Key Points
- APT28 targets Central and Eastern Europe using a Microsoft Office flaw.
- Operation Neusploit involves sophisticated malware delivery techniques.
- Zero-day vulnerability allows remote code execution.
APT28, a notorious cyber threat group linked to Russia, has launched a sophisticated campaign leveraging a zero-day vulnerability in Microsoft Office. This attack targets countries in Central and Eastern Europe, using advanced techniques to infiltrate systems and deploy malware.
Exploiting Microsoft Office Vulnerability
The cyber attackers have utilized specially crafted Microsoft Rich Text Format (RTF) files to exploit the vulnerability, leading to a multi-stage infection process. This operation, identified as Operation Neusploit, highlights an escalation in APT28’s tactics, focusing on high-value targets in Ukraine, Slovakia, and Romania.
Users are lured into opening malicious RTF documents sent via socially engineered emails. These emails are crafted in various languages, including English, Romanian, Slovak, and Ukrainian, to enhance their effectiveness. When the document is opened, the vulnerability is activated, allowing the execution of arbitrary code without the user’s knowledge.
Infection Chain and Malware Deployment
The attack involves two distinct dropper malware variants, each designed to deliver different payloads to infected systems. One variant installs MiniDoor, a tool that steals emails by monitoring Outlook login events. It sends the harvested emails to predetermined addresses controlled by the attackers.
For persistence, the malware alters Windows registry settings to bypass Outlook’s security measures, ensuring the malicious macro loads with each application launch. The vulnerability, identified as CVE-2026-21509, is critical and affects the Microsoft Office RTF Handler.
Advanced Evasion Techniques
The second variant of the dropper installs PixyNetLoader, paving the way for the Covenant Grunt implant, which provides attackers with command-and-control functionalities. These variants employ server-side evasion, only serving payloads to requests from specific regions, making detection and analysis difficult for cybersecurity experts globally.
This campaign was identified by Zscaler analysts in January 2026, with exploitation observed shortly after Microsoft issued a security update on January 26, 2026, to address this critical vulnerability.
Conclusion
The APT28 operation underscores the critical need for robust cybersecurity measures, especially in regions targeted by sophisticated threat groups. The exploitation of zero-day vulnerabilities remains a significant challenge for organizations worldwide, necessitating ongoing vigilance and timely updates.
Frequently Asked Questions
- What is APT28?
APT28 is a cyber threat group allegedly linked to Russia, known for targeting high-value entities.
- What is a zero-day vulnerability?
It is a security flaw unknown to the vendor, exploited by attackers before a patch is available.
- How does APT28 deliver its malware?
They use socially engineered emails with malicious RTF documents to exploit vulnerabilities.
- What regions does this attack target?
The campaign focuses on Central and Eastern Europe, specifically Ukraine, Slovakia, and Romania.
- How can organizations protect themselves?
Regularly update software, employ strong security measures, and educate users about phishing attacks.
