A Russia-linked APT28 group has successfully exploited a newly discovered zero-day vulnerability in Microsoft's MSHTML browser component, leaving numerous organizations vulnerable to attack before Microsoft had issued a patch. The incident highlights the importance of timely patching and the need for organizations to remain vigilant in protecting themselves against evolving cyber threats.
This week brought a disturbing revelation from the world of cyber warfare: Russia-linked APT28 exploited a high-severity zero-day vulnerability in Microsoft's MSHTML browser component. The vulnerability, tracked as CVE-2026-21513, was exploited by APT28 before Microsoft had issued a patch, leaving countless organizations exposed to potential attacks.
According to reports from Akamai, a leading cybersecurity firm, the exploitation of this zero-day vulnerability was carried out by Russia-linked APT28, an active threat actor known for its sophisticated tactics and malicious activities. The vulnerability in question is an Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file.
Researchers from Akamai used PatchDiff-AI to analyze the root cause of the issue and traced CVE-2026-21513 to hyperlink navigation logic in ieframe.dll. They found that weak URL validation lets attacker-controlled input reach ShellExecuteExW, enabling code execution outside the browser sandbox. The researchers also identified an exploit sample, document.doc.LnK.download, uploaded in January 2026 and linked to APT28 infrastructure.
"By correlating the vulnerable code path with public threat intelligence, we identified a sample that was leveraging this functionality: document.doc.LnK.download," reads the report published by Akamai. "The sample was first submitted to VirusTotal on January 30, 2026, shortly before February’s Patch Tuesday, and is associated with infrastructure linked to APT28, an active Russian state-sponsored threat actor."
The payload uses a specially crafted Windows Shortcut (.lnk) that embeds an HTML file directly after the standard LNK structure. When executed, it connects to wellnesscaremed[.]com, a domain attributed to APT28 and widely used in the campaign’s multistage activity. The exploit relies on nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC).
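A defender-side triage check for the delivery shape described above, written as an added example for this article and not code from Akamai or Microsoft: it validates the Shell Link header (constants from the [MS-SHLLINK] specification), flags a file whose content is LNK but whose name is not, and reports HTML markers appended after the header. The sample bytes are constructed.

```python
"""Triage helper: flag Windows Shortcut (.lnk) files that carry HTML appended
after the LNK structure. Added example, not Akamai's or Microsoft's code."""
import re
import struct

# Fixed header values from the [MS-SHLLINK] specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# Markers that have no business inside a legitimate shortcut file.
HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<iframe|<script|<body", re.IGNORECASE)


def is_lnk(data: bytes) -> bool:
    """True if data begins with a valid Shell Link header (size + CLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_embedded_html(data: bytes) -> list:
    """Return byte offsets of HTML markers found after the LNK header."""
    if not is_lnk(data):
        return []
    return [m.start() for m in HTML_MARKERS.finditer(data, LNK_HEADER_SIZE)]


def triage(filename: str, data: bytes) -> dict:
    """Summarise LNK-related red flags for one file."""
    lnk = is_lnk(data)
    return {
        "is_lnk": lnk,
        # Content is a shortcut but the name hides it (e.g. a trailing ".download").
        "extension_mismatch": lnk and not filename.lower().endswith(".lnk"),
        "html_offsets": find_embedded_html(data),
    }


def build_minimal_lnk_header() -> bytes:
    """Constructed 76-byte Shell Link header with zeroed fields (test input only)."""
    return struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)


if __name__ == "__main__":
    # Constructed samples: a bare header, and the same header with HTML appended.
    clean = build_minimal_lnk_header()
    suspicious = clean + b"\x00" * 8 + b"<html><body><iframe src='about:blank'></iframe></body></html>"
    for name, blob in [("notes.lnk", clean), ("document.doc.LnK.download", suspicious)]:
        print(name, triage(name, blob))
```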
"While the observed campaign leverages malicious .LNK files, the vulnerable code path can be triggered through any component embedding MSHTML. Therefore, additional delivery mechanisms beyond LNK-based phishing should be expected," concludes the report.
Microsoft addressed the issue by tightening hyperlink protocol validation so that file://, http://, and https:// links no longer reach ShellExecuteExW.