APT28 Exploitation of MSHTML Zero-Day CVE-2026-21513 via Malicious HTML/LNK Files
Akamai reported that Russia-linked APT28 likely exploited CVE-2026-21513 (CVSS 8.8), a high-severity MSHTML security feature bypass, prior to Microsoft’s fix in the February 2026 Patch Tuesday release. Microsoft confirmed the vulnerability was exploited as a zero-day in real-world attacks and credited MSTIC, MSRC, the Office Product Group Security Team, and Google Threat Intelligence Group (GTIG) for reporting it. The issue is described as an Internet Explorer/MSHTML security control bypass that can be triggered when a victim opens a malicious HTML page or LNK (shortcut) file, potentially enabling code execution by causing content to be handled by Windows shell mechanisms.
Technical analysis from Akamai tied the root cause to hyperlink navigation logic in ieframe.dll, where insufficient URL validation can allow attacker-controlled input to reach ShellExecuteExW, enabling execution outside the browser sandbox. Akamai identified an exploit-related artifact (described as document.doc.LnK.download) uploaded to VirusTotal on January 30, 2026, and associated it with infrastructure linked to APT28; reporting also noted the sample had been flagged by CERT-UA in the context of APT28 activity. Overall, the reporting indicates active pre-patch exploitation and reinforces the need to prioritize patching and to monitor for delivery vectors involving HTML and LNK attachments/links consistent with APT28 tradecraft.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Akamai links MSHTML zero-day exploitation to APT28
Akamai reported that Russia-linked APT28 likely exploited CVE-2026-21513 before Microsoft's patch, based on analysis of the January sample and related infrastructure. The researchers also disclosed technical details showing insufficient URL validation in ieframe.dll could bypass Mark-of-the-Web and Internet Explorer Enhanced Security Configuration, allowing execution outside the browser sandbox.
Microsoft patches CVE-2026-21513 in February Patch Tuesday
Microsoft fixed CVE-2026-21513, a high-severity MSHTML security feature bypass flaw, in its February 2026 Patch Tuesday updates. The company said the vulnerability had been exploited as a zero-day in real-world attacks and credited MSTIC, MSRC, the Office security team, and Google GTIG for reporting it.
Exploit sample for CVE-2026-21513 uploaded to VirusTotal
A malicious sample later tied to exploitation of CVE-2026-21513 was uploaded to VirusTotal on 2026-01-30. Akamai linked the artifact, including communication with wellnesscaremed[.]com, to infrastructure associated with APT28.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Oracle EBS breach hits Madison Square Garden | brief | SC Media
scworld.com
Open sourceAPT28 attacks involving MSHTML zero-day precede fixes | brief | SC Media
scworld.com
Open sourceRussia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch
securityaffairs.com
Open sourceAPT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploitation of MSHTML Security Feature Bypass Patched in Microsoft February Update
Microsoft’s February 2026 security update addressed **59 vulnerabilities** across Windows, Azure, Microsoft Office, and Visual Studio Code, including **5 Critical** issues. NSFOCUS reported that **six vulnerabilities were already being exploited in the wild**, including **MSHTML Framework Security Feature Bypass (CVE-2026-21513)**, **Windows Shell Security Feature Bypass (CVE-2026-21510)**, **Microsoft Word Security Feature Bypass (CVE-2026-21514)**, **Desktop Window Manager EoP (CVE-2026-21519)**, **Windows Remote Access Connection Manager DoS (CVE-2026-21525)**, and **Windows Remote Desktop Service EoP (CVE-2026-21533)**. Akamai attributed active exploitation of **CVE-2026-21513** to **APT28**, reporting the flaw affects all supported Windows versions and enables a **security feature bypass leading to arbitrary file execution** (CVSS **8.8**). Akamai’s root-cause analysis placed the issue in `ieframe.dll`, in the `_AttemptShellExecuteForHlinkNavigate` hyperlink-navigation path, where insufficient URL validation can allow attacker-controlled input to reach code paths invoking `ShellExecuteExW`, enabling execution outside the intended browser security context. Akamai also linked a malicious sample (reported as `document.doc.LnK.download`) to APT28-associated infrastructure and described use of a crafted **`.lnk`** that embeds an HTML file and contacts **`wellnesscaremed[.]com`** as part of the exploitation chain prior to Microsoft’s February patch release.
Mar 22, 2026
Actively Exploited Microsoft MSHTML Framework Zero-Day (CVE-2026-21513)
Microsoft issued an urgent fix for an actively exploited **MSHTML (Trident) security feature bypass** tracked as **CVE-2026-21513** (CVSS **8.8**), which allows attackers to circumvent Windows security prompts and protections without requiring elevated privileges. Reported exploitation relies on **social engineering** to get a user to open specially crafted content—such as malicious HTML or shortcut (`.lnk`) files—delivered via email attachments, links, or downloads; the weakness is described as a **protection mechanism failure** (CWE-693) in how Windows Shell and MSHTML handle embedded content and validation. CISA added **CVE-2026-21513** to the **Known Exploited Vulnerabilities (KEV)** catalog with required action to apply vendor mitigations/patches per Microsoft guidance and a remediation due date of **2026-03-03**, reinforcing that exploitation is occurring and prioritization is warranted. Separate reporting also described other Microsoft zero-days patched in the same timeframe—**Microsoft Word OLE mitigation bypass** (**CVE-2026-21514**) and a **Windows Desktop Window Manager (dwm.exe) privilege escalation** (**CVE-2026-21519**)—but those are distinct vulnerabilities and not part of the MSHTML-specific KEV entry.
Mar 21, 2026
APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets
Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.
Apr 29, 2026