Key Points
- APT28, a Russia-linked state-sponsored group, is exploiting a Microsoft Office vulnerability in targeted attacks.
- The flaw, tracked as CVE-2026-21509, is being used to deliver malware to targets in Ukraine, Slovakia, and Romania.
- The attack chain pairs social engineering (multilingual lure documents) with evasion techniques: COM hijacking for persistence, a payload hidden in a PNG image, and anti-analysis checks before execution.
Introduction to APT28’s Latest Campaign
The threat group APT28 has been observed exploiting a recently disclosed vulnerability in Microsoft Office, CVE-2026-21509, which carries a CVSS score of 7.8 (high severity). The attacks, tracked as an operation named Neusploit, began on January 29, 2026, shortly after Microsoft published details of the flaw.
APT28 targeted users in Ukraine, Slovakia, and Romania through social engineering: lure documents were prepared in English, Romanian, Slovak, and Ukrainian, each built to trigger the Office vulnerability when opened.
Technical Breakdown of the Attack
The attack starts with a malicious RTF file that exploits the Microsoft Office vulnerability. This file delivers two distinct malware components: MiniDoor and PixyNetLoader. MiniDoor, a C++ DLL, collects messages from a set of mailbox folders and sends them to predetermined email addresses; it is believed to be a stripped-down version of an earlier malware known as NotDoor.
PixyNetLoader starts a longer chain. It establishes persistence through COM object hijacking and drops further components: a shellcode loader and a PNG image with a payload hidden inside it.
- The shellcode loader's job is to extract the code hidden in the PNG image by steganography and execute it.
- It does so only if its anti-analysis checks pass and it finds itself running inside the explorer.exe process; a sample loaded by an analyst's tooling or a sandbox harness rather than by Explorer never reaches the payload.
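The page does not say which steganographic method the loader uses, so the following is an added example (not code from the page, from Sekoia, or from the malware itself) of the simplest variant and of the check an analyst would run against a suspicious image: data appended after the PNG `IEND` chunk, which image viewers ignore but a loader can carve back out. The script builds a small PNG in memory (constructed input), stashes a placeholder payload behind `IEND`, and then inspects the file for trailing bytes, CRC mismatches in chunks that were edited in place, and private or non-standard chunk types. All function names are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Standard public chunk types; anything else deserves a second look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tIME",
    b"pHYs", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"tRNS", b"sBIT",
}


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int) -> bytes:
    """Constructed test input: a minimal, valid 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each scanline starts with filter byte 0 (None) followed by width pixels.
    raw = b"".join(b"\x00" + bytes((x * 7) & 0xFF for x in range(width)) for _ in range(height))
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and report structural anomalies: trailing bytes after IEND,
    chunks whose CRC does not match their data, and private or non-standard chunk
    types that a viewer would silently skip."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks, bad_crc, odd_chunks = [], [], []
    end = None
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        chunks.append(ctype)
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            bad_crc.append(ctype)
        # Bit 5 of the second type byte set (lowercase letter) marks a private chunk.
        if ctype not in KNOWN_CHUNKS or (ctype[1] & 0x20):
            odd_chunks.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            end = pos
            break
    return {
        "chunks": chunks,
        "bad_crc": bad_crc,
        "odd_chunks": odd_chunks,
        "has_iend": end is not None,
        "trailing_bytes": len(blob) - end if end is not None else 0,
    }


def stash_payload(png: bytes, payload: bytes) -> bytes:
    """Attacker side: append a payload after IEND. Viewers stop at IEND, so the image still renders."""
    if inspect_png(png)["trailing_bytes"]:
        raise ValueError("image already carries trailing data")
    return png + payload


def carve_trailing(blob: bytes) -> bytes:
    """Loader or analyst side: return whatever follows IEND (empty if nothing does)."""
    n = inspect_png(blob)["trailing_bytes"]
    return blob[-n:] if n else b""


if __name__ == "__main__":
    image = stash_payload(build_png(8, 4), b"\x90" * 16 + b"PAYLOAD")
    print(inspect_png(image))
    print(carve_trailing(image))
```

Trailing data is only one stash; least-significant-bit encoding inside `IDAT` pixel data leaves the chunk structure clean and would pass this check, so treat a clean result as "nothing obvious", not as proof the image is benign. The explorer.exe host check is not reproduced here: it is a runtime condition the loader evaluates, not a property of the file.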
APT28’s Strategic Use of Covenant Framework
APT28's chain ends with the deployment of a Grunt implant from Covenant, the open-source .NET command-and-control framework. This mirrors aspects of an earlier campaign, Operation Phantom Net Voxel, which Sekoia documented in 2025: the current attack replaces VBA macros with DLLs but retains techniques such as COM hijacking and string encryption.
In parallel, the Computer Emergency Response Team of Ukraine (CERT-UA) reported APT28 exploiting the same vulnerability with Word documents in a campaign aimed at more than 60 email addresses belonging to Ukrainian government authorities. One of the documents was created on January 27, 2026, two days before the Neusploit attacks began, indicating the lures were prepared in advance.
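COM object hijacking, used for persistence in both this campaign and Operation Phantom Net Voxel, works because `HKCU\Software\Classes` is merged over `HKLM\Software\Classes`: a per-user `CLSID\{...}\InprocServer32` entry shadows the machine-wide one for that user, and any process that instantiates the class loads the attacker's DLL. The following is an added example (not code from the page, from Sekoia, or from CERT-UA) of a triage script that parses a `.reg` export of a user's hive and flags per-user COM server registrations, rating those that point into user-writable paths or use a `TreatAs` redirect as high. The sample export and every GUID in it are constructed placeholders, not indicators from the campaign.

```python
import re

# Constructed .reg export of a user's HKCU hive (example input, not data from the
# campaign). The GUIDs are placeholders, not indicators from any report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\InprocServer32]
@="C:\\Program Files\\Vendor\\plugin.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}\TreatAs]
@="{11111111-2222-3333-4444-555555555555}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\alice\\AppData\\Local\\Vendor\\updater.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
COM_SERVER_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32|TreatAs)$",
    re.IGNORECASE,
)
# Path fragments an unprivileged user can write to; a COM server living here is the
# classic hijack shape. Program Files and Windows need admin rights to write.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")


def unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: string_data}}; the default value is stored under ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':  # string values only
                keys[current][name] = unescape(data[1:-1])
    return keys


def find_com_hijacks(keys: dict) -> list:
    """Flag per-user COM server registrations. HKCU\\Software\\Classes is merged over
    HKLM, so an entry here shadows the machine-wide class for this user."""
    findings = []
    for path, values in keys.items():
        m = COM_SERVER_RE.match(path)
        if not m:
            continue
        clsid, subkey = m.group(1), m.group(2)
        target = values.get("", "")
        if subkey.lower() == "treatas":
            severity, why = "high", "TreatAs redirects the CLSID to another class"
        elif any(frag in target.lower() for frag in USER_WRITABLE):
            severity, why = "high", "server binary lives in a user-writable path"
        else:
            severity, why = "info", "per-user COM server (verify the binary is expected)"
        findings.append({"clsid": clsid, "subkey": subkey, "target": target, "severity": severity, "reason": why})
    return findings


def scan(text: str) -> list:
    """Parse a .reg export and return the COM hijack findings."""
    return find_com_hijacks(parse_reg(text))


if __name__ == "__main__":
    for f in scan(SAMPLE_REG):
        print(f["severity"], f["clsid"], f["subkey"], f["target"], "-", f["reason"])
```

To produce the input on a live host, export the hive with `reg export HKCU\Software\Classes\CLSID out.reg` and feed the file to `scan`. Legitimate per-user registrations exist (several Microsoft and vendor applications register classes under HKCU), so the "info" findings need a quick look at the binary rather than an alert; the "high" ones, a DLL in AppData or a TreatAs pointing at such a class, are the shape described in this campaign and warrant pulling the DLL.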
Conclusion
APT28's exploitation of CVE-2026-21509 shortly after its disclosure underscores the persistent threat from state-sponsored actors and how quickly they weaponize new vulnerabilities. Timely patching, careful handling of document attachments, and monitoring for the persistence and email exfiltration behaviours described above remain the practical defences.
Frequently Asked Questions
- What is APT28?
  APT28, also known as UAC-0001 (the CERT-UA designation), is a Russia-linked state-sponsored threat actor known for cyber-espionage campaigns.
- What is CVE-2026-21509?
  CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office rated CVSS 7.8 (high severity).
- How does APT28 exploit this vulnerability?
  APT28 sends crafted RTF documents (and, per CERT-UA, Word documents) that trigger the flaw and deploy MiniDoor and PixyNetLoader, the latter leading to a Covenant Grunt implant.
- Who are the primary targets of these attacks?
  Users in Ukraine, Slovakia, and Romania, with a focus on governmental and strategic institutions.
- What can organizations do to protect themselves?
  Apply Microsoft's update for CVE-2026-21509, treat RTF and Word attachments from untrusted senders with suspicion, review per-user COM registrations (HKCU CLSID entries) for unexpected DLL paths, and watch for unusual outbound email or network activity.
