APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets
Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, CVE-2026-21509 (a security feature bypass), attributed to Russia-linked UAC-0001 / APT28 (Fancy Bear) and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled Consultation_Topics_Ukraine(Final).doc appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance.
CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The described attack chain begins with opening a malicious DOC, which triggers a WebDAV connection to attacker infrastructure and downloads a shortcut (.lnk) used to stage additional payloads; the chain then deploys components including a DLL masquerading as a legitimate Windows component (e.g., EhStoreShell.dll), with shellcode hidden in a decoy file (e.g., SplashScreen.png), and establishes persistence through COM hijacking (registry modification) and scheduled task creation.
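The chain above maps onto a handful of host-telemetry checks. The following is an added example written for this page, not CERT-UA's or any vendor's detection content: it runs one rule per stage (a .lnk written by an Office process or fetched over a WebDAV UNC path, a genuine Windows DLL name such as EhStoreShell.dll loaded from outside the system directories, a per-user CLSID InprocServer32 registration of the kind COM hijacking relies on, and schtasks /create launched from a user-writable path or an Office parent) over constructed Sysmon-style events. The event field names, file paths, host address and CLSID are assumptions and placeholders, not indicators from the report.

```python
"""Triage rules for the document-to-persistence chain summarised above, run over
constructed Sysmon-style events. Example detection logic written for this page,
not CERT-UA's or any vendor's tooling; field names, sample paths, the host
address and the CLSID are assumptions/placeholders, not indicators from the report."""
import re

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Genuine Windows DLL names the report says were masqueraded; a copy loaded
# from anywhere but the system directories is the anomaly.
MASQUERADE_NAMES = {"ehstoreshell.dll"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# WebDAV-over-UNC syntax (\\host@80\DavWWWRoot\... or \\host@SSL\...).
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+@(80|443|ssl)\\", re.I)
# Per-user CLSID registrations override machine-wide ones: the COM hijacking pattern.
COM_HIJACK = re.compile(
    r"^hk(cu|u\\[^\\]+)\\software\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32", re.I)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def triage(events):
    """Return (rule_name, evidence) pairs for events matching a chain stage."""
    hits = []
    for e in events:
        proc = _basename(e.get("image", ""))
        parent_path = e.get("parent_image", "").lower()
        parent = _basename(parent_path)
        if e["type"] == "FileCreate":
            target = e["target"]
            if target.lower().endswith(".lnk") and (proc in OFFICE_PROCS or WEBDAV_UNC.match(target)):
                hits.append(("lnk_staged_via_office_or_webdav", target))
        elif e["type"] == "ImageLoad":
            loaded = e["loaded"]
            if _basename(loaded) in MASQUERADE_NAMES and not loaded.lower().startswith(SYSTEM_DIRS):
                hits.append(("system_dll_name_outside_system_dir", loaded))
        elif e["type"] == "RegistryValueSet":
            if COM_HIJACK.match(e["key"]):
                hits.append(("com_hijack_hkcu_inprocserver32", e["key"]))
        elif e["type"] == "ProcessCreate":
            cmd = e.get("command_line", "").lower()
            suspicious_parent = parent in OFFICE_PROCS or any(d in parent_path for d in USER_WRITABLE)
            if proc == "schtasks.exe" and "/create" in cmd and suspicious_parent:
                hits.append(("schtasks_create_from_suspicious_parent", e["command_line"]))
    return hits


# Constructed sample telemetry: each stage of the chain paired with a benign look-alike.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Local\Temp\update.lnk"},
    {"type": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\Report.lnk"},                       # benign: user-made shortcut
    {"type": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\Microsoft\EhStoreShell.dll"},
    {"type": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\EhStoreShell.dll"},                     # benign: genuine component
    {"type": "RegistryValueSet", "image": r"C:\Windows\System32\rundll32.exe",
     "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"},  # placeholder CLSID
    {"type": "RegistryValueSet", "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"},  # benign: machine-wide install
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\Microsoft\updater.exe",
     "command_line": 'schtasks.exe /create /tn "Updater" /tr updater.exe /sc onlogon'},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'schtasks.exe /create /tn "Backup" /tr backup.exe /sc daily'},  # benign: admin job
]


def rule_names(events):
    """Distinct rules fired, sorted, for quick comparison in tests and dashboards."""
    return sorted({name for name, _ in triage(events)})


if __name__ == "__main__":
    for name, evidence in triage(SAMPLE_EVENTS):
        print(f"{name}: {evidence}")
```

Each rule is deliberately narrow (a name from a system directory appearing elsewhere, a per-user InprocServer32 write, a task created from a user-writable path) so the same logic transfers to other Office-delivered chains without tuning to this campaign's file names; in production the HKU\<SID> form that Sysmon records for the current user is matched by the same expression.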
Related Stories

APT28 Exploits Microsoft Office RTF Zero-Day (CVE-2026-21509) in Operation Neusploit
**APT28** (Russia-linked) has been observed exploiting a **Microsoft Office RTF zero-day, `CVE-2026-21509`**, in a campaign dubbed **Operation Neusploit** targeting organizations in **Central and Eastern Europe** (including **Ukraine, Slovakia, and Romania**). The intrusion chain begins with **socially engineered emails** delivering **weaponized RTF documents**; opening the file triggers code execution and downloads a malicious **dropper DLL** from attacker-controlled infrastructure, enabling follow-on payload deployment and persistence. Technical analysis describes **two dropper variants** that deploy different components, including **MiniDoor**, a malicious **Microsoft Outlook VBA** project designed to **steal and forward emails**. Observed behaviors include writing the VBA payload to `%appdata%\Microsoft\Outlook\VbaProject.OTM`, creating a mutex (`adjgfenkbe`), and modifying Windows Registry settings to **weaken Outlook security** so the malicious project loads automatically at Outlook startup; string decryption uses XOR routines (including a hardcoded `0x3a` key and a rolling XOR key). Reporting attributes the activity to APT28 based on TTP overlaps and notes exploitation was seen **in the wild** shortly after Microsoft issued an emergency fix.
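For the string decryption described above, here is an added analyst helper written for this page, not the MiniDoor sample's own routine or the reporting vendor's tooling: it implements single-byte XOR with the `0x3a` key the write-up names, an assumed rolling-key variant (key byte incremented per position; the sample's actual schedule is not given in the reporting), and brute-force recovery of an unknown single-byte key by scoring candidate plaintexts for printable ASCII and lowercase letters. The encoded sample strings are constructed inside the block.

```python
"""Analyst helpers for the two XOR string-obfuscation schemes the MiniDoor
write-up mentions. Example code for this page, not the malware's routine or the
reporting vendor's tooling: the single-byte key 0x3a comes from the text, while
the rolling-key rule (key byte incremented per position) and the sample strings
are assumptions constructed here for demonstration."""

HARDCODED_KEY = 0x3A  # single-byte key named in the report


def xor_single(data: bytes, key: int = HARDCODED_KEY) -> bytes:
    """XOR every byte with one fixed key; symmetric, so it both encodes and decodes."""
    return bytes(b ^ key for b in data)


def xor_rolling(data: bytes, seed: int) -> bytes:
    """Rolling-key XOR: byte i is XORed with (seed + i) & 0xFF. The real
    schedule in the sample is not given in the reporting; this one is assumed."""
    return bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(data))


def _plaintext_score(candidate: bytes):
    """Rank a decryption guess: printable-ASCII ratio first, then lowercase letters,
    which separates the true key from keys that merely keep bytes printable."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in candidate)
    lowercase = sum(0x61 <= b <= 0x7A for b in candidate)
    return (printable / max(len(candidate), 1), lowercase)


def recover_single_byte_key(blob: bytes) -> int:
    """Try all 256 keys and return the best-scoring one; the usual first step
    when a sample's key has not yet been read out of the binary."""
    return max(range(256), key=lambda k: _plaintext_score(xor_single(blob, k)))


# Constructed sample: a path of the kind the report describes, encoded with each scheme.
SAMPLE_PLAINTEXT = b"%appdata%\\Microsoft\\Outlook\\VbaProject.OTM"
SAMPLE_SINGLE = xor_single(SAMPLE_PLAINTEXT)
SAMPLE_ROLLING = xor_rolling(SAMPLE_PLAINTEXT, seed=HARDCODED_KEY)


def decode_both() -> tuple:
    """Decode the two constructed blobs back to text with their known keys."""
    return (xor_single(SAMPLE_SINGLE).decode(),
            xor_rolling(SAMPLE_ROLLING, seed=HARDCODED_KEY).decode())


if __name__ == "__main__":
    single, rolling = decode_both()
    print("single-byte   :", single)
    print("rolling       :", rolling)
    print("recovered key : 0x%02x" % recover_single_byte_key(SAMPLE_SINGLE))
```

The brute-force step matters more than the decoders themselves: when a new variant changes the constant, scoring all 256 candidates recovers it from any reasonably long string blob without reversing the routine again, and the lowercase tie-break keeps the scorer from settling on a key that flips only the low bits.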
1 month ago
Fancy Bear Exploits Microsoft RTF Zero-Day CVE-2026-21509 in Operation Neusploit
*Operation Neusploit*, a campaign targeting users in Central and Eastern Europe, has been attributed with high confidence to **Fancy Bear (APT28)**. The campaign weaponizes **CVE-2026-21509**, a **Microsoft RTF** parsing zero-day that enables arbitrary code execution via specially crafted RTF documents. Reported lures were written in multiple languages (including English, Romanian, Slovak, and Ukrainian) and targeted victims in **Ukraine, Slovakia, and Romania**. Microsoft issued an **out-of-band patch** for CVE-2026-21509 on **January 26, 2026**, with in-the-wild exploitation observed shortly after. Post-exploitation activity was described as a multi-stage chain that retrieves a malicious dropper DLL from attacker infrastructure and then deploys different payload paths, including **MiniDoor** (focused on Outlook email theft/exfiltration) and **PixyNetLoader**, which ultimately leads to a **Covenant Grunt** implant for command-and-control. The campaign also uses **evasion and targeting controls**, including region-restricted payload delivery (e.g., only serving malicious DLLs to requests from targeted geographies and specific `User-Agent` patterns) and persistence techniques such as **COM hijacking**, plus additional tradecraft like **steganography in PNG files** and shellcode loading to execute the final implant.
1 month ago
APT28 Exploitation of MSHTML Zero-Day CVE-2026-21513 via Malicious HTML/LNK Files
Akamai reported that **Russia-linked APT28** likely exploited **CVE-2026-21513** (CVSS **8.8**), a high-severity **MSHTML** security feature bypass, prior to Microsoft’s fix in the **February 2026 Patch Tuesday** release. Microsoft confirmed the vulnerability was exploited as a **zero-day** in real-world attacks and credited **MSTIC**, **MSRC**, the **Office Product Group Security Team**, and **Google Threat Intelligence Group (GTIG)** for reporting it. The issue is described as an Internet Explorer/MSHTML security control bypass that can be triggered when a victim opens a **malicious HTML page** or **LNK (shortcut) file**, potentially enabling code execution by causing content to be handled by Windows shell mechanisms. Technical analysis from Akamai tied the root cause to hyperlink navigation logic in `ieframe.dll`, where insufficient URL validation can allow attacker-controlled input to reach `ShellExecuteExW`, enabling execution outside the browser sandbox. Akamai identified an exploit-related artifact (described as `document.doc.LnK.download`) uploaded to VirusTotal on **January 30, 2026**, and associated it with infrastructure linked to **APT28**; reporting also noted the sample had been flagged by **CERT-UA** in the context of APT28 activity. Overall, the reporting indicates active pre-patch exploitation and reinforces the need to prioritize patching and to monitor for delivery vectors involving HTML and LNK attachments/links consistent with APT28 tradecraft.
1 week ago