Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025
ID: c229e85d-36e2-573d-9a5e-26ea61f77343
STIX ID: report--c229e85d-36e2-573d-9a5e-26ea61f77343
Feed Name: Securelist by Kaspersky
This report analyzes a set of NTLM authentication vulnerabilities disclosed in 2024–2025 (CVE-2024-43451, CVE-2025-24054/24071, CVE-2025-33073), documents active exploitation in the wild by actors such as BlindEagle and Head Mare using crafted .url and .library-ms files to leak NTLMv2 hashes and distribute RATs (Remcos, PhantomCore, AveMaria), describes attacker techniques (hash leakage, coercion, NTLM relay/reflection, LSASS dumping), provides IOCs (malicious file types, IPs, manipulated hostnames, registry/service artifacts), and recommends mitigations (disable/limit NTLM, enable signing and EPA, audit NTLM traffic).