
Russia-linked APT28 rapidly weaponizes Microsoft Office flaw for espionage

Russia-linked APT28 exploited CVE-2026-21509 in weaponized Microsoft Office documents to steal emails and deploy stealthy loaders across Europe.

Dr. Elena Rodriguez, 3 min read
Source: www.stamus-networks.com

A Russia-linked espionage group is exploiting a newly disclosed Microsoft Office vulnerability to deliver modular malware that targets governments, diplomatic services, and transport and maritime organizations across Central and Eastern Europe.

Security vendors report that the group commonly known as APT28 or Fancy Bear used spear-phishing emails carrying weaponized RTF and Word documents that trigger code execution when opened, without requiring macros. Microsoft publicly disclosed and patched the flaw, tracked as CVE-2026-21509 with a 7.8 CVSS score, on Jan. 26, 2026. Vulnerability trackers circulating among defenders list an EPSS score of 2.91 percent for the flaw.

Vendors differ on precisely how fast the group began exploiting the flaw. Trellix researchers, quoted by Industrialcyber, said APT28 “moved quickly, weaponizing a newly disclosed Microsoft Office one-day vulnerability, CVE-2026-21509, within 24 hours of its public disclosure.” Zscaler ThreatLabz, which named the campaign Operation Neusploit, reported observing active exploitation on Jan. 29, three days after Microsoft’s patch. A lure document’s metadata reviewed by CERT-UA shows a creation date of Jan. 27, further complicating the timeline.

The exploit abuses trusted Office functionality. Trellix researchers Pham Duy Phuc and Alex Lanstein describe the attack vector succinctly: “APT28’s attack begins with spear-phishing emails containing weaponized documents that exploit CVE-2026-21509, a Microsoft Office security feature bypass vulnerability.” They added that “this vulnerability was addressed by an urgent, out-of-band security update. When victims open these malicious documents, the exploit triggers automatically without requiring macros or user interaction. The vulnerability allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure.”

Once initial access is gained, the operation shifts to low-noise, fileless techniques and multi-stage loaders. Vendors have observed a DLL-based loader, dubbed PixyNetLoader, which employs COM hijacking, DLL proxying, XOR string obfuscation and even steganographic shellcode hidden in PNG files. An Outlook-focused implant called MiniDoor has been tied to the campaign; SecurityAffairs, reporting on Zscaler’s analysis, warned that “MiniDoor’s primary goal is to steal the user’s emails and forward them to the threat actor.” Trellix also reported cloud-based command-and-control channels and an Outlook backdoor used to exfiltrate messages.

AI-generated illustration

Targets named in vendor write-ups include Ukraine, Slovakia, Romania and other European countries, plus EU institutions; Trellix’s summary lists additional hits in Poland, Slovenia, Turkey, Greece and the United Arab Emirates. CERT-UA reported that more than 60 email addresses tied to central executive authorities in Ukraine were targeted.

Security analysts say the campaign underlines the danger of rapid exploit adoption and the limits of conventional severity scores. “While a 7.8 CVSS score doesn't seem so bad on paper, APT28 has been able to chain a 7.8 rated exploit with social engineering and a near perfect delivery mechanism in Microsoft Office to create an extremely effective exploit,” said Andi Ursry, a threat intelligence analyst at Blackpoint Cyber, as quoted in reporting on the campaign.

Vendors are urging defenders to apply Microsoft’s out-of-band update immediately, restrict macro and script execution in Office, and monitor for abnormal post-exploitation behavior such as credential abuse, unexpected Outlook forwarding and in-memory backdoors. Security teams should also seek vendor-provided indicators of compromise and consult CERT advisories before publicly naming or sharing specific victim details.
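The delivery mechanism described above, an embedded OLE object that pulls external content over WebDAV rather than a macro, leaves a static trace inside the document, and that trace is what mail-gateway or sandbox triage can key on. The following Python script is an added example written for this article, not code from Trellix, Zscaler, CERT-UA or Microsoft, and it does not reproduce the CVE-2026-21509 trigger; it flags the generic indicator: OOXML relationship parts whose oleObject, attachedTemplate, frame or subDocument targets are External and point at http, file or UNC locations, and RTF `\objdata` blobs whose hex-decoded bytes contain a URL or UNC moniker. The sample documents, the `webdav.example.invalid` host and the `build_docx` helper are constructed for the demo.

```python
"""Triage Office documents for external OLE/link references (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship types that should not normally point outside the package; an
# External target here is how a macro-less document pulls remote content.
# Hyperlinks are excluded on purpose: an external target is normal for them.
SUSPICIOUS_REL_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}
REMOTE_TARGET = re.compile(r"^(?:https?://|file://|\\\\)", re.IGNORECASE)
# URL or UNC path as it appears inside decoded object data.
URL_OR_UNC = re.compile(r"(?:https?://|\\\\)[\x21-\x7e]+")
OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def scan_ooxml(data: bytes) -> list[str]:
    """Walk every .rels part of a .docx/.xlsx/.pptx and flag risky external targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter():
                if not rel.tag.endswith("Relationship"):
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rtype in SUSPICIOUS_REL_TYPES and REMOTE_TARGET.match(target):
                    findings.append(f"{name}: {rtype} -> {target}")
    return findings


def scan_rtf(data: bytes) -> list[str]:
    """Flag linked OLE objects and any URL/UNC hidden in hex-encoded \\objdata."""
    findings = []
    if b"\\object" not in data:
        return findings
    if b"\\objautlink" in data:
        findings.append("RTF contains a linked (auto-updating) OLE object")
    for m in OBJDATA.finditer(data):
        hexblob = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexblob.decode("ascii"))
        except ValueError:
            findings.append("malformed \\objdata hex (possible obfuscation)")
            continue
        # The moniker inside object data may be ASCII or UTF-16LE; check both views.
        for view in (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore")):
            for hit in URL_OR_UNC.findall(view):
                findings.append(f"objdata references {hit}")
    return sorted(set(findings))


def scan_document(data: bytes) -> list[str]:
    """Dispatch on magic bytes: RTF is plain text, OOXML is a zip container."""
    if data.lstrip().startswith(b"{\\rtf"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    return []


# ---- constructed samples (not real lure files) --------------------------------
_FAKE_OLE1_HEADER = b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00OLE2Link\x00"
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata "
    + (_FAKE_OLE1_HEADER + b"http://webdav.example.invalid/stage1.doc").hex().encode()
    + b"}}\\par}"
)
_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def build_docx(relationships: list[tuple[str, str, str]]) -> bytes:
    """Minimal in-memory .docx whose document.xml.rels holds the given
    (type, target, mode) triples. Constructed for the demo, not a full package."""
    rels = [f'<Relationships xmlns="{_RELS_NS}">']
    for i, (rtype, target, mode) in enumerate(relationships, 1):
        rels.append(f'<Relationship Id="rId{i}" Type="{_REL_TYPE}{rtype}" '
                    f'Target="{target}" TargetMode="{mode}"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


MALICIOUS_DOCX = build_docx([
    ("oleObject", "http://webdav.example.invalid/stage1.doc", "External"),
    ("hyperlink", "https://example.invalid/", "External"),
])
BENIGN_DOCX = build_docx([
    ("image", "media/image1.png", "Internal"),
    ("hyperlink", "https://example.invalid/", "External"),
])

if __name__ == "__main__":
    for label, doc in (("rtf", SAMPLE_RTF), ("docx", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, scan_document(doc))
```

Run it on a quarantined attachment by reading the file bytes and calling `scan_document`; an empty list means no external OLE/template reference was found, not that the file is safe, since the same relationship can be hidden in other parts (headers, footers, embedded packages) and RTF can split control words with whitespace or `\bin` data, so treat hits as a triage signal to feed into detonation, not a verdict.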
