Russian Hackers Weaponize Microsoft Office Bug in Just 3 Days
Summary
Russia-linked APT28 (aka Fancy Bear) rapidly exploited a newly disclosed Microsoft Office vulnerability, CVE-2026-21509, to run targeted espionage campaigns across Central and Eastern Europe. Microsoft issued an out-of-cycle patch on 26 January; Zscaler says APT28 began active exploitation on 29 January in what it tracks as Operation Neusploit. The threat actor uses malicious RTF documents to trigger the flaw and deliver dropper DLLs that fetch further payloads.
Key Points
- CVE-2026-21509 is a Microsoft Office security feature bypass allowing arbitrary code execution via unsafe COM/OLE behaviour.
- APT28 weaponised the bug within three days of the patch, using crafted RTF files and multilingual phishing lures (English, Romanian, Slovak, Ukrainian).
- Attackers use server-side filtering, serving the malicious DLLs only to requests from targeted geographies that carry the expected client headers, to limit detection.
- Two dropper variants were observed: MiniDoor (VBA-based email stealer for Outlook) and PixyNetLoader (a more complex loader that can deploy a Covenant Grunt backdoor).
- Indicators of compromise include WebDAV downloads, shellcode hidden in PNGs, Filen.io used for C2, and nested payload chains.
- Mitigations: apply Microsoft’s emergency patch immediately, restart Office apps to activate server-side protections, consider blocking or monitoring Filen.io traffic, and apply Microsoft registry hardenings.
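A small log-triage check for two of the indicator types listed above, WebDAV fetches from external hosts and Filen.io traffic, written here as an added example (it is not Zscaler's or Microsoft's tooling); the proxy log format, the sample lines and the internal-domain suffixes are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy log lines (not taken from the report). Assumed format:
# "<client-ip> <method> <url> <user-agent>".
SAMPLE_LOG = """\
10.0.0.12 GET https://intranet.example.local/docs/report.docx Mozilla/5.0
10.0.0.12 PROPFIND http://203.0.113.7/share/ Microsoft-WebDAV-MiniRedir/10.0.19045
10.0.0.12 GET http://203.0.113.7/share/update.dll Microsoft-WebDAV-MiniRedir/10.0.19045
10.0.0.31 GET https://gateway.filen.io/v3/download Mozilla/5.0
10.0.0.44 GET https://www.example.com/index.html Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
WEBDAV_METHODS = {"PROPFIND", "OPTIONS", "MKCOL", "PROPPATCH"}
# Assumed internal DNS suffixes; WebDAV to these hosts is treated as normal.
INTERNAL_HOSTS = re.compile(r"\.(local|internal)$")

def host_of(url: str) -> str:
    """Extract the lowercase host name from a URL (scheme and port stripped)."""
    return re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0].lower()

def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious line, or None for benign/unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, url, ua = m.groups()
    host = host_of(url)
    if host == "filen.io" or host.endswith(".filen.io"):
        reason = "filen.io traffic (cloud service reported as C2 in this campaign)"
    elif method in WEBDAV_METHODS or ua.startswith("Microsoft-WebDAV-MiniRedir"):
        # The Windows WebDAV mini-redirector identifies itself by this user-agent.
        if INTERNAL_HOSTS.search(host):
            return None
        reason = "WebDAV client request to external host"
    else:
        return None
    return {"ip": ip, "host": host, "method": method, "reason": reason}

def find_suspicious(log: str) -> List[Dict[str, str]]:
    """Run classify() over every line and collect the findings in log order."""
    return [hit for hit in map(classify, log.splitlines()) if hit]
```

The three hits from the sample log are the PROPFIND and DLL fetch over WebDAV to the external address and the Filen.io request; tune the internal-host pattern and the log regex to your proxy's actual format before use.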
Content Summary
Zscaler researchers detail how Operation Neusploit leverages CVE-2026-21509 to start a multi-stage infection: an RTF lure triggers the COM/OLE behaviour, a dropper DLL (MiniDoor or PixyNetLoader) is delivered, and subsequent payloads either exfiltrate Outlook emails or install a Covenant Grunt backdoor. The campaign uses regionalised phishing and server-side checks to stay low-profile. While the exploit is non-trivial, the availability of proof-of-concept code raises the risk that other actors will follow quickly.
Context and Relevance
This is a classic example of how nation-state actors turn zero-days into operational attacks at speed. APT28 has long targeted governments, security firms and critical infrastructure; its ability to weaponise a Microsoft Office zero-day within days underlines the persistent risk for organisations that rely on legacy protocols and Office clients. The story ties into wider trends: rapid PoC sharing, increasing use of commodity frameworks (Covenant), and threat actors abusing legitimate cloud services for command-and-control.
Why should I read this
Short and blunt: if your organisation uses Office, this matters now. Fancy Bear didn’t wait — they hammered a zero-day into an email-stealing and backdoor-delivery campaign within 72 hours. Read this to know what to patch, what to watch for, and why restarting Office and blocking Filen.io might save you a painful incident response later.
