In the latest illustration of how quickly attackers can exploit newly disclosed flaws, Russia’s notorious APT28 cyber-espionage group has begun abusing a recently patched Microsoft vulnerability to steal emails and deploy malicious payloads against organizations in Central and Eastern Europe.
CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office for which Microsoft rushed an out-of-cycle patch on Jan. 26 after confirming active zero-day exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its database of known exploited vulnerabilities at the time.
Speedy Exploit
According to Zscaler researchers, APT28 began exploiting the flaw just three days later, on Jan. 29, as part of a campaign they are tracking as Operation Neusploit. The attacks rely on specially crafted Microsoft Rich Text Format (RTF) documents to trigger the vulnerability and kick off a multistage infection chain that delivers different malicious payloads, Zscaler said in a report this week.
To increase the likelihood of success, the threat actor is using phishing lures written in English as well as localized versions of Romanian, Slovak, and Ukrainian. As part of an effort to maintain a low profile, APT28 is employing server-side filtering to deliver malicious data link libraries (DLLs) only when requests originate from targeted geographic regions and also include the expected email or client headers.
“We cannot confirm whether the CVE-2026-21509 exploitation activity observed in the wild by Microsoft is the same as Operation Neusploit,” says Deepen Desai, executive vice president and chief security officer (CSO) at Zscaler, in comments to Dark Reading. “We can confirm that we are actively collaborating with Microsoft and sharing our Operation Neusploit findings.”
A Long-Standing Threat
APT28, also known as Fancy Bear, Sofacy, and Sednit, is a Russia-linked advanced persistent threat (APT) group that the US government and others have linked to Russia’s GRU military intelligence service. The cyberespionage group has been active since at least 2007 and is known for its ability to rapidly weaponize new vulnerabilities and constantly evolve its arsenal of malicious tools. It is associated with numerous attacks on government entities, military organizations, security firms, and critical infrastructure targets in North America, Europe, and elsewhere. Other high profile attacks include a breach of the Democratic National Committee and attacks on the World Anti-Doping Agency.
CVE-2026-21509 is a zero-day vulnerability that allows attackers to trigger unsafe COM/OLE behavior in Microsoft 365 and Office and execute arbitrary code on affected systems. Some security analysts have described the vulnerability as complex to take advantage of and likely to be of interest mainly to state-sponsored actors and financially motivated groups.
APT28 is exploiting the flaw to download a dropper DLL on to victim machines. Zscaler found the threat actor using two variants of the dropper, one of which deploys malware that Zscaler is tracking as MiniDoor and the other dubbed PixyNetLoader, which downloads multiple other malicious payloads.
MiniDoor, according to Zscaler, is a lightweight Visual Basic for Applications (VBA) project designed specifically to steal emails from Microsoft Outlook. MiniDoor, Desai says, “was developed by APT28 for the sole purpose of collecting and exfiltrating victims’ emails.”
PixyNetLoader, the other dropper DLL that APT28 is using in Operation Neusploit, is more complex. The threat actor is using it to deploy multiple nested layers of malicious code that ultimately result in a Covenant Grunt backdoor — originally a penetration testing tool — being loaded on the victim system.
Zscaler’s Desai assesses that it would have taken APT28 a medium to high level of effort to exploit CVE-2026-21509. For the moment at least, there is no indication that other groups have been able to successfully exploit the vulnerability, but that may not last long. “Some researchers have released proof-of-concepts (PoCs) for CVE-2026-21509, so it is highly likely other threat actors will weaponize these PoCs in real-world attacks.”
Mitigate ASAP
He recommends that organizations apply Microsoft’s patch for the flaw as soon as possible to mitigate breach risks.
Noelle Murata, senior security engineer at Xcape, called APT28’s turnaround time for exploiting CVE-2026-21509 “absurd.”
“The attack uses classic techniques with a modern twist: WebDAV downloads, COM hijacking, shellcode hidden in PNGs, and the Covenant framework using Filen cloud storage for C2,” Morata said. “Organizations must update and restart Office immediately. Office 2021 and 365 get server-side protection, but the apps must be restarted to take effect.”
Murata also recommended that organizations monitor or block Filen.io traffic — a legitimate cloud service — to prevent access to APT28’s command-and-communications (C2) infrastructure. Also, they should apply Microsoft’s registry configurations from their advisory, she said. “This is what happens when legacy protocols meet nation-state actors who don’t sleep.”
