Cyber Web Spider Blog – News
Hackers Exploiting Microsoft Office 0-day Vulnerability to Deploy Malware

Posted on February 2, 2026 by CWS

The Russia-linked threat group UAC-0001, also known as APT28, has been actively exploiting a critical zero-day vulnerability in Microsoft Office.

The group is using this flaw to deploy sophisticated malware against Ukrainian government entities and European Union organizations.

The vulnerability, identified as CVE-2026-21509, was disclosed by Microsoft on January 26, 2026, with warnings about active exploitation in the wild.

Within 24 hours of Microsoft's public disclosure, threat actors had already weaponized the vulnerability.

Rapid Exploitation After Disclosure

On January 27, 2026, security researchers discovered a malicious DOC file titled "Consultation_Topics_Ukraine(Ultimate).doc" containing an exploit for CVE-2026-21509.

[Figure: attack chain (source: CERT-UA)]

The document was themed around consultations of the Committee of Permanent Representatives to the EU (COREPER) regarding Ukraine, demonstrating the attackers' use of geopolitically relevant social engineering tactics.

On January 29, 2026, the Computer Emergency Response Team of Ukraine (CERT-UA) detected a widespread phishing campaign distributing malicious documents purporting to be weather bulletins from the Ukrhydrometeorological Center.

The campaign targeted over 60 email addresses, primarily belonging to Ukrainian central government bodies.

Attack Chain and Technical Details

When victims open the weaponized document in Microsoft Office, the exploit establishes a network connection to the attacker's infrastructure via the WebDAV protocol.

[Figure: contents of the documents carrying the exploit (source: CERT-UA)]

The malware downloads a shortcut file containing executable code that deploys several malicious components, including "EhStoreShell.dll" and "SplashScreen.png", the latter carrying shellcode.

The attack leverages COM hijacking techniques by modifying Windows registry entries, and it creates a scheduled task named "OneDriveHealth" for persistence.

The final payload is COVENANT, a sophisticated post-exploitation framework that uses the legitimate Filen cloud storage service (filen.io) for command-and-control communications.

This approach helps evade detection by blending malicious traffic with legitimate cloud service activity. Additional malicious documents targeting EU countries were discovered in late January 2026.

In one case, attackers registered attack infrastructure domains on the same day as the attack, indicating rapid operational capabilities.

CERT-UA security experts warn that exploitation attempts are likely to increase due to slow patching cycles and users' inability to update Microsoft Office installations promptly.

Organizations should immediately implement Microsoft's recommended registry-based mitigations, monitor network connections to Filen cloud storage (filen.io) infrastructure, and block known indicators of compromise.

Users should exercise extreme caution when opening unsolicited Office documents, particularly those with geopolitical or administrative themes.
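The artifacts listed in the attack chain above (an Office process fetching over WebDAV, the EhStoreShell.dll / SplashScreen.png drops, the OneDriveHealth scheduled task, registry-based COM hijacking, and outbound traffic to filen.io) can be turned into a simple per-host correlation. The following is an added hunting example, not code from CERT-UA, Microsoft or this site; the telemetry field names, the constructed sample events and the placeholder CLSID are assumptions, and the HKCU InprocServer32 check covers only the most common COM-hijack location.

```python
import re
from collections import defaultdict

# Indicators named in the article; field names and match rules are assumptions.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DROPPED_FILES = {"ehstoreshell.dll", "splashscreen.png"}
TASK_NAME = "onedrivehealth"
C2_DOMAIN = re.compile(r"(^|\.)filen\.io$", re.IGNORECASE)
WEBDAV_UA = "microsoft-webdav-miniredir"  # user agent of the Windows WebClient service
COM_HIJACK_KEY = re.compile(r"hkcu\\software\\classes\\clsid\\\{[^}]+\}\\inprocserver32", re.IGNORECASE)

def classify(ev):
    """Map one telemetry event to the stage of the chain it matches, or None."""
    kind = ev.get("type")
    proc = ev.get("process", "").lower()
    if kind == "network":
        if proc in OFFICE_PROCS and ev.get("user_agent", "").lower().startswith(WEBDAV_UA):
            return "office_webdav_fetch"      # Office reaching out via WebDAV
        if C2_DOMAIN.search(ev.get("dest", "")):
            return "filen_c2"                 # COVENANT C2 over Filen cloud storage
    elif kind == "file_create":
        if ev.get("path", "").rsplit("\\", 1)[-1].lower() in DROPPED_FILES:
            return "payload_drop"
    elif kind == "task_create":
        if ev.get("task", "").strip("\\").lower() == TASK_NAME:
            return "onedrivehealth_task"
    elif kind == "registry_set":
        if COM_HIJACK_KEY.search(ev.get("key", "")):
            return "com_hijack_registry"      # per-user InprocServer32 override
    return None

def correlate(events, min_stages=2):
    """Collect distinct stages per host; return hosts that reach min_stages (a lone filen.io hit is not enough)."""
    hits = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}

# Constructed sample telemetry (not real logs); the CLSID is a placeholder.
SAMPLE = [
    {"host": "ws01", "type": "network", "process": "WINWORD.EXE", "dest": "203.0.113.10", "user_agent": "Microsoft-WebDAV-MiniRedir/10.0.19041"},
    {"host": "ws01", "type": "file_create", "process": "explorer.exe", "path": r"C:\Users\u\AppData\Local\EhStoreShell.dll"},
    {"host": "ws01", "type": "registry_set", "process": "reg.exe", "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"},
    {"host": "ws01", "type": "task_create", "process": "schtasks.exe", "task": r"\OneDriveHealth"},
    {"host": "ws01", "type": "network", "process": "rundll32.exe", "dest": "gateway.filen.io"},
    {"host": "ws02", "type": "network", "process": "chrome.exe", "dest": "drive.filen.io"},  # a legitimate user, single hit
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE).items():
        print(host, stages)
```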
