APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks
The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit.
Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three days after Microsoft publicly disclosed the existence of the bug.
The vulnerability in question is CVE-2026-21509 (CVSS score: 7.8), a security feature bypass in Microsoft Office that could allow an unauthorized attacker to send a specially crafted Office file and trigger it.
The Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, along with Google Threat Intelligence Group (GTIG), have been credited with discovering and reporting the flaw.
“Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries,” security researchers Sudeep Singh and Roy Tay said. “The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.”
The attack chains, in a nutshell, entail the exploitation of the security hole by means of a malicious RTF file to deliver two different versions of a dropper, one that’s designed to drop an Outlook email stealer called MiniDoor, and another, referred to as PixyNetLoader, that’s responsible for the deployment of a Covenant Grunt implant.
The first dropper acts as a pathway for serving MiniDoor, a C++-based DLL file that steals a user’s emails in various folders (Inbox, Junk, and Drafts) and forwards them to two hard-coded threat actor email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. MiniDoor is assessed to be a stripped-down version of NotDoor (aka GONEPOSTAL), which was documented by S2 Grupo LAB52 in September 2025.
In contrast, the second dropper, i.e., PixyNetLoader, is used to initiate a much more elaborate attack chain that involves delivering additional components embedded into it and setting up persistence on the host using COM object hijacking. Among the extracted payloads are a shellcode loader (“EhStoreShell.dll”) and a PNG image (“SplashScreen.png”).
The primary responsibility of the loader is to parse shellcode concealed using steganography within the image and execute it. That said, the loader only activates its malicious logic if the infected machine is not an analysis environment and when the host process that launched the DLL is “explorer.exe.” The malware stays dormant if the conditions are not met.
The extracted shellcode, ultimately, is used to load an embedded .NET assembly, which is nothing but a Grunt implant associated with the open source .NET COVENANT command-and-control (C2) framework. It’s worth noting that APT28’s use of the Grunt Stager was highlighted by Sekoia in September 2025 in connection with a campaign named Operation Phantom Net Voxel.
“The PixyNetLoader infection chain shares notable overlap with Operation Phantom Net Voxel,” Zscaler said. “Although the earlier campaign used a VBA macro, this activity replaces it with a DLL while retaining similar techniques, including (1) COM hijacking for execution, (2) DLL proxying, (3) XOR string encryption techniques, and (4) Covenant Grunt and its shellcode loader embedded in a PNG via steganography.”
The disclosure coincides with a report from the Computer Emergency Response Team of Ukraine (CERT-UA) that also warned of APT28’s abuse of CVE-2026-21509 using Word documents to target more than 60 email addresses associated with central executive authorities in the country. Metadata analysis reveals that one of the lure documents was created on January 27, 2026.
“During the investigation, it was found that opening the document using Microsoft Office leads to establishing a network connection to an external resource using the WebDAV protocol, followed by downloading a file with a shortcut file name containing program code designed to download and run an executable file,” CERT-UA said.
This, in turn, triggers an attack chain that’s identical to PixyNetLoader, resulting in the deployment of the COVENANT framework’s Grunt implant.
First Appeared on
Source link
