Fancy Bear Exploits Microsoft RTF Zero-Day CVE-2026-21509 in Operation Neusploit
Fancy Bear (APT28) has been attributed with high confidence to Operation Neusploit, a campaign targeting users in Central and Eastern Europe by weaponizing CVE-2026-21509, a Microsoft RTF parsing zero-day that enables arbitrary code execution via specially crafted RTF documents. Reported lures were written in multiple languages (including English, Romanian, Slovak, and Ukrainian) and targeted victims in Ukraine, Slovakia, and Romania. Microsoft issued an out-of-band patch for CVE-2026-21509 on January 26, 2026, with in-the-wild exploitation observed shortly after.
Post-exploitation activity was described as a multi-stage chain that retrieves a malicious dropper DLL from attacker infrastructure and then deploys different payload paths, including MiniDoor (focused on Outlook email theft/exfiltration) and PixyNetLoader, which ultimately leads to a Covenant Grunt implant for command-and-control. The campaign also uses evasion and targeting controls, including region-restricted payload delivery (e.g., only serving malicious DLLs to requests from targeted geographies and specific User-Agent patterns) and persistence techniques such as COM hijacking, plus additional tradecraft like steganography in PNG files and shellcode loading to execute the final implant.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers document two Neusploit infection chains
Analysis of Operation Neusploit identified two distinct post-exploitation paths: one deploying MiniDoor to exfiltrate Outlook email via a malicious VBA project, and another deploying PixyNetLoader. The latter used COM hijacking, DLL proxying, PNG steganography, and shellcode loading to execute a Covenant Grunt implant communicating over the Filen API.
Operation Neusploit targets Central and Eastern Europe
Operation Neusploit used spear-phishing lures in English, Romanian, Slovak, and Ukrainian to target users, especially in Ukraine, Slovakia, and Romania. After exploitation, victims received tailored payloads through actor-controlled infrastructure using geo- and user-agent filtering.
In-the-wild exploitation of CVE-2026-21509 is observed
By January 29, 2026, active exploitation of CVE-2026-21509 had been observed in the wild. The campaigns were attributed with high confidence to Fancy Bear/APT28 and targeted users in Central and Eastern Europe.
FBI seizes RAMP cybercrime forum domains
In late January 2026, the FBI seized the Russian-language cybercrime forum RAMP. Authorities took over both its clearnet and Tor domains and replaced them with seizure notices.
Microsoft releases out-of-band patch for CVE-2026-21509
Microsoft issued an out-of-band patch for the zero-day CVE-2026-21509 on January 26, 2026. The flaw was being weaponized in malicious Microsoft RTF files to enable arbitrary code execution.
KTA529 allegedly hijacks Notepad++ update infrastructure
According to the SecuritySenses briefing, actor KTA529 compromised Notepad++ hosting infrastructure from June through December 2025 and used the access to hijack update traffic. The activity allegedly delivered a previously undocumented backdoor named CHRYSALIS.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
APT28 Exploits Microsoft Office RTF Zero-Day (CVE-2026-21509) in Operation Neusploit
**APT28** (Russia-linked) has been observed exploiting a **Microsoft Office RTF zero-day, `CVE-2026-21509`**, in a campaign dubbed **Operation Neusploit** targeting organizations in **Central and Eastern Europe** (including **Ukraine, Slovakia, and Romania**). The intrusion chain begins with **socially engineered emails** delivering **weaponized RTF documents**; opening the file triggers code execution and downloads a malicious **dropper DLL** from attacker-controlled infrastructure, enabling follow-on payload deployment and persistence. Technical analysis describes **two dropper variants** that deploy different components, including **MiniDoor**, a malicious **Microsoft Outlook VBA** project designed to **steal and forward emails**. Observed behaviors include writing the VBA payload to `%appdata%\Microsoft\Outlook\VbaProject.OTM`, creating a mutex (`adjgfenkbe`), and modifying Windows Registry settings to **weaken Outlook security** so the malicious project loads automatically at Outlook startup; string decryption uses XOR routines (including a hardcoded `0x3a` key and a rolling XOR key). Reporting attributes the activity to APT28 based on TTP overlaps and notes exploitation was seen **in the wild** shortly after Microsoft issued an emergency fix.
Mar 21, 2026
APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets
Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.
Apr 29, 2026
Stealthy Malware Campaigns Abuse Windows and Office Features for Initial Access and Evasion
Multiple early-2026 campaigns highlight increasingly **low-noise initial access** and **living-off-the-land** execution on Windows endpoints. CyStack reported activity attributed to **APT-Q-27 (GoldenEyeDog)** targeting financial institutions via a corporate support workflow: a user clicked a malicious link delivered through a **Zendesk ticket**, leading to download of an executable masquerading as an image/`.pif` file (aided by Windows’ hidden-extension defaults). The malware was signed with a **revoked certificate** that still appeared trusted due to a valid timestamp, and its modular backdoor/C2 infrastructure overlapped with prior APT-Q-27 activity, enabling stealthy persistence and control without triggering common endpoint alerts. Separately, Securonix described the **Dead#Vax** multistage campaign using phishing links to **VHD files hosted on IPFS**, where mounting/opening the VHD triggers **Windows Script Files**, obfuscated batch, and **PowerShell** loaders to support encrypted data theft and conceal execution logic, culminating in **AsyncRAT** deployment for credential theft, surveillance, and follow-on intrusion. In another targeted operation, Zscaler ThreatLabz linked **Operation Neusploit** to **APT28**, exploiting **CVE-2026-21509** (Microsoft Office/365 **OLE** bypass) via crafted **RTF** documents to drop payloads including **MiniDoor** (Outlook-focused collection and mailbox manipulation, including exfiltration to attacker-controlled email accounts) and **PixyNetLoader** (reported to use steganography). A separate “ThreatsDay” bulletin is a multi-story roundup and does not provide additional, specific corroboration on these same campaigns beyond mentioning adjacent themes (e.g., AsyncRAT/C2) in a broader news digest.
Apr 10, 2026