

Ethical Hacking News

APT28 Strikes Again: Russian-State Hackers Exploit Microsoft Office Vulnerability



Russian-state hackers have exploited a critical Microsoft Office vulnerability to compromise devices inside diplomatic, maritime, and transport organizations in more than half a dozen countries. Trellix has attributed the campaign to APT28 with "high confidence" based on technical indicators and target selection.

  • Trellix attributes a recent campaign exploiting a Microsoft Office vulnerability to APT28.
  • The attack began on January 28 with a 72-hour spear-phishing campaign targeting defense ministries, transportation operators, and diplomatic entities in nine countries.
  • APT28 exploited CVE-2026-21509 less than 48 hours after Microsoft released a patch for it.
  • Attack used a novel and stealthy approach with advanced exploit installing backdoor implants for full system reconnaissance and persistence.
  • Backdoor implant monitored email folders, bundled messages into a Windows .msg file, and sent them to attacker-controlled cloud accounts.
  • Use of cloud services for command and control channels emphasized APT28's focus on stealth and speed.
  • Trellix attributed the campaign to APT28 based on technical indicators and targeting consistent with their profile.
  • Attack highlights importance of rapid patching and vigilance in defending against state-sponsored attacks.


    Researchers at security firm Trellix have attributed a recent campaign of attacks to APT28, a group known for its sophisticated and relentless cyber-espionage operations. The campaign, which exploited a critical Microsoft Office vulnerability, shows how quickly state-aligned actors weaponize newly disclosed vulnerabilities, leaving defenders with very little time to patch critical systems.

    The attack began on January 28, when APT28 launched a 72-hour spear-phishing campaign that delivered at least 29 distinct email lures to organizations in nine countries, primarily in Eastern Europe. The targets included defense ministries, transportation and logistics operators, and diplomatic entities; defense ministries alone accounted for about 40% of the targets.

    According to Trellix, APT28 exploited CVE-2026-21509 less than 48 hours after Microsoft released a patch for it. Such rapid exploitation shows how quickly state-aligned actors can turn a freshly patched vulnerability into a working attack, shrinking the window in which defenders can roll out the fix before it is used against them.

    The attack used a novel and stealthy approach: APT28 built an advanced exploit that installed one of two previously unseen backdoor implants. The implants provided full system reconnaissance, persistence by injecting code into the Windows svchost.exe process, and a foothold for lateral movement to other systems inside the compromised network.

    In addition to its persistence capabilities, the NotDoor backdoor implant monitored email folders, including Inbox, Drafts, Junk Mail, and RSS Feeds. It bundled messages into a Windows .msg file and sent the bundle to attacker-controlled accounts on the cloud service filen.io. To keep the exfiltration out of sight, the macro tagged each processed message with a custom "AlreadyForwarded" property so it would not be forwarded twice, and set "DeleteAfterSubmit" to true on the outgoing messages so that no copy of the forwarded bundle was left in the Sent Items folder for the user to notice.
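    The two Outlook properties named above (the custom "AlreadyForwarded" user property and "DeleteAfterSubmit") are also the most direct hunting signal a defender has inside a mailbox. The following PowerShell script is an added example written for this page; it is not Trellix's code and not part of the implant. It walks the folders the article says NotDoor monitored, plus Outbox and Sent Items, through the Outlook COM object model and reports mail items that carry the custom property, that are set to be deleted after submission, or that carry a .msg attachment addressed to filen.io. The folder numbers are the documented OlDefaultFolders constants; the $SuspectDomains default comes from the article, and the $InternalDomains value is an assumption you must replace with your own mail domains. It must run on a workstation where the user's Outlook profile is configured.

```powershell
# Added hunting example (not from the article or from Trellix). Requires Outlook
# installed with the user's profile configured; run in the user's session.
param(
    [string[]]$InternalDomains = @('example.gov'),  # assumption: replace with your domains
    [string[]]$SuspectDomains  = @('filen.io')      # from the article
)

$outlook = New-Object -ComObject Outlook.Application
$ns      = $outlook.GetNamespace('MAPI')

# OlDefaultFolders: Inbox=6, Drafts=16, Junk E-mail=23, RSS Feeds=25, Outbox=4, Sent Items=5
$folders = [ordered]@{
    'Inbox' = 6; 'Drafts' = 16; 'Junk E-mail' = 23; 'RSS Feeds' = 25
    'Outbox' = 4; 'Sent Items' = 5
}

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Folder, $Item, [string]$Reason) {
    $findings.Add([pscustomobject]@{
        Folder   = $Folder
        Received = $Item.ReceivedTime
        Subject  = $Item.Subject
        Reason   = $Reason
    })
}

foreach ($name in $folders.Keys) {
    try { $folder = $ns.GetDefaultFolder($folders[$name]) } catch { continue }

    foreach ($item in @($folder.Items)) {
        if ($item.Class -ne 43) { continue }   # 43 = olMail; skip meetings, reports, etc.

        # 1. The custom property the macro used to mark already-exfiltrated mail.
        #    UserProperties.Find returns $null when the property is absent.
        $tag = $item.UserProperties.Find('AlreadyForwarded')
        if ($tag -ne $null) {
            Add-Finding $name $item "custom UserProperty 'AlreadyForwarded' = $($tag.Value)"
        }

        # 2. DeleteAfterSubmit is almost never set on user-authored mail; the macro
        #    used it to keep the forwarded bundle out of Sent Items.
        if ($item.DeleteAfterSubmit) {
            Add-Finding $name $item 'DeleteAfterSubmit is TRUE'
        }

        # 3. A .msg bundle addressed to an external or known-suspect domain.
        #    Note: Exchange recipients may expose an X.500 DN rather than an SMTP
        #    address in .Address; those entries are treated as internal here.
        $msgAttachments = @($item.Attachments | Where-Object { $_.FileName -like '*.msg' })
        if ($msgAttachments.Count -gt 0) {
            foreach ($r in $item.Recipients) {
                $addr = [string]$r.Address
                if ($addr -notmatch '@') { continue }
                $domain = ($addr -split '@')[-1].ToLower()
                if ($SuspectDomains -contains $domain) {
                    Add-Finding $name $item ".msg attachment sent to suspect domain: $addr"
                } elseif ($InternalDomains -notcontains $domain) {
                    Add-Finding $name $item ".msg attachment sent to external domain: $addr"
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No NotDoor-style indicators found in the monitored folders.'
} else {
    $findings | Sort-Object Folder, Received | Format-Table -AutoSize
}
```

    A hit on the custom property is the strongest signal, because nothing legitimate in Outlook creates a user property named "AlreadyForwarded". The DeleteAfterSubmit check is noisier and is best used in Drafts and Outbox, where an in-flight forwarded bundle would still be visible; by design, a message sent with that flag never reaches Sent Items.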

    The use of cloud services for command and control channels further emphasizes APT28's focus on stealth and speed. Command channels were hosted in legitimate cloud services that are typically allow-listed inside sensitive networks, making it difficult for defenders to detect the attack.

    Trellix noted that the campaign was carefully designed to leverage trusted channels and fileless techniques, effectively hiding in plain sight. The use of encrypted payloads and in-memory execution made it difficult for endpoint protection systems to detect the malicious activity.

    In a statement, Trellix said, "The tradecraft in this campaign—multi-stage malware, extensive obfuscation, abuse of cloud services, and targeting of email systems for persistence—reflects a well-resourced, advanced adversary consistent with APT28's profile." The attribution rests on technical indicators and on the selection of targets, which Trellix believes match APT28's fingerprint.

    The attack highlights the importance of rapid patching and vigilance in defending against state-sponsored attacks. As the threat landscape continues to evolve, defenders must remain vigilant and proactive in their efforts to protect critical systems from sophisticated adversaries like APT28.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/APT28-Strikes-Again-Russian-State-Hackers-Exploit-Microsoft-Office-Vulnerability-ehn.shtml

  • Published: Tue Feb 17 13:15:28 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.