APT28 Exploits Microsoft Office Vulnerability
The Russia-linked state-sponsored threat actor, APT28 (also known as UAC-0001), has been identified exploiting a newly disclosed security flaw in Microsoft Office. This campaign, codenamed Operation Neusploit, began weaponizing the vulnerability on January 29, 2026, three days after its public disclosure by Microsoft.
The Vulnerability: CVE-2026-21509
The exploited vulnerability is CVE-2026-21509, a security feature bypass in Microsoft Office with a CVSS score of 7.8. An unauthorized attacker can exploit it by delivering a specially crafted Office file to the victim. Its discovery and reporting are credited to the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), the Office Product Group Security Team, and the Google Threat Intelligence Group (GTIG).
Campaign Targets and Evasion
Initial attacks targeted users in Ukraine, Slovakia, and Romania. Subsequent reports from Trellix indicated broader targeting of European military and government entities, specifically maritime and transport organizations, across Poland, Slovenia, Turkey, Greece, the U.A.E., and Ukraine.
Evasion Techniques
- Social engineering lures were crafted in English and localized languages (Romanian, Slovak, Ukrainian).
- The threat actor employed server-side evasion, delivering the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.
Attack Chain and Payloads
The attack typically starts with exploitation of the vulnerability via a malicious RTF file, which delivers one of two primary droppers:
- MiniDoor Dropper: Delivers MiniDoor, a C++-based DLL designed to steal emails from various Outlook folders (Inbox, Junk, Drafts) and forward them to hard-coded threat actor email addresses. MiniDoor is considered a stripped-down version of NotDoor (aka GONEPOSTAL).
- PixyNetLoader Dropper: Initiates a more complex attack, deploying additional components and establishing persistence via COM object hijacking. Payloads include a shellcode loader ("EhStoreShell.dll") and a PNG image ("SplashScreen.png"). The loader parses shellcode concealed within the image using steganography and executes it only if the machine is not an analysis environment and the host process is "explorer.exe". The shellcode then loads an embedded .NET assembly, a Grunt implant associated with the open-source .NET COVENANT command-and-control (C2) framework.
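A defender-side illustration of the COM hijacking persistence described above, added here and not taken from the report or from any of the vendors cited: a heuristic run over constructed Sysmon-style registry events that flags a per-user CLSID InprocServer32 registration pointing at a DLL in a user-writable directory, the shape a hijacked COM server takes. The CLSID, SID, user name and paths in the sample events are placeholders, not campaign indicators.

```python
import re

# Constructed Sysmon-style registry value-set events (Event ID 13). Sample data
# only: the CLSID, SID, user name and paths are placeholders, not campaign IoCs.
SAMPLE_EVENTS = [
    {   # per-user CLSID registration written by Word, DLL in the user profile: hijack-shaped
        "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
        "details": r"C:\Users\alice\AppData\Roaming\Microsoft\EhStoreShell.dll",
    },
    {   # machine-wide registration by an installer into Program Files: benign shape
        "image": r"C:\Windows\System32\msiexec.exe",
        "target": r"HKLM\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32\(Default)",
        "details": r"C:\Program Files\Vendor\vendor.dll",
    },
    {   # per-user key, but a ThreadingModel value rather than the server path: out of scope
        "image": r"C:\Windows\explorer.exe",
        "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\ThreadingModel",
        "details": "Apartment",
    },
]

# Per-user CLSID entries (HKCU / HKU\<SID>) are resolved before HKLM for a
# non-elevated process, which is what makes a user-hive InprocServer32 hijackable.
USER_HIVE = re.compile(
    r"^(HKU\\[^\\]+|HKCU)\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32\\\(Default\)$", re.I)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp|Users\\Public)\\", re.I)
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def classify(event):
    """Return the reasons an event looks like COM hijacking; an empty list means not flagged."""
    reasons = []
    if not USER_HIVE.match(event["target"]):
        return reasons  # only per-user InprocServer32 default values are in scope
    reasons.append("per-user CLSID InprocServer32 registration")
    if USER_WRITABLE.search(event["details"]):
        reasons.append("server DLL lives in a user-writable directory")
    if event["image"].lower().rsplit("\\", 1)[-1] in OFFICE_APPS:
        reasons.append("written by an Office process")
    return reasons

def scan(events):
    """Map event index -> reasons for every event that trips at least two heuristics."""
    return {i: r for i, ev in enumerate(events) if len(r := classify(ev)) >= 2}

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(why)}")
```

The two-heuristic threshold keeps legitimate per-user COM registrations (common for per-user installs) from alerting on their own; tune the writable-path list to the environment.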
Overlaps and Further Observations
Zscaler noted that the PixyNetLoader infection chain shares significant overlap with previous APT28 campaigns, such as Operation Phantom Net Voxel, despite using a DLL instead of VBA macros. Similar techniques include COM hijacking, DLL proxying, XOR string encryption, and steganography for embedded Covenant Grunt and its shellcode loader.
Ukraine's Computer Emergency Response Team (CERT-UA) also reported APT28's abuse of CVE-2026-21509, targeting over 60 email addresses of central executive authorities. Their investigation found that opening weaponized Word documents initiated a network connection via WebDAV to download a malicious shortcut file, leading to the deployment of the COVENANT framework's Grunt implant.
Trellix Update
A new report from Trellix, published February 4, 2026, confirmed APT28's rapid exploitation of the Microsoft Office 1-day vulnerability. This updated intelligence highlighted:
- The use of novel payloads, including a simple initial loader, an Outlook VBA backdoor (NotDoor), and a custom C++ implant named 'BEARDSHELL'.
- Abuse of legitimate cloud storage (filen[.]io) for command-and-control (C2) infrastructure.
- Phishing emails containing geopolitically charged narratives, leading to the execution of malicious code when the document is opened, without requiring macros or further user interaction.
- An attack chain that downloads a Microsoft shortcut (LNK) and a DLL (SimpleLoader), which drops either NotDoor or the COVENANT Grunt beacon; the beacon then contacts filen[.]io to deliver the BEARDSHELL backdoor.
Evasion and Resilience
The entire infection chain is designed for resilience and evasion. It uses encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection to minimize forensic artifacts and evade detection across enterprise environments.