APT28 Exploits Microsoft Office CVE-2026-21509: Targeted Espionage Malware Attacks in Eastern Europe
Feb 4

Executive Summary
CVE-2026-21509 is a critical security feature bypass vulnerability affecting Microsoft Office (CVSS 7.8), which has been weaponized in a sophisticated espionage campaign by the Russian state-sponsored group APT28 (also known as Fancy Bear or UAC-0001). The campaign, tracked as Operation Neusploit, leverages malicious RTF and Word documents to deliver advanced malware payloads, including the MiniDoor email stealer and the Covenant Grunt command-and-control implant. The attacks have been observed targeting government and executive entities in Ukraine, Slovakia, and Romania, with a focus on intelligence collection and persistent access. The exploitation chain demonstrates advanced tradecraft, including security feature bypass, steganography, COM hijacking, and region-specific payload delivery, underscoring the urgent need for immediate patching and enhanced detection measures.
Threat Actor Profile
APT28 is a highly resourced, Russian state-sponsored threat group with a long history of cyber-espionage operations targeting government, military, and diplomatic organizations, primarily in Europe and North America. The group is known for its use of custom malware, spear-phishing, and exploitation of zero-day vulnerabilities. In this campaign, APT28 demonstrates a deep understanding of Microsoft Office internals and leverages multi-stage payloads to maximize stealth and persistence. The group’s operational infrastructure includes geo-fenced payload delivery, advanced anti-analysis techniques, and the use of legitimate cloud services for command and control. Attribution to APT28 is supported by malware code overlaps, infrastructure reuse, and targeting patterns consistent with previous campaigns such as Operation Phantom Net Voxel.
Technical Analysis of Malware/TTPs
The attack chain begins with spear-phishing emails containing malicious RTF or Word attachments, crafted in English, Romanian, Slovak, or Ukrainian to maximize social engineering effectiveness. Upon opening the document, CVE-2026-21509 is exploited to bypass Microsoft Office security features, enabling the execution of embedded code without user consent. The document initiates a WebDAV connection to an attacker-controlled server, from which a shortcut file is downloaded and executed, launching the next stage of the attack.
The primary payloads observed are the MiniDoor and PixyNetLoader droppers. MiniDoor is a C++ DLL designed to harvest emails from the victim’s Inbox, Junk, and Drafts folders, exfiltrating the data to attacker-controlled email addresses such as ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. MiniDoor is a streamlined variant of the previously documented NotDoor (GONEPOSTAL) malware, optimized for stealth and rapid data exfiltration.
PixyNetLoader is a sophisticated dropper that deploys a shellcode loader (EhStoreShell.dll) and a PNG image (SplashScreen.png) containing shellcode hidden via steganography. The loader is engineered to activate only when executed by explorer.exe and not within an analysis environment, thwarting automated sandbox detection. The shellcode ultimately loads a .NET-based Covenant Grunt implant, providing the attackers with robust command-and-control capabilities via HTTPS.
Persistence is achieved through COM object hijacking, allowing the malware to survive reboots and evade standard removal techniques. Defense evasion is further enhanced by server-side payload filtering, XOR string encryption, DLL proxying, and the use of steganography to conceal malicious code within seemingly benign image files. The attackers also employ region-specific payload delivery, serving malicious DLLs only to requests originating from targeted geolocations with specific User-Agent headers.
Exploitation in the Wild
The exploitation of CVE-2026-21509 was first observed on January 29, 2026, mere days after the public disclosure and patch release by Microsoft. The campaign rapidly targeted over 60 email addresses belonging to central executive authorities in Ukraine, as well as government entities in Slovakia and Romania. The attackers demonstrated a high degree of operational agility, leveraging the vulnerability to gain initial access and deploy multi-stage malware before widespread detection signatures could be developed. The use of regionally tailored lures and rapid exploitation post-disclosure highlights the group’s capability to operationalize zero-day vulnerabilities at scale.
Victimology and Targeting
The primary targets of this campaign are government and executive authorities in Ukraine, Slovakia, and Romania, with a particular emphasis on entities involved in national security, foreign affairs, and executive decision-making. The attackers employ highly localized spear-phishing lures, increasing the likelihood of successful compromise. The targeting aligns with APT28’s historical focus on Eastern European geopolitical interests and intelligence collection. The campaign’s victimology suggests a strategic intent to gather sensitive communications, policy documents, and internal deliberations from high-value government networks.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2026-21509. All organizations should apply the Microsoft Office security update released on January 26, 2026, across all supported versions, including Microsoft Office 2016, 2019, 2021, 2024, Microsoft 365 Apps for Enterprise, Microsoft 365 Apps for Business, Office LTSC 2021, and Office LTSC 2019. Security teams should monitor for indicators of compromise, including outbound WebDAV connections, suspicious DLL loads, and command-and-control traffic associated with the Covenant framework. User awareness training should be reinforced, emphasizing the risks of opening unsolicited RTF or Word attachments, particularly those in targeted languages. Network controls should be configured to block known malicious domains such as freefoodaid[.]com and wellnesscaremed[.]com, and to monitor for connections to suspicious infrastructure. Advanced endpoint detection and response (EDR) solutions should be deployed to detect COM hijacking, DLL proxying, and steganographic payloads. Incident response plans should be updated to include procedures for rapid containment and forensic analysis of compromised endpoints.
References
The following sources provide additional technical details and context for this advisory:
Zscaler ThreatLabz: Operation Neusploit
Security Affairs: Emergency Microsoft update fixes in-the-wild Office zero-day
SOC Prime: CVE-2026-21509
CERT-UA Advisory: CERT-UA Article 4321
MITRE ATT&CK: APT28
Covenant C2 Framework: GitHub
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to empower security teams with actionable insights and rapid response capabilities. We are committed to helping our clients stay ahead of emerging threats and maintain robust cyber resilience. For any questions or further information, please contact us at ops@rescana.com.