

Ethical Hacking News

APT28 Exploits Microsoft Office Vulnerability to Carry Out Espionage-Focused Malware Attacks



Cybersecurity experts have warned about the recent exploitation of a newly disclosed Microsoft Office vulnerability by Russia-linked APT28 to carry out espionage-focused malware attacks. The group, known for its sophisticated tactics, has weaponized CVE-2026-21509 to deliver threats that include Outlook email stealers and COVENANT framework implants. This campaign highlights the ongoing threat landscape and underscores the need for continued vigilance against zero-day vulnerabilities.

  • Russia-linked APT28 exploited CVE-2026-21509, a Microsoft Office vulnerability, in espionage-focused malware attacks.
  • The campaign, codenamed Operation Neusploit, targeted users in Ukraine, Slovakia, and Romania with socially engineered lures.
  • The attack chain used server-side evasion: the delivery server returned malicious payloads only to requests that came from the targeted geographic regions and carried the expected User-Agent HTTP header.
  • Payloads included MiniDoor (an Outlook email stealer) and PixyNetLoader (which deploys a Covenant Grunt implant); persistence on the host was established through COM object hijacking.
  • The attack chain overlaps with Operation Phantom Net Voxel, an earlier APT28 campaign that took a different approach and relied on a VBA macro.
  • Further investigation showed that the attacks also targeted central executive authorities in Ukraine with Word documents that initiate WebDAV connections.



Threat actors, specifically Russia-linked APT28 (also known as UAC-0001), have recently leveraged a newly disclosed security flaw in Microsoft Office to carry out sophisticated espionage-focused malware attacks. According to Zscaler ThreatLabz, the group weaponized CVE-2026-21509, a security feature bypass vulnerability in Microsoft Office that an unauthorized attacker can trigger by delivering a specially crafted Office file. The vulnerability has a CVSS score of 7.8, placing it in the high-severity range.

The campaign, codenamed Operation Neusploit, was observed by Zscaler ThreatLabz on January 29, 2026. It targeted users in Ukraine, Slovakia, and Romania with social engineering lures written in English as well as in the local languages (Romanian, Slovak, and Ukrainian) to match the intended recipients. The lure documents were designed to trick users into opening malicious Office files, which set off an attack chain that relies on server-side evasion techniques.

The attack chain combined several techniques, including server-side evasion: the delivery server returned malicious DLLs only when a request originated from the targeted geographic region and carried the expected User-Agent HTTP header. Once a user opened the malicious file, it delivered one of two dropper variants: one that drops an Outlook email stealer called MiniDoor, and another, referred to as PixyNetLoader, that deploys a Covenant Grunt implant.

MiniDoor is a stripped-down version of NotDoor (aka GONEPOSTAL), which S2 Grupo LAB52 documented in September 2025. It steals emails from several Outlook folders (Inbox, Junk, and Drafts) and forwards them to two hard-coded threat actor email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. PixyNetLoader, by contrast, kicks off a more elaborate chain that delivers additional payloads embedded within it and establishes persistence on the host through COM object hijacking.

PixyNetLoader's primary job is to parse shellcode concealed within a PNG image ("SplashScreen.png") and execute it. This logic activates only if the infected machine does not look like an analysis environment and the host process that loaded the DLL is "explorer.exe". The extracted shellcode ultimately loads an embedded .NET assembly: a Grunt implant associated with the open-source .NET COVENANT command-and-control (C2) framework. APT28's use of the Grunt Stager was previously highlighted by Sekoia in September 2025.

Zscaler noted that "The PixyNetLoader infection chain shares notable overlap with Operation Phantom Net Voxel," another APT28 campaign, which took a different approach and used a VBA macro. The overlap illustrates how the group reuses its tooling while evolving its tactics to evade detection.

Further investigation by CERT-UA revealed that the attacks also used Word documents sent to more than 60 email addresses associated with central executive authorities in Ukraine. Metadata analysis showed that one lure document was created on January 27, 2026. When opened in Microsoft Office, the document establishes a network connection to an external resource over the WebDAV protocol and then downloads a shortcut file whose embedded command downloads and runs an executable.

This triggers an attack chain identical to PixyNetLoader's, resulting in deployment of the COVENANT framework's Grunt implant. The campaign is a stark reminder of the importance of staying vigilant against zero-day vulnerabilities and of the evolving tactics of state-sponsored threat actors such as APT28.
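As a defender-side illustration of the last stage of this chain (an Office document opens a WebDAV connection to an external host, then a shortcut file is fetched from it), here is an added example, not code from the article or from any of the vendors it cites, that correlates those two events per client over constructed proxy log lines. The log format, the `Microsoft-WebDAV-MiniRedir` user-agent match, the five-minute window and the `files.corp.example` allowlist are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines for the demo (not taken from the article):
# timestamp, client IP, HTTP method, URL, quoted User-Agent.
SAMPLE_LOG = """\
2026-01-29T10:02:11 10.1.4.22 PROPFIND http://203.0.113.10/share/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-29T10:02:12 10.1.4.22 GET http://203.0.113.10/share/Update.lnk "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-29T10:05:40 10.1.4.23 PROPFIND http://files.corp.example/docs/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-29T10:07:03 10.1.4.24 GET http://www.example.net/index.html "Mozilla/5.0"
2026-01-29T10:20:00 10.1.4.25 GET http://203.0.113.10/share/Update.lnk "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL"}
# Assumed allowlist of sanctioned internal WebDAV shares; every other host counts as external.
INTERNAL_HOSTS = {"files.corp.example"}
WINDOW = timedelta(minutes=5)

def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, url, user_agent)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, client, method, url, ua = m.groups()
    return datetime.fromisoformat(ts), client, method.upper(), url, ua

def host_of(url):
    """Hostname of an http(s) URL, without any port."""
    return url.split("/")[2].split(":")[0].lower()

def find_webdav_shortcut_chains(log_text, internal_hosts=INTERNAL_HOSTS, window=WINDOW):
    """Return (client, host, url) for each client that performed WebDAV-style discovery
    against a non-allowlisted host and then fetched a .lnk from that same host within `window`."""
    first_dav = {}   # (client, host) -> time of the first WebDAV-style request
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, method, url, ua = parse_line(raw)
        host = host_of(url)
        if host in internal_hosts:
            continue
        key = (client, host)
        if method in WEBDAV_METHODS or "WebDAV-MiniRedir" in ua:
            first_dav.setdefault(key, ts)
        if (method == "GET" and url.lower().endswith(".lnk")
                and key in first_dav and ts - first_dav[key] <= window):
            hits.append((client, host, url))
    return hits

if __name__ == "__main__":
    for client, host, url in find_webdav_shortcut_chains(SAMPLE_LOG):
        print(f"ALERT {client}: WebDAV discovery against {host} followed by shortcut fetch {url}")
```

The last sample line shows why the correlation is keyed per client: a bare shortcut download with no preceding WebDAV traffic from that host is not reported.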



Related Information:
  • https://www.ethicalhackingnews.com/articles/APT28-Exploits-Microsoft-Office-Vulnerability-to-Carry-Out-Espionage-Focused-Malware-Attacks-ehn.shtml
  • https://thehackernews.com/2026/02/apt28-uses-microsoft-office-cve-2026.html
  • https://www.securityweek.com/russias-apt28-rapidly-weaponizes-newly-patched-office-vulnerability/
  • https://nvd.nist.gov/vuln/detail/CVE-2026-21509
  • https://www.cvedetails.com/cve/CVE-2026-21509/
  • https://thecyberexpress.com/russian-apt28-exploit-zero-day-cve-2026-21509/
  • https://attack.mitre.org/groups/G0007/


  • Published: Tue Feb 3 14:50:31 2026 by llama3.2 3B Q4_K_M