Tech

APT28 Targets with Espionage Malware Exploiting Microsoft Office Vulnerability CVE-2026-21509

Taylor KeatsmanTaylor Keatsman
APT28 Targets with Espionage Malware Exploiting Microsoft Office Vulnerability CVE-2026-21509

The state-sponsored hacking group APT28, also known as UAC-0001, has been linked to a new round of cyberattacks exploiting a vulnerability in Microsoft Office. This campaign, dubbed Operation Neusploit, surfaced shortly after Microsoft announced the flaw.

Microsoft Office Vulnerability CVE-2026-21509

On January 29, 2026, Zscaler ThreatLabz reported that APT28 began utilizing the CVE-2026-21509 vulnerability, which has a CVSS score of 7.8. This security flaw allows unauthorized attackers to use specially crafted Office files to exploit users.

Details of the Attack

The attacks primarily targeted users in Ukraine, Slovakia, and Romania, just three days after the vulnerability was publicly disclosed by Microsoft. The discovery was credited to several groups, including the Microsoft Threat Intelligence Center and Google Threat Intelligence Group.

  • Exploitation Method: Attackers used social engineering tactics to lure victims with messages crafted in English and local languages, including Romanian, Slovak, and Ukrainian.
  • Geographic Targeting: Malicious responses were only sent when user requests came from specific regions with the correct HTTP headers.

Malware Delivery Mechanism

The attack vectors include the use of a malicious Rich Text Format (RTF) file that deploys two types of droppers:

  • MiniDoor: This is an Outlook email stealer that sends stolen emails to two predefined addresses.
  • PixyNetLoader: This dropper initiates a more complex attack sequence, deploying a Grunt implant associated with the COVENANT command-and-control framework.

MiniDoor is believed to be a simplified variant of a previously documented malware, NotDoor. In contrast, PixyNetLoader employs tactics such as COM object hijacking to maintain persistence on the infected systems.

Additional Findings

In addition to the use of RTF files, the Computer Emergency Response Team of Ukraine (CERT-UA) reported that APT28 targeted over 60 email accounts linked to government authorities using Word documents. Metadata analysis revealed the lure document was created shortly before the attacks began, on January 27, 2026.

Opening the malicious document connected users to an external resource via the WebDAV protocol, enabling further exploitation through downloaded executables.

Overall, the attacks illustrate APT28’s advanced tactics, combining social engineering and sophisticated malware delivery techniques.

Related Posts

Switch 2’s NSO Offers Authentic Experience, Vital for Gaming History Lessons

Switch 2’s NSO Offers Authentic Experience, Vital for G...

Taylor Keatsman 3 Feb 2026

“‘Xbox Play Anywhere’ Boosts 2026’s Top Game Amid Others’ Exit”

“‘Xbox Play Anywhere’ Boosts 2026’s Top Game Amid Other...

Taylor Keatsman 3 Feb 2026

Optimize Code Vein II PC Graphics: Balance Performance and Visuals with Our Guide

Optimize Code Vein II PC Graphics: Balance Performance ...

Taylor Keatsman 3 Feb 2026

iPhone Fold to Revolutionize Battery Life and Innovate Button Design

iPhone Fold to Revolutionize Battery Life and Innovate ...

Taylor Keatsman 3 Feb 2026

Google’s Android for PC Launch Faces Potential Controversy and Challenges

Google’s Android for PC Launch Faces Potential Controve...

Taylor Keatsman 3 Feb 2026

Google Home Integrates Button Support at Last

Google Home Integrates Button Support at Last

Taylor Keatsman 3 Feb 2026