multiple attacks using the same initial attack vector (.url files) and continued to distribute Remcos RAT.

We detected more than 60 .url files used as initial droppers in BlindEagle campaigns. These were sent in emails impersonating Colombian judicial authorities. All of them communicated via WebDAV with servers controlled by the group and initiated the attack chain that used ShadowLadder or Smoke Loader to finally load Remcos RAT in memory.

Head Mare campaigns against Russian targets abusing CVE-2024-43451

Another attack detected after the Microsoft disclosure involves the hacktivist group Head Mare. This group is known for perpetrating attacks against Russian and Belarusian targets.

In past campaigns, Head Mare exploited various vulnerabilities as part of its techniques to gain initial access to its victims’ infrastructure. This time, they used CVE 2024-43451. The group distributed a ZIP file via phishing emails under the name “Договор на предоставление услуг №2024-34291” (“Service Agreement No. 2024-34291”). This had a .url file named “Сопроводительное письмо.docx” (translated as “Cover letter.docx”).

The .url file connected to a remote SMB server controlled by the group under the domain:
document-file[.]ru/files/documents/zakupki/MicrosoftWord.exe
The domain resolved to the IP address 45.87.246.40 belonging to the ASN 212165, used by the group in the campaigns previously reported by our team.
According to our telemetry data, the ZIP file was distributed to 121 users, 50% of whom belong to the manufacturing sector, 35% to education and science, and 5% to government entities, among other sectors. Of all the targets, 22 users interacted with the .url file.

To achieve their goals at the targeted companies, Head Mare used a number of publicly available tools, including open-source software, to perform lateral movement and privilege escalation, forwarding the leaked hashes. Among these tools detected in previous attacks are Mimikatz, Secretsdump, WMIExec, and SMBExec, with the last three being part of the Impacket suite tool.

In this campaign, we detected attempts to exploit the vulnerability CVE-2023-38831 in WinRAR, used as an initial access in a campaign that we had reported previously, and in two others, we found attempts to use tools related to Impacket and SMBMap.

The attack, in addition to collecting NTLM hashes, involved the distribution of the PhantomCore malware, part of the group’s arsenal.

CVE-2025-24054/CVE-2025-24071

CVE-2025-24071 and CVE-2025-24054, initially registered as two different vulnerabilities, but later consolidated under the second CVE, is an NTLM hash leak vulnerability affecting multiple Windows versions, including Windows 11 and Windows Server. The vulnerability is primarily exploited through specially crafted files, such as .library-ms files, which cause the system to initiate NTLM authentication requests to attacker-controlled servers.

This exploitation is similar to CVE-2024-43451 and requires little to no user interaction (such as previewing a file), enabling attackers to capture NTLMv2 hashes and gain unauthorized access or escalate privileges within the network. The most common and widespread exploitation of this vulnerability occurs with .library-ms files inside ZIP/RAR archives, as it is easy to trick users into opening or previewing them. In most incidents we observed, the attackers used ZIP archives as the distribution vector.

Trojan distribution in Russia via CVE-2025-24054

In Russia, we identified a campaign distributing malicious ZIP archives with the subject line “акт_выполненных_работ_апрель” (certificate of work completed April). These files inside the archives masqueraded as .xls spreadsheets but were in fact .library-ms files that automatically initiated a connection to servers controlled by the attackers. The malicious files contained the same embedded server IP address 185.227.82.72.

When the vulnerability was exploited, the file automatically connected to that server, which also hosted versions of the AveMaria Trojan (also known as Warzone) for distribution. AveMaria is a remote access Trojan (RAT) that gives attackers remote control to execute commands, exfiltrate files, perform keylogging, and maintain persistence.

CVE-2025-33073

CVE-2025-33073 is a high-severity NTLM reflection vulnerability in the Windows SMB client’s access control. An authenticated attacker within the network can manipulate SMB authentication, particularly via local relay, to coerce a victim’s system into authenticating back to itself as SYSTEM. This allows the attacker to escalate privileges and execute code at the highest level.

The vulnerability relies on a flaw in how Windows determines whether a connection is local or remote. By crafting a specific DNS hostname that partially overlaps with the machine’s own name, an attacker can trick the system into believing the authentication request originates from the same host. When this happens, Windows switches into a “local authentication” mode, which bypasses the normal NTLM challenge-response exchange and directly injects the user’s token into the host’s security subsystem. If the attacker has coerced the victim into connecting to the crafted hostname, the token provided is essentially the machine’s own, granting the attacker privileged access on the host itself.

This behavior emerges because the NTLM protocol sets a special flag and context ID whenever it assumes the client and server are the same entity. The attacker’s manipulation causes the operating system to treat an external request as internal, so the injected token is handled as if it were trusted. This self-reflection opens the door for the adversary to act with SYSTEM-level privileges on the target machine.

Suspicious activity in Uzbekistan involving CVE-2025-33073

We have detected suspicious activity exploiting the vulnerability on a target belonging to the financial sector in Uzbekistan.

We have obtained a traffic dump related to this activity, and identified multiple strings within this dump that correspond to fragments related to NTLM authentication over SMB. The dump contains authentication negotiations showing SMB dialects, NTLMSSP messages, hostnames, and domains. In particular, the indicators:

• The hostname localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA, a manipulated hostname used to trick Windows into treating the authentication as local
• The presence of the IPC$ resource share, common in NTLM relay/reflection attacks, because it allows an attacker to initiate authentication and then perform actions reusing that authenticated session

The incident began with exploitation of the NTLM reflection vulnerability. The attacker used a crafted DNS record to coerce the host into authenticating against itself and obtain a SYSTEM token. After that, the attacker checked whether they had sufficient privileges to execute code using batch files that ran simple commands such as whoami:
%COMSPEC% /Q /c echo whoami ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Persistence was then established by creating a suspicious service entry in the registry under:
reg:\\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\YlHXQbXO
With SYSTEM privileges, the attacker attempted several methods to dump LSASS (Local Security Authority Subsystem Service) memory:

1. Using rundll32.exe:
   C:\Windows\system32\cmd.exe /Q /c CMD.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, #+0000^24 ^%B \Windows\Temp\vdpk2Y.sav fullThe command locates the lsass.exe process, which holds credentials in memory, extracts its PID, and invokes an internal function of comsvcs.dll to dump LSASS memory and save it. This technique is commonly used in post-exploitation (e.g., Mimikatz or other “living off the land” tools).
2. Loading a temporary DLL (BDjnNmiX.dll):
   C:\Windows\system32\cmd.exe /Q /c cMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tAsKLISt /fi "Imagename eq lSAss.ex*" | find "lsass""') do rundll32.exe C:\Windows\Temp\BDjnNmiX.dll #+0000^24 ^%B \Windows\Temp\sFp3bL291.tar.log fullThe command tries to dump the LSASS memory again, but this time using a custom DLL.
3. Running a PowerShell script (Base64-encoded):
   The script leverages MiniDumpWriteDump via reflection. It uses the Out-Minidump function that writes a process dump with all process memory to disk, similar to running procdump.exe.

Several minutes later, the attacker attempted lateral movement by writing to the administrative share of another host, but the attempt failed. We didn’t see any evidence of further activity.

Protection and recommendations

Disable/Limit NTLM

As long as NTLM remains enabled, attackers can exploit vulnerabilities in legacy authentication methods. Disabling NTLM, or at the very least limiting its use to specific, critical systems, significantly reduces the attack surface. This change should be paired with strict auditing to identify any systems or applications still dependent on NTLM, helping ensure a secure and seamless transition.

Implement message signing

NTLM works as an authentication layer over application protocols such as SMB, LDAP, and HTTP. Many of these protocols offer the ability to add signing to their communications. One of the most effective ways to mitigate NTLM relay attacks is by enabling SMB and LDAP signing. These security features ensure that all messages between the client and server are digitally signed, preventing attackers from tampering with or relaying authentication traffic. Without signing, NTLM credentials can be intercepted and reused by attackers to gain unauthorized access to network resources.

Enable Extended Protection for Authentication (EPA)

EPA ties NTLM authentication to the underlying TLS or SSL session, ensuring that captured credentials cannot be reused in unauthorized contexts. This added validation can be applied to services such as web servers and LDAP, significantly complicating the execution of NTLM relay attacks.

Monitor and audit NTLM traffic and authentication logs

Regularly reviewing NTLM authentication logs can help identify abnormal patterns, such as unusual source IP addresses or an excessive number of authentication failures, which may indicate potential attacks. Using SIEM tools and network monitoring to track suspicious NTLM traffic enhances early threat detection and enables a faster response.

Conclusions

In 2025, NTLM remains deeply entrenched in Windows environments, continuing to offer cybercriminals opportunities to exploit its long-known weaknesses. While Microsoft has announced plans to phase it out, the protocol’s pervasive presence across legacy systems and enterprise networks keeps it relevant and vulnerable. Threat actors are actively leveraging newly disclosed flaws to refine credential relay attacks, escalate privileges, and move laterally within networks, underscoring that NTLM still represents a major security liability.

The surge of NTLM-focused incidents observed throughout 2025 illustrates the growing risks of depending on outdated authentication mechanisms. To mitigate these threats, organizations must accelerate deprecation efforts, enforce regular patching, and adopt more robust identity protection frameworks. Otherwise, NTLM will remain a convenient and recurring entry point for attackers.

securelist.com/ntlm-abuse-in-2…

We love and hate OpenSCAD. As programmers, we like describing objects we want to 3D print or otherwise model. As programmers, we hate all the strange things about OpenSCAD that make it not like a normal programming language. Maybe µCAD (or Microcad) is the answer. This new entry in the field lets you build things programmatically and is written in Rust.

In fact, the only way to get it right now is to build it from source using cargo. Assuming you already have Rust, that’s not hard. Simply enter: cargo install microcad. If you don’t already have Rust, well, then that’s a problem. However, we did try to build it, and despite having the native library libmanifold available, Rust couldn’t find it. You might have better luck.

You can get a feel for the language by going through one of the tutorials, like the one for building a LEGO-like shape. Here’s a bit of code from that tutorial:

use std::geo2d::*;
use std::ops::*;

const SPACING = 8mm;

op grid(columns: Integer, rows: Integer) {
@input
.translate(x = [1..columns] * SPACING, y = [1..rows] * SPACING)
.align()
}

sketch Base(
columns: Integer,
rows: Integer,
width: Length,
height: Length
) {
thickness = 1.2mm;
frame = Frame(width, height, thickness);
struts = Ring(outer_d = 6.51mm, inner_d = 4.8mm)
.grid(columns = columns-1, rows = rows-1);
frame | struts;
}

There are proper functions, support for 2D sketches and 3D objects, and even a VSCode extension.

Will you try it? If we can get it to build, we will. Meanwhile, there’s always OpenSCAD. Even TinkerCAD can do some parametric modeling.

hackaday.com/2025/11/26/microc…

It’s clock time again on Hackaday, this time with a lovely laser-cut biretrograde clock by [PaulH175] over on Instructables. If you’ve never heard of a ‘biretrograde clock,’ well, we hadn’t either. This is clearly a form of retrograde clock, which unlike the name implies doesn’t spin backwards but oscillates in its motion– the hands ‘go retrograde’ the same way the planets do.

The oscillating movement is achieved via a pair of cams mounted on the hour and minute shafts of a common clock mechanism. As the shafts (and thus cams) turn, the minute and hour arms are raised and drop. While that could itself be enough to tell the time, [Paul] goes one further and has the actual hands on pivots driven by a gear mechanism on the cam-controlled arms. You might think that that extra reversal is what makes this a ‘biretrograde clock’ but in the clockmaker’s world that’s just saying it’s a retrograde clock with two indicators: in this case, minute and second.

It’s a fairly rare way to make a clock, but we’ve seen one before. That older project was 3D printed, which might be more your speed; if you prefer laser-cutting, though, [Paul]’s Instructable includes SVG files. Alternatively, you could take a different approach and use voltmeters to get the same effect.

hackaday.com/2025/11/26/theres…