Russian Hackers Exploit Patched Microsoft Office Vulnerability in Cyber Attacks
Russian state-sponsored hackers are exploiting CVE-2026-21509, a Microsoft Office vulnerability that Microsoft fixed with an emergency out-of-band update on January 26, 2026. The flaw was a zero-day: it was already being exploited when the update shipped, and exploitation did not stop once the patch became available.
Details of the Exploit
The Ukrainian Computer Emergency Response Team (CERT-UA) reported that exploitation of this vulnerability continued after Microsoft's update. Only three days after the alert, malicious documents themed around EU COREPER consultations in Ukraine were distributed under the guise of the Ukrainian Hydrometeorological Center and sent to more than 60 government-related email addresses.
Technical Breakdown of the Attack
According to CERT-UA, opening one of the malicious documents starts a WebDAV-based download chain that stages the following components on the victim host, with COM hijacking used to get the payload executed:
- A malicious DLL named EhStoreShell.dll
- Shellcode embedded in the image file SplashScreen.png
- A scheduled task called OneDriveHealth
The chain then terminates and restarts explorer.exe. On restart, explorer.exe picks up the hijacked COM registration and loads EhStoreShell.dll, which extracts and runs the shellcode hidden in SplashScreen.png; that shellcode deploys the COVENANT malware framework.
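As an added example, not part of the CERT-UA report or any vendor tooling, the following PowerShell script hunts a single Windows host for the artifacts named above. The indicator names (the OneDriveHealth task, EhStoreShell.dll, SplashScreen.png, filen.io) come from the report; the search roots, the assumption that the COM hijack lives under HKCU, and the set of directories treated as trusted for COM servers are choices of this script, not facts from the page.

```powershell
#Requires -Version 5.1
# Added hunt script (assumption-laden, see lead-in). Indicators from the CERT-UA
# report: scheduled task "OneDriveHealth", DLL "EhStoreShell.dll",
# image "SplashScreen.png", command-and-control via filen.io.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Scheduled task named in the report. Get-ScheduledTask searches every folder
#    of the task store, so the task path does not need to be known in advance.
$task = Get-ScheduledTask -TaskName 'OneDriveHealth' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Scheduled task OneDriveHealth present in $($task.TaskPath); action: $action")
}

# 2. File indicators. Search roots are an assumption; user-writable locations are
#    the natural home for a DLL loaded via a per-user COM hijack, because the
#    hijack itself only needs the user's own registry hive.
$roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) | Where-Object { $_ }
foreach ($name in 'EhStoreShell.dll', 'SplashScreen.png') {
    Get-ChildItem -Path $roots -Filter $name -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings.Add("File $($_.FullName) sha256=$hash")
        }
}

# 3. COM hijacking. A CLSID registered under HKCU\Software\Classes takes
#    precedence over the HKLM registration, so whatever process instantiates that
#    class (explorer.exe in this campaign) loads the attacker's InprocServer32 DLL.
#    Flag any per-user in-process server that lives outside the OS/Program Files
#    trees, and anything that references the reported DLL by name.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $server = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if ($null -eq $server) { return }
        $dll      = [string]$server.'(default)'
        $expanded = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
        $isTrusted = $trusted | Where-Object { $expanded.StartsWith($_, 'OrdinalIgnoreCase') }
        if ($dll -match 'EhStoreShell\.dll' -or -not $isTrusted) {
            $findings.Add("Per-user COM registration $($_.PSChildName) -> $dll")
        }
    }

# 4. WebDAV and C2 traces. The download chain rides the WebClient (WebDAV
#    redirector) service; a running WebClient on a workstation that has no business
#    using WebDAV is worth a look on its own. The DNS client cache gives a cheap,
#    if short-lived, record of whether filen.io was resolved recently.
$webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($webclient -and $webclient.Status -eq 'Running') {
    $findings.Add('WebClient (WebDAV redirector) service is running')
}
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*filen.io*' -or $_.Name -like '*filen.io*' } |
    ForEach-Object { $findings.Add("DNS cache entry for $($_.Entry) -> $($_.Data)") }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the CERT-UA report found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it as the user whose profile may have been hit (the COM hijack and the file search are per-user), then run it again from an elevated prompt so the task store and ProgramData are fully readable. The COM check is deliberately broad: a legitimate per-user COM server outside the trusted trees is uncommon on a managed workstation, and the false positives it produces are cheap to triage compared with a missed hijack.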
Threat Actor: APT28
These attacks have been attributed to APT28, also known as Fancy Bear or Sofacy, a group associated with Russia's General Staff Main Intelligence Directorate (GRU). A COVENANT loader has been linked to APT28 before, in earlier incidents that used similar exploitation tactics.
Beyond Ukraine, subsequent investigation found three more documents that APT28 used in campaigns against EU organizations. The domains supporting those attacks were registered on the same day the campaigns began, which leaves reputation-based domain blocking no time to catch up.
Recommendations for Organizations
Organizations are urged to apply the latest security updates to the following versions of Microsoft Office:
- Microsoft Office 2016
- Microsoft Office 2019
- Microsoft Office LTSC 2021
- Microsoft Office LTSC 2024
- Microsoft 365 Apps
For Office 2021 and newer versions, the update takes effect only after users restart their Office applications, so a deployed update is not protective until that restart has happened. If immediate patching is not feasible, apply Microsoft's registry-based mitigation for this CVE as an interim measure until the update can be installed.
Additional Defensive Measures
Microsoft also points to Office's Protected View as an additional layer. Files carrying the Mark of the Web (downloaded from the Internet or received as email attachments) open read-only in a sandboxed view, and their active content does not run unless the user clicks Enable Editing or the file has been explicitly marked as trusted. Protected View is therefore a speed bump rather than a fix: a user who believes the lure and enables editing removes it. Organizations are also encouraged to monitor for connections to Filen (filen.io), the cloud-storage platform used for command-and-control in this campaign; because it is a legitimate service, an outright block may need an exception process.
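As an added example, and not Microsoft's own guidance text, the following PowerShell script reports whether Protected View is still enabled for Internet-sourced files, Outlook attachments and unsafe locations in Word, Excel and PowerPoint, and can re-enable it in the user's preference hive. The registry value names (DisableInternetFilesInPV, DisableAttachementsInPV with Microsoft's own misspelling, DisableUnsafeLocationsInPV) are the documented Office settings; the assumption that a single 16.0 key covers every version listed above, and the decision to leave policy-hive settings alone because Group Policy would overwrite them, are choices of this script.

```powershell
#Requires -Version 5.1
# Added configuration check (see lead-in for assumptions). A value of 1 under the
# ProtectedView key disables that Protected View trigger; 0 or an absent value
# leaves it on. The Policies hive wins over the user hive when both are set.
param([switch]$Fix)

$apps   = 'Word', 'Excel', 'PowerPoint'
$values = 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV'

foreach ($app in $apps) {
    $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\ProtectedView"
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView"

    foreach ($v in $values) {
        $effective = 0          # absent value: Protected View trigger is on
        $source    = 'default'
        # Evaluate the user hive first and the policy hive last so policy wins.
        foreach ($key in $userKey, $policyKey) {
            $item = Get-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue
            if ($null -ne $item) { $effective = [int]$item.$v; $source = $key }
        }
        $state = if ($effective -eq 1) { 'DISABLED' } else { 'enabled' }
        '{0,-10} {1,-27} {2,-8} ({3})' -f $app, $v, $state, $source

        # Only fix settings that live in the user hive; a policy-hive setting is
        # managed by Group Policy and would simply be re-applied at next refresh.
        if ($Fix -and $effective -eq 1 -and $source -eq $userKey) {
            Set-ItemProperty -Path $userKey -Name $v -Value 0 -Type DWord
            "  -> re-enabled $v in $userKey"
        }
    }
}
```

Run it without -Fix in the context of the user being audited to get a report, and with -Fix to restore the defaults in that user's hive. A DISABLED entry whose source is the Policies key means someone turned Protected View off centrally; fix that in Group Policy rather than on the endpoint. Note that Protected View only engages for files that carry the Mark of the Web, so documents delivered over channels that strip it (some archive tools, some file-transfer paths) never see it, which is one more reason the patch, not this setting, is the control that matters.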
APT28 went from Microsoft's advisory to a live campaign in three days, so the practical defenses are the ones above, applied quickly: install the Office update, confirm that Office applications have actually restarted, keep Protected View enabled, and watch for the reported indicators and for traffic to filen.io.