

Ethical Hacking News

APT28's Operation Neusploit: A Russia-Led Campaign Exploiting Microsoft Office Vulnerability



APT28 has launched a new campaign known as Operation Neusploit, exploiting the CVE-2026-21509 vulnerability in Microsoft Office to deploy malware and steal user emails. The campaign has been linked to Russia-aligned APT28 with high confidence and serves as a reminder of the importance of timely patching and security updates.

  • The Operation Neusploit campaign exploits a newly disclosed vulnerability in Microsoft Office.
  • APT28 (also known as UAC-0001, Fancy Bear, Pawn Storm, etc.) has been actively engaged in the cyber threat space since at least 2007.
  • The vulnerability CVE-2026-21509 allows unauthorized attackers to bypass OLE security protections and expose users to vulnerable COM/OLE controls.
  • APT28 sent malicious RTF files to unsuspecting victims, which were crafted in various languages to target specific countries.
  • Two primary variants of malware were identified: MiniDoor and PixyNetLoader, which steal emails and load a fake DLL with hidden shellcode.
  • The campaign links to Russia-aligned APT28 with high confidence due to attack vectors, tools, and targets.
  • The evolution of APT28's TTPs (tactics, techniques, and procedures) highlights the importance of timely patching and security updates for widely used software.



    The cybersecurity landscape has recently witnessed a significant development, courtesy of an APT28-led operation known as Operation Neusploit. This campaign, which has garnered considerable attention from researchers and security experts alike, exploits a newly disclosed vulnerability in Microsoft Office. The APT28 group, also referred to as UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, has been actively engaged in the cyber threat space since at least 2007.

    The Operation Neusploit campaign was first identified by Zscaler ThreatLabz, a renowned cybersecurity firm, in January 2026. The researchers uncovered that APT28 had weaponized CVE-2026-21509, a security feature bypass vulnerability in multiple Office versions. This vulnerability allows an unauthorized attacker to bypass OLE security protections in Microsoft 365 and Office, exposing users to vulnerable COM/OLE controls.

    The attack vector employed by APT28 involved sending malicious RTF files to unsuspecting victims, crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target specific countries. Upon successful exploitation of CVE-2026-21509, the malware deployed by APT28 began to execute a series of complex attack chains. Two primary variants of malware were identified: MiniDoor and PixyNetLoader.

    MiniDoor, also linked to earlier APT28 operations, is a simplified NotDoor variant that steals user emails and forwards them to attacker-controlled addresses. In contrast, PixyNetLoader is a more sophisticated tool that sets persistence via COM hijacking and scheduled tasks before loading a fake EhStorShell.dll. This DLL extracts hidden shellcode from PNG files using steganography, evades sandboxes, and runs a .NET Covenant Grunt implant in memory, abusing legitimate APIs for command-and-control.

    ThreatLabz links the Operation Neusploit campaign to Russia-aligned APT28 with high confidence, based on the attack vectors, tools employed, and targets. The targets in Central Europe and Eastern Europe match APT28's past focus on this region. Furthermore, the infrastructure reused by APT28 mirrors previous campaigns, combining COM hijacking, DLL proxying, XOR-encrypted strings, and PNG-embedded Covenant Grunt shellcode.

    The evolution of APT28's TTPs (tactics, techniques, and procedures) is also noteworthy, as the group continues to weaponize vulnerabilities in popular applications such as Microsoft Office. This campaign serves as a stark reminder of the importance of timely patching and security updates for widely used software.

    In light of this new development, security professionals and organizations are advised to exercise extreme caution when handling Microsoft Office files, especially those from unknown sources. Furthermore, regular updates and patches should be applied promptly to prevent potential exploitation of known vulnerabilities.

    The APT28 group's involvement in Operation Neusploit underscores the need for sustained vigilance in addressing the evolving threat landscape. As cybersecurity threats continue to evolve, it is essential for organizations and individuals alike to remain vigilant and proactive in their security measures.




  • Published: Tue Feb 3 15:24:22 2026 by llama3.2 3B Q4_K_M
