Russia-Linked Hackers Exploit New Microsoft Office Zero-Day Flaw

Russia-linked cybercriminals are exploiting a newly discovered zero-day flaw in Microsoft Office, targeting both Ukrainian government agencies and organizations across the European Union. The National Cyber Defense team of Ukraine, known as CERT-UA, has issued a warning about the ongoing attacks tied to this security vulnerability.

Overview of the Zero-Day Flaw

The weakness, identified as CVE-2026-21509, allows attackers to bypass security features in Microsoft Office. Microsoft disclosed this vulnerability last week, along with alerts indicating that it was already being actively exploited in cyberattacks.

Exploitation Timeline

According to CERT-UA, the first malicious document leveraging this exploit surfaced shortly after Microsoft’s announcement. Titled “Consultation_Topics_Ukraine(Final).doc,” the document appeared on January 29, with its metadata indicating creation on January 27, just one day after Microsoft revealed the flaw.

  • Document Name: Consultation_Topics_Ukraine(Final).doc
  • Date Created: January 27
  • Public Appearance: January 29

Phishing Campaign Details

On the same day the malicious document was released, Ukrainian authorities were alerted to a phishing campaign masquerading as correspondence from the Ukrhydrometeorological Center. More than 60 individuals, primarily from central government bodies, received emails containing a harmful DOC attachment.

How the Attack Unfolds

Opening the malicious document initiates a WebDAV connection to an external server. Over that connection a shortcut file is downloaded, which paves the way for further malware deployment. The attackers then drop a Dynamic Link Library (DLL) disguised as a legitimate Windows component, with shellcode embedded in an innocuous-looking image file.

  • Malware Type: COVENANT post-exploitation framework
  • Attack Mechanism: COM hijacking and scheduled tasks

These techniques allow the attackers to establish persistence on the targeted systems, making it difficult for users to detect any anomalies.

Broader Implications

The malicious activity has not been limited to Ukraine. In late January, CERT-UA identified three additional harmful documents using the same exploit chain to target entities within EU member states. Notably, one domain serving the malicious payload was registered on the same day it was put to use, indicating rapid adaptation by the attackers.

Response and Recommendations

Microsoft has since released patches addressing this vulnerability, including updates for older Office versions. However, CERT-UA expressed skepticism regarding the timely application of these updates.

“Due to the inertia in the update process and the likelihood that users will not implement recommended protections, we expect an increase in cyberattacks exploiting this vulnerability,” CERT-UA cautioned.

Conclusion

With cyberattacks linked to this Office zero-day flaw on the rise, organizations are urged to monitor network traffic closely. Blocking Filen-related traffic wherever possible may help mitigate the threat.
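As an added defender-side illustration (not code from the article or from CERT-UA), the script below shows one way to act on the "monitor network traffic" advice for the chain described under "How the Attack Unfolds": it scans proxy log lines for outbound WebDAV activity, flagging WebDAV-specific request methods or the Windows WebDAV mini-redirector user agent going to hosts outside an approved list, and adds a second flag when a shortcut file is fetched over that connection. The log format, hostnames, IP addresses and the allow-list are all constructed assumptions; adapt the field names to your proxy or firewall export.

```python
"""Hunt for outbound WebDAV activity in proxy logs (added example, not from the article)."""
import json
from typing import Dict, Iterator, List

# Constructed sample proxy log, one JSON object per line. Hosts and IPs are invented.
SAMPLE_PROXY_LOG = """\
{"ts":"2026-01-29T09:14:02Z","src":"10.20.1.15","host":"intranet.example.local","method":"GET","path":"/news","ua":"Mozilla/5.0","status":200}
{"ts":"2026-01-29T09:14:40Z","src":"10.20.1.15","host":"webdav.example-storage.invalid","method":"PROPFIND","path":"/shared/","ua":"Microsoft-WebDAV-MiniRedir/10.0.19045","status":207}
{"ts":"2026-01-29T09:14:41Z","src":"10.20.1.15","host":"webdav.example-storage.invalid","method":"GET","path":"/shared/Topics.lnk","ua":"Microsoft-WebDAV-MiniRedir/10.0.19045","status":200}
{"ts":"2026-01-29T09:20:11Z","src":"10.20.1.22","host":"files.corp.example.local","method":"PROPFIND","path":"/docs/","ua":"Microsoft-WebDAV-MiniRedir/10.0.19045","status":207}
{"ts":"2026-01-29T09:31:05Z","src":"10.20.1.30","host":"update.example-vendor.invalid","method":"OPTIONS","path":"/","ua":"Microsoft-Delivery-Optimization/10.0","status":200}
"""

# Methods that only WebDAV clients issue. OPTIONS is deliberately excluded because
# plain HTTP clients use it too and it would generate false positives.
WEBDAV_ONLY_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}
# User-Agent prefix of the Windows WebDAV mini-redirector (WebClient service).
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"
# WebDAV endpoints the organisation knowingly uses (constructed allow-list).
ALLOWED_WEBDAV_HOSTS = {"files.corp.example.local"}


def iter_entries(log_text: str) -> Iterator[Dict]:
    """Yield parsed log records, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def is_webdav(entry: Dict) -> bool:
    """True if the request looks like WebDAV, by method or by client user agent."""
    return (entry["method"].upper() in WEBDAV_ONLY_METHODS
            or entry.get("ua", "").startswith(WEBDAV_UA_PREFIX))


def find_suspicious_webdav(log_text: str, allowed_hosts=ALLOWED_WEBDAV_HOSTS) -> List[Dict]:
    """Return WebDAV requests to hosts outside the allow-list, each with reason tags."""
    findings = []
    for entry in iter_entries(log_text):
        if not is_webdav(entry) or entry["host"].lower() in allowed_hosts:
            continue
        reasons = ["webdav_to_unapproved_host"]
        # A shortcut pulled over WebDAV matches the first stage described in the article.
        if entry.get("path", "").lower().endswith(".lnk"):
            reasons.append("shortcut_fetched_over_webdav")
        findings.append({
            "ts": entry["ts"], "src": entry["src"], "host": entry["host"],
            "method": entry["method"], "path": entry.get("path", ""), "reasons": reasons,
        })
    return findings


def hosts_by_source(findings: List[Dict]) -> Dict[str, List[str]]:
    """Group flagged external WebDAV hosts by internal source address for triage."""
    grouped: Dict[str, set] = {}
    for f in findings:
        grouped.setdefault(f["src"], set()).add(f["host"])
    return {src: sorted(hosts) for src, hosts in grouped.items()}


if __name__ == "__main__":
    hits = find_suspicious_webdav(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["host"]} {h["method"]} {h["path"]} [{", ".join(h["reasons"])}]')
    print("hosts by source:", hosts_by_source(hits))
```

Run against the embedded sample, the internal PROPFIND and the vendor OPTIONS request are ignored, while the two requests from 10.20.1.15 to the unapproved storage host are reported, the second one additionally tagged because it fetched a `.lnk` file. The same grouping output is a natural seed for a block rule on the flagged hosts.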