Mallory

APT28 Exploits Microsoft Office RTF Zero-Day (CVE-2026-21509) in Operation Neusploit

Tags: exploit, zero-day, weaponized documents, APT28, Microsoft Office, emergency patch, RTF, vulnerability, Microsoft Outlook, XOR decryption, DLL, email theft, VBA, social engineering, phishing

Updated February 3, 2026 at 07:03 PM (2 sources)


APT28 (Russia-linked) has been observed exploiting a Microsoft Office RTF zero-day, CVE-2026-21509, in a campaign dubbed Operation Neusploit targeting organizations in Central and Eastern Europe (including Ukraine, Slovakia, and Romania). The intrusion chain begins with socially engineered emails delivering weaponized RTF documents; opening the file triggers code execution and downloads a malicious dropper DLL from attacker-controlled infrastructure, enabling follow-on payload deployment and persistence.

Technical analysis describes two dropper variants that deploy different components, including MiniDoor, a malicious Microsoft Outlook VBA project designed to steal and forward emails. Observed behaviors include writing the VBA payload to %appdata%\Microsoft\Outlook\VbaProject.OTM, creating a mutex (adjgfenkbe), and modifying Windows Registry settings to weaken Outlook security so the malicious project loads automatically at Outlook startup; string decryption uses XOR routines (including a hardcoded 0x3a key and a rolling XOR key). Reporting attributes the activity to APT28 based on TTP overlaps and notes exploitation was seen in the wild shortly after Microsoft issued an emergency fix.
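The host artifacts listed above (the VbaProject.OTM path, the Outlook security registry changes, and the adjgfenkbe mutex) can be triaged on a suspect Windows endpoint with the following script. It is an added example, not code from the report or from either vendor; it assumes that the registry settings the report refers to are the LoadMacroProviderOnBoot and Level values under each Office version's Outlook\Security key, and it treats any finding as a lead for further investigation rather than proof of compromise.

```powershell
# Added triage script (not from the original report). Looks for the MiniDoor
# persistence artifacts named in the report: VbaProject.OTM on disk, Outlook
# security settings that allow a VBA project to auto-load, and the mutex.
# Assumption: LoadMacroProviderOnBoot / Level under Outlook\Security are the
# settings the report describes; value semantics are Outlook's documented ones.
$findings = @()

# 1. Outlook VBA project file at the path named in the report
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $item = Get-Item $otm
    $hash = (Get-FileHash -Path $otm -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Check  = 'VbaProject.OTM present'
        Detail = "size=$($item.Length) mtime=$($item.LastWriteTime) sha256=$hash"
    }
}

# 2. Per-Office-version Outlook security keys (e.g. 16.0) in the user hive
Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
  ForEach-Object {
    $sec = Join-Path $_.PSPath 'Outlook\Security'
    if (Test-Path $sec) {
        $p = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        # 1 = load the VBA macro provider (and thus VbaProject.OTM) at startup
        if ($p.LoadMacroProviderOnBoot -eq 1) {
            $findings += [pscustomobject]@{ Check = 'LoadMacroProviderOnBoot=1'; Detail = $sec }
        }
        # Level 1 = "enable all macros" (no prompt) in Outlook's macro settings
        if ($p.Level -eq 1) {
            $findings += [pscustomobject]@{ Check = 'Macro security Level=1'; Detail = $sec }
        }
    }
  }

# 3. Mutex named in the report; OpenExisting throws if no process holds it.
foreach ($name in @('adjgfenkbe', 'Global\adjgfenkbe')) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += [pscustomobject]@{ Check = 'Mutex present'; Detail = $name }
    } catch [System.Threading.WaitHandleCannotBeAcquiredException] {
        # not present in this session; nothing to report
    }
}

if ($findings.Count -eq 0) { 'No MiniDoor persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in the context of the user whose Outlook profile is suspect, since both the OTM path and the registry keys live in that user's profile and hive; an OTM file alone is normal for users who have their own Outlook macros, so pair the result with the hash and modification time.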

Sources

Published February 2, 2026 at 12:00 AM

Related Stories

Fancy Bear Exploits Microsoft RTF Zero-Day CVE-2026-21509 in Operation Neusploit

**Fancy Bear (APT28)** has been attributed with high confidence to *Operation Neusploit*, a campaign targeting users in Central and Eastern Europe by weaponizing **CVE-2026-21509**, a **Microsoft RTF** parsing zero-day that enables arbitrary code execution via specially crafted RTF documents. Reported lures were written in multiple languages (including English, Romanian, Slovak, and Ukrainian) and targeted victims in **Ukraine, Slovakia, and Romania**. Microsoft issued an **out-of-band patch** for CVE-2026-21509 on **January 26, 2026**, with in-the-wild exploitation observed shortly after. Post-exploitation activity was described as a multi-stage chain that retrieves a malicious dropper DLL from attacker infrastructure and then deploys different payload paths, including **MiniDoor** (focused on Outlook email theft/exfiltration) and **PixyNetLoader**, which ultimately leads to a **Covenant Grunt** implant for command-and-control. The campaign also uses **evasion and targeting controls**, including region-restricted payload delivery (e.g., only serving malicious DLLs to requests from targeted geographies and specific `User-Agent` patterns) and persistence techniques such as **COM hijacking**, plus additional tradecraft like **steganography in PNG files** and shellcode loading to execute the final implant.

1 month ago

APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets

Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.

1 month ago

APT28 Exploitation of MSHTML Zero-Day CVE-2026-21513 via Malicious HTML/LNK Files

Akamai reported that **Russia-linked APT28** likely exploited **CVE-2026-21513** (CVSS **8.8**), a high-severity **MSHTML** security feature bypass, prior to Microsoft’s fix in the **February 2026 Patch Tuesday** release. Microsoft confirmed the vulnerability was exploited as a **zero-day** in real-world attacks and credited **MSTIC**, **MSRC**, the **Office Product Group Security Team**, and **Google Threat Intelligence Group (GTIG)** for reporting it. The issue is described as an Internet Explorer/MSHTML security control bypass that can be triggered when a victim opens a **malicious HTML page** or **LNK (shortcut) file**, potentially enabling code execution by causing content to be handled by Windows shell mechanisms. Technical analysis from Akamai tied the root cause to hyperlink navigation logic in `ieframe.dll`, where insufficient URL validation can allow attacker-controlled input to reach `ShellExecuteExW`, enabling execution outside the browser sandbox. Akamai identified an exploit-related artifact (described as `document.doc.LnK.download`) uploaded to VirusTotal on **January 30, 2026**, and associated it with infrastructure linked to **APT28**; reporting also noted the sample had been flagged by **CERT-UA** in the context of APT28 activity. Overall, the reporting indicates active pre-patch exploitation and reinforces the need to prioritize patching and to monitor for delivery vectors involving HTML and LNK attachments/links consistent with APT28 tradecraft.

1 week ago