Russian cyber actors, known as APT28, are conducting a sophisticated cyber espionage campaign targeting key government and military sectors in Europe. These attacks focus on maritime and transport organizations within countries such as Poland, Ukraine, and Turkey.
Exploitation of Microsoft Office Vulnerability
APT28 is exploiting a critical vulnerability in Microsoft Office, identified as CVE-2026-21509. This flaw allows attackers to bypass defenses and execute harmful code on affected systems effortlessly. The attack begins with highly targeted spear-phishing emails, which are crafted to resemble urgent official communications.
These emails use geopolitical themes, such as alerts about weapons smuggling or military training invitations, to deceive recipients. Upon opening the malicious document, the exploit activates automatically without requiring user interaction, making it particularly effective against defense and diplomatic targets.
Rapid Deployment and Stealth Techniques
Analysts at Trellix discovered this malicious activity and noted the adversary’s rapid response, weaponizing the vulnerability within 24 hours of its disclosure. The attack documents contain embedded objects that use the WebDAV protocol to fetch external payloads from attacker-controlled servers, masking malicious traffic as legitimate web requests.
Upon exploiting the vulnerability, APT28 deploys custom malware, such as the “BeardShell” C++ implant and an Outlook backdoor named “NotDoor.” These tools enable persistent access, intelligence theft, and lateral movement within the victim’s network. The use of legitimate cloud services for command and control complicates detection further.
Advanced Evasion Tactics
The infection chain is designed for stealth and resilience, using multiple layers of obfuscation to evade security measures. After the initial breach, a loader retrieves an encrypted image file that contains hidden shellcode, executing the BeardShell backdoor directly in memory and avoiding detection by traditional antivirus solutions. The malware also employs anti-analysis techniques, such as timing checks, to evade security sandboxes.
APT28 also uses the legitimate cloud service filen.io to manage its command and control communications, blending malicious traffic with regular user data. Organizations are urged to apply emergency Office patches and restrict the WebDAV protocol. Implementing strict email filtering can also block initial attack vectors.
Stay informed with our latest updates by following us on Google News, LinkedIn, and X, and set CSN as your preferred source in Google.
