APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets
Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, CVE-2026-21509 (a security feature bypass), attributed to Russia-linked UAC-0001 / APT28 (Fancy Bear) and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled Consultation_Topics_Ukraine(Final).doc appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance.
CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. In the described attack chain, opening the malicious DOC triggers a WebDAV connection to attacker infrastructure, which downloads a shortcut (.lnk) used to stage additional payloads and deploys components including a DLL masquerading as a legitimate Windows component (e.g., EhStoreShell.dll) with shellcode hidden in a decoy file (e.g., SplashScreen.png); persistence is established through COM hijacking (registry modification) and scheduled task creation.

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
SANS analysis extracts additional IOCs from disguised RTF lure documents
A SANS ISC diary showed that reported .doc lure files were actually RTF documents and demonstrated how to extract embedded URLs and other indicators from them. The analysis surfaced domains, UNC paths, and malformed WebDAV-style references that could aid defenders investigating the campaign.
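The extraction step the diary demonstrates, shown here as an added example that is not SANS's or Mallory's code: a minimal RTF decoder (hex escapes, Unicode escapes, escaped delimiters, control words) followed by indicator regexes for URLs, UNC/WebDAV-style paths and hostnames. The sample RTF and its .invalid hosts are constructed, and the function names are this example's own; the only thing taken from the diary is the observation that ".doc" lures were really RTF, which is_rtf checks by magic bytes.

```python
import re
from urllib.parse import urlsplit

# Constructed sample RTF (not a real lure). Hosts are placeholders under .invalid.
# It hides indicators the way RTF can: a hex-escaped byte (\'70 = 'p'), a \u Unicode
# escape (\u0104 = 'h') and escaped backslashes for a UNC/WebDAV-style path.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    r"\f0\fs22 Consultation topics \par "
    r"\\\\lure.example.invalid@80\\share\\stage.lnk \par "
    r"htt\'70://c2.example.invalid/update.php \par "
    r"\u0104?ttp://drop.example.invalid:8080/a \par "
    r"}"
)

# One-pass tokenizer: hex escape | unicode escape (+ one substitute char) | escaped
# delimiter | control word with optional numeric argument and one trailing space |
# \* marker | group brace | any other character.
TOKEN = re.compile(
    r"\\'([0-9A-Fa-f]{2})"
    r"|\\u(-?\d+)\s?[^\\{}]?"
    r"|\\([\\{}])"
    r"|\\([A-Za-z]+)(-?\d+)? ?"
    r"|\\\*"
    r"|([{}])"
    r"|(.)",
    re.S,
)


def is_rtf(data: bytes) -> bool:
    """RTF files start with the {\\rtf group regardless of their extension."""
    return data.lstrip().startswith(b"{\\rtf")


def rtf_to_text(rtf: str) -> str:
    """Decode escapes and drop control words so regexes see the rendered text."""
    out = []
    for m in TOKEN.finditer(rtf):
        hexb, uni, esc, word, _num, _brace, ch = m.groups()
        if hexb is not None:
            out.append(chr(int(hexb, 16)))
        elif uni is not None:
            out.append(chr(int(uni) % 65536))  # negative values wrap per the RTF spec
        elif esc is not None:
            out.append(esc)
        elif word is not None:
            if word in ("par", "line"):
                out.append("\n")
        elif ch is not None and ch not in "\r\n":
            out.append(ch)
    return "".join(out)


URL_RE = re.compile(r"\bhttps?://[^\s\"'<>{}]+", re.I)
# \\host[@port | @SSL@port]\path... as used for WebDAV retrieval through UNC syntax.
UNC_RE = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9.\-]+)(?:@(?:SSL@)?\d{1,5})?(?:\\[^\s\\]+)+", re.I
)


def extract_indicators(rtf: str) -> dict:
    """Return sorted unique URLs, UNC paths and hostnames found in the RTF."""
    text = rtf_to_text(rtf)
    urls = sorted(set(URL_RE.findall(text)))
    unc = sorted({m.group(0) for m in UNC_RE.finditer(text)})
    hosts = {urlsplit(u).hostname for u in urls}
    hosts |= {m.group("host").lower() for m in UNC_RE.finditer(text)}
    return {"urls": urls, "unc_paths": unc, "hosts": sorted(h for h in hosts if h)}


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_RTF).items():
        print(kind, values)
```

Decoding before matching is the point: a regex run over the raw RTF would miss both the hex-escaped "http" and the path whose backslashes are doubled, which is exactly how such references end up looking malformed in a casual grep.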
Trellix identifies broader sector targeting and additional implants
Subsequent reporting expanded the victimology beyond government agencies to maritime, transport, military, and NATO-aligned organizations in countries including Poland, Ukraine, and Turkey. Trellix said the campaign used additional implants such as BEARDSHELL and NotDoor, with command-and-control traffic routed through Filen cloud storage.
CISA adds CVE-2026-21509 to the Known Exploited Vulnerabilities catalog
Following confirmation of in-the-wild exploitation, CISA added CVE-2026-21509 to its Known Exploited Vulnerabilities list. The move underscored the urgency for organizations to patch affected Microsoft Office installations.
CERT-UA publishes exploit-chain details and defensive guidance
On 2026-02-02, CERT-UA described the attack chain using WebDAV retrieval, a malicious shortcut, EhStoreShell.dll, shellcode hidden in SplashScreen.png, COM hijacking, and a scheduled task named OneDriveHealth. It warned attacks were likely to increase due to slow patching and advised blocking indicators and Filen-related traffic where appropriate.
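A defender-side illustration of the staging and persistence artifacts CERT-UA lists, added here as an example that is not CERT-UA's or Mallory's code: a handful of detection predicates plus one cross-event correlation, run over constructed Sysmon-like events. The event shape, the user and drop paths, the placeholder CLSID, the ".local means internal" heuristic and the choice of the HKCU InprocServer32 key as the COM hijack location are all assumptions of this example; the OneDriveHealth task name, EhStoreShell.dll and SplashScreen.png come from the advisory summary.

```python
import re

# Constructed Sysmon-like telemetry (not real logs). Username, paths, hosts and the
# CLSID are placeholders; the artifact names are those from the CERT-UA summary.
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
DROP_DIR = r"C:\Users\PLACEHOLDER\AppData\Roaming\Microsoft"
EVENTS = [
    {"id": 1, "type": "network", "image": OFFICE_DIR + r"\WINWORD.EXE",
     "dest_host": "webdav.example.invalid", "dest_port": 80},
    {"id": 2, "type": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Users\PLACEHOLDER\AppData\Local\Temp\stage.lnk"},
    {"id": 3, "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": DROP_DIR + r"\EhStoreShell.dll"},
    {"id": 4, "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": DROP_DIR + r"\SplashScreen.png"},
    {"id": 5, "type": "registry_set", "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-PLACEHOLDER0}\InprocServer32",
     "value": DROP_DIR + r"\EhStoreShell.dll"},
    {"id": 6, "type": "task_create", "image": r"C:\Windows\System32\schtasks.exe",
     "task_name": r"\OneDriveHealth"},
    # Benign noise that must not fire: a system-directory load and an SMB share access.
    {"id": 7, "type": "image_load", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Windows\System32\EhStoreShell.dll"},
    {"id": 8, "type": "network", "image": OFFICE_DIR + r"\WINWORD.EXE",
     "dest_host": "fileserver.corp.local", "dest_port": 445},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
HKCU_INPROC = re.compile(r"^hkcu\\software\\classes\\clsid\\\{[^}]+\}\\inprocserver32$")


def _base(p: str) -> str:
    return p.rsplit("\\", 1)[-1].lower()


def _dir(p: str) -> str:
    return p.rsplit("\\", 1)[0].lower()


def office_external_web_connection(e) -> bool:
    # Document-triggered WebDAV retrieval: an Office process reaching an external host
    # on a web port. Assumption: any host not under .local is treated as external.
    return (e.get("type") == "network" and _base(e.get("image", "")) in OFFICE_IMAGES
            and e.get("dest_port") in (80, 443)
            and not e.get("dest_host", "").lower().endswith(".local"))


def ehstoreshell_outside_system_dir(e) -> bool:
    # The masquerading DLL name written or loaded from anywhere but a system directory.
    return (e.get("type") in ("file_create", "image_load")
            and _base(e.get("path", "")) == "ehstoreshell.dll"
            and not e["path"].lower().startswith(SYSTEM_DIRS))


def com_hijack_hkcu_inprocserver32(e) -> bool:
    # COM hijacking via a per-user CLSID override pointing at a user-writable DLL.
    # Assumption: the hijack uses the HKCU InprocServer32 key (the classic location).
    return (e.get("type") == "registry_set"
            and HKCU_INPROC.search(e.get("key", "").lower()) is not None
            and any(s in e.get("value", "").lower() for s in USER_WRITABLE))


def scheduled_task_onedrivehealth(e) -> bool:
    return e.get("type") == "task_create" and _base(e.get("task_name", "")) == "onedrivehealth"


RULES = [office_external_web_connection, ehstoreshell_outside_system_dir,
         com_hijack_hkcu_inprocserver32, scheduled_task_onedrivehealth]


def splashscreen_png_beside_dll(events) -> list:
    # Cross-event correlation: the decoy image that carries the shellcode dropped in
    # the same directory where EhStoreShell.dll was written.
    dll_dirs = {_dir(e["path"]) for e in events
                if e.get("type") == "file_create" and _base(e["path"]) == "ehstoreshell.dll"}
    return [e["id"] for e in events
            if e.get("type") == "file_create" and _base(e["path"]) == "splashscreen.png"
            and _dir(e["path"]) in dll_dirs]


def run_detections(events) -> dict:
    """Map each rule name to the sorted ids of the events it fired on."""
    hits = {r.__name__: sorted(e["id"] for e in events if r(e)) for r in RULES}
    hits["splashscreen_png_beside_dll"] = sorted(splashscreen_png_beside_dll(events))
    return hits


if __name__ == "__main__":
    for name, ids in run_detections(EVENTS).items():
        print(f"{name}: {ids or 'no hits'}")
```

Each predicate maps to one Sigma-style rule; the PNG correlation is the part a single-event rule cannot express, and it is also the one that survives a renamed DLL as long as the decoy name stays fixed.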
CERT-UA attributes Ukrainian and EU targeting to UAC-0001/APT28
CERT-UA publicly linked the exploitation of CVE-2026-21509 against Ukrainian government agencies and EU organizations to UAC-0001, also known as APT28 or Fancy Bear. The attribution connected the activity to Russia's GRU-linked espionage operations.
Researchers document dual malware chains: MiniDoor and PixyNetLoader
Technical analysis revealed two main post-exploitation paths in the campaign: one deploying the Outlook-focused MiniDoor implant for email theft and forwarding, and another using PixyNetLoader to stage follow-on payloads. Reports also linked related tooling including NotDoor, BEARDSHELL, and Covenant Grunt to the activity.
Operation Neusploit targets Central and Eastern Europe
Zscaler ThreatLabz reported a broader APT28 espionage campaign, dubbed Operation Neusploit, targeting organizations in Ukraine, Slovakia, Romania, and other Central and Eastern European countries. The campaign used localized RTF or Word phishing lures to exploit CVE-2026-21509.
CERT-UA observes phishing campaign targeting Ukrainian government entities
CERT-UA identified malicious Office lures themed around EU COREPER consultations on Ukraine and fake bulletins from the Ukrainian hydrometeorological center. The emails were sent to more than 60 addresses, mostly tied to Ukrainian state authorities and government-related organizations.
APT28 begins exploiting CVE-2026-21509 within days of disclosure
Researchers reported that Russia-linked APT28 rapidly weaponized CVE-2026-21509 within 24 to 72 hours of Microsoft's patch and disclosure. Early exploitation was observed around 2026-01-28 to 2026-01-29, showing the group quickly adapted the flaw for phishing-based intrusion campaigns.
Trellix reports a 72-hour spearphishing wave across nine countries
Trellix disclosed a concentrated 72-hour APT28 spearphishing operation beginning on 2026-01-28 that used at least 29 lures sent from compromised government email accounts. The campaign targeted diplomatic, defense, maritime, transport, and logistics organizations in nine countries, primarily in Eastern Europe.
Microsoft discloses and patches CVE-2026-21509 as an exploited Office zero-day
On 2026-01-26, Microsoft released an out-of-band security update for CVE-2026-21509, a Microsoft Office security feature bypass affecting multiple Office versions. Microsoft warned that the flaw was already being actively exploited in the wild.
Trend Micro links APT28 PRISMEX campaign to Ukraine and allied targets
Trend Micro uncovered an APT28 spear-phishing campaign active since September 2025 targeting Ukraine’s defense supply chain, aid infrastructure, and government entities in Central and Eastern Europe. The operation used military- and aid-themed RTF lures exploiting CVE-2026-21509 and CVE-2026-21513 and deployed the PRISMEX toolkit, including a dropper, loader, and Covenant-based implant using cloud services such as Filen.io for encrypted command-and-control.
Sources
19 references tracked.
APT28 deploys PRISMEX malware in espionage campaign against Ukraine and allies | brief | SC Media (scworld.com)
Fancy Bear Hackers Exploiting Microsoft Zero-Day Vulnerability to Deploy Backdoors and Email Stealers (cybersecuritynews.com)
APT28 Weaponizes Office Flaw to Spy on NATO & Military (securityonline.info)
Quick Howto: Extract URLs from RTF files - SANS ISC (isc.sans.edu)
Russian hackers exploit recently patched Microsoft Office bug in attacks (bleepingcomputer.com)
Russia-linked attackers abuse new Microsoft Office zero-day | The Register (go.theregister.com)
Hackers Exploiting Microsoft Office 0-day Vulnerability to Deploy Malware (cybersecuritynews.com)
CERT-UA (cert.gov.ua)