

Ethical Hacking News

Russian Hackers Exploit Recently Patched Microsoft Office Bug to Launch Wave of Sophisticated Attacks


Russian hackers have exploited a recently patched vulnerability in Microsoft Office to launch a wave of sophisticated attacks. The campaign underlines why users and organizations should prioritize emergency software updates and treat unsolicited emails and documents with caution.

  • Russian hackers exploited a recently patched Microsoft Office vulnerability (CVE-2026-21509) in a series of sophisticated attacks.
  • The malicious documents were distributed via email and themed around EU COREPER consultations in Ukraine.
  • The attack chain combined WebDAV-hosted downloads, COM hijacking, a malicious DLL, shellcode hidden in an image file, and a scheduled task.
  • The loader was linked to APT28 (Fancy Bear), a nation-state threat actor associated with Russia's GRU.
  • Monitoring for, or blocking, connections to the Filen cloud storage service used for command and control improves defense against this threat.
  • Users and organizations are advised to apply the latest security update on Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024 and Microsoft 365 Apps.
  • For Office 2021 and later, restart Office applications so the update takes effect; where patching is not yet possible, apply Microsoft's registry-based mitigation.



    In a development that highlights the ongoing cat-and-mouse game between defenders and nation-state threat actors, Ukraine's Computer Emergency Response Team (CERT-UA) has reported that Russian hackers exploited a recently patched vulnerability in multiple versions of Microsoft Office to launch a series of sophisticated attacks. The vulnerability, CVE-2026-21509, was fixed in an emergency update released on January 26 and was flagged by Microsoft as actively exploited within three days of that release.

    According to CERT-UA, which investigated the incident, the malicious documents were distributed via email and were themed around EU COREPER consultations in Ukraine. Document metadata showed that the file was created one day after the emergency update, meaning the attackers weaponized the newly patched flaw within a day of the fix being published and relied on the window before organizations deploy it.

    Opening the malicious document triggered a WebDAV-based download chain that installed malware using COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png) and a scheduled task named OneDriveHealth. The loader was linked to APT28, the nation-state threat actor also tracked as Fancy Bear and Sofacy and attributed to Russia's General Staff Main Intelligence Directorate (GRU).

    The Covenant command-and-control framework, believed to be the final payload, uses the Filen (filen.io) cloud storage service for its C2 channel. Monitoring for connections to that platform, or blocking them outright where it has no business use, improves defense against this threat.
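    Turning the indicators from the two paragraphs above into detection logic, as an added example that is not part of the CERT-UA report or the original article: a Python hunting routine run over constructed, Sysmon-like endpoint telemetry. The indicator names (EhStoreShell.dll, SplashScreen.png, the OneDriveHealth task, filen.io) are the ones reported above; the event schema, the sample records, the placeholder CLSID, and the heuristics for user-hive COM registration and WebDAV UNC paths are assumptions of this example. It also shows why the image file needs correlation rather than a standalone rule.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators named in the CERT-UA reporting summarized above (matched case-insensitively).
LOADER_DLL = "ehstoreshell.dll"
STAGE_IMAGE = "splashscreen.png"
TASK_NAME = "onedrivehealth"
C2_DOMAIN = "filen.io"

# Heuristics assumed for this example rather than taken from the report: a COM hijack
# usually registers an InprocServer32 under HKCU, which shadows the HKLM entry without
# admin rights, and an Office process pulling content over WebDAV appears as a UNC path
# through the Windows WebDAV mini-redirector (\\host@SSL\DavWWWRoot\...).
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
COM_HIJACK_RE = re.compile(
    r"^hkcu\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32$", re.I)
WEBDAV_UNC_RE = re.compile(r"^\\\\[^\\]+\\davwwwroot\\", re.I)


def _is_c2_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)


def classify(ev: Dict) -> Optional[str]:
    """Per-event checks; returns a finding label or None."""
    kind = ev.get("type")
    proc = ntpath.basename(ev.get("image", "")).lower()
    target = ev.get("target", "")
    if kind == "file_access" and proc in OFFICE_PROCS and WEBDAV_UNC_RE.match(target):
        return "office_webdav_fetch"
    if kind == "file_create" and proc in OFFICE_PROCS and target.lower().endswith(".dll"):
        return "office_wrote_dll"
    if kind == "registry_set" and COM_HIJACK_RE.match(ev.get("key", "")):
        return "com_hijack_hkcu_inprocserver32"
    if kind == "image_load":
        loaded = ev.get("loaded", "").lower()
        if ntpath.basename(loaded) == LOADER_DLL and any(p in loaded for p in USER_WRITABLE):
            return "loader_dll_from_user_path"
    if kind == "task_create" and ev.get("task_name", "").lower() == TASK_NAME:
        return "persistence_task_onedrivehealth"
    if kind in ("dns_query", "network_connect") and _is_c2_host(ev.get("host", "")):
        return "filen_c2_traffic"
    return None


def hunt(events: Iterable[Dict]) -> List[Tuple[int, str]]:
    """Run the per-event checks, then the one correlation this chain needs."""
    events = list(events)
    findings: List[Tuple[int, str]] = []
    loader_dirs = set()
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            findings.append((i, label))
        if label == "loader_dll_from_user_path":
            loader_dirs.add(ntpath.dirname(ev["loaded"]).lower())
    # A PNG called SplashScreen.png is far too common to alert on by itself; one written
    # into the directory the hijacked DLL is loaded from is the embedded-shellcode stage.
    for i, ev in enumerate(events):
        target = ev.get("target", "")
        if (ev.get("type") == "file_create"
                and ntpath.basename(target).lower() == STAGE_IMAGE
                and ntpath.dirname(target).lower() in loader_dirs):
            findings.append((i, "shellcode_image_beside_loader"))
    return sorted(findings)


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DROP = r"C:\Users\analyst\AppData\Roaming\Health"
# Constructed telemetry for one host; the CLSID is a placeholder, not the real hijacked one.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": WORD,
     "cmdline": r'WINWORD.EXE /n "C:\Users\analyst\Downloads\COREPER_consultation.docx"'},
    {"type": "file_access", "image": WORD, "target": r"\\203.0.113.10@SSL\DavWWWRoot\pub\stage.dll"},
    {"type": "file_create", "image": WORD, "target": DROP + r"\EhStoreShell.dll"},
    {"type": "file_create", "image": WORD, "target": DROP + r"\SplashScreen.png"},
    {"type": "registry_set", "image": WORD, "value": DROP + r"\EhStoreShell.dll",
     "key": r"HKCU\Software\Classes\CLSID\{01234567-89ab-cdef-0123-456789abcdef}\InprocServer32"},
    {"type": "image_load", "image": r"C:\Windows\explorer.exe", "loaded": DROP + r"\EhStoreShell.dll"},
    # Near-miss control: a similarly named DLL loaded from System32 must not fire.
    {"type": "image_load", "image": r"C:\Windows\explorer.exe", "loaded": r"C:\Windows\System32\EhStorShell.dll"},
    {"type": "task_create", "image": r"C:\Windows\System32\schtasks.exe", "task_name": "OneDriveHealth"},
    {"type": "task_create", "image": r"C:\Windows\System32\svchost.exe", "task_name": "OneDrive Reporting Task"},
    {"type": "dns_query", "image": r"C:\Windows\explorer.exe", "host": "gateway.filen.io"},
    {"type": "dns_query", "image": r"C:\Windows\explorer.exe", "host": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    for idx, label in hunt(SAMPLE_EVENTS):
        print(f"event[{idx:2}] {SAMPLE_EVENTS[idx]['type']:<15} -> {label}")
```

    Run stand-alone, the script flags seven of the eleven records: the WebDAV fetch, the DLL written by Word, the hijack key, the loader DLL loading from a user-writable path, the OneDriveHealth task, the filen.io lookup, and, only because a loader directory was established first, the SplashScreen.png drop. Field names will differ in real Sysmon or EDR output, so the checks are meant to be ported into your query language rather than run as-is.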

    Subsequent investigations revealed that APT28 used three more documents in attacks against various EU-based organizations, indicating that the campaign extends beyond Ukraine. In one observed case, the domains supporting the attacks were registered on the same day, suggesting a coordinated effort by the attackers to spread the malware.

    Microsoft has stated that Office's Protected View adds an extra layer of defense by opening files that originate from the Internet in a restricted, read-only view unless the user explicitly trusts them. The CERT-UA report nonetheless underlines the need for users and organizations to apply the latest security update on Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024 and Microsoft 365 Apps.

    For Office 2021 and later, users are advised to restart Office applications so that the update takes effect. Where immediate patching is not possible, Microsoft's registry-based mitigation instructions reduce the risk of infection until the update can be deployed.

    The incident serves as a reminder of the importance of keeping software up-to-date and being cautious when opening emails or documents from unknown sources. It also highlights the ongoing efforts by cybersecurity experts to track and counter nation-state sponsored threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russian-Hackers-Exploit-Recently-Patched-Microsoft-Office-Bug-to-Launch-Wave-of-Sophisticated-Attacks-ehn.shtml

  • Published: Mon Feb 2 15:11:46 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
