Microsoft 0-Day Vulnerability Targeted by APT28 Hacking Group Infiltrating Sensitive Networks

APT28, the Russia-based hacking group, began exploiting a recently patched Microsoft Office vulnerability shortly after the tech giant fixed it as a zero-day.

The group leveraged specially crafted Microsoft Rich Text Format (RTF) files to exploit the vulnerability and deliver malicious backdoors through a multi-stage infection chain. Researchers tracked the activity as Operation ‘Neusploit’, which represents a significant escalation in APT28’s capabilities and demonstrates the group’s continued focus on high-value targets across Ukraine, Slovakia, and Romania.

Microsoft tracks the vulnerability as CVE-2026-21509 and publicly disclosed it on January 26.

Ukraine’s Computer Emergency Response Team (CERT-UA) detected exploitation attempts in the field, indicating that the zero-day flaw was being actively weaponized.

Google Threat Intelligence Group (GTIG) reported rapid and widespread exploitation. Zscaler, which linked the campaign to APT28 with high confidence based on victimology and TTPs, observed CVE-2026-21509 being exploited to deliver a dropper that in turn delivered further malware. Zscaler has seen attacks targeting users in Central and Eastern Europe, including Slovakia, Romania, and Ukraine.

The disclosure underlines how quickly defenders must respond to newly disclosed vulnerabilities: the window between patch release and in-the-wild exploitation is short, and patching processes often underestimate it.

Key pointers from the attack infiltrating sensitive networks

The attack chain begins when an unwitting user opens a malicious document in Microsoft Office.

The attackers use the WebDAV protocol: the exploit establishes a connection to external servers, enabling the download of additional malicious payloads.

According to the research, successful execution creates a DLL file named “EhStoreShell.dll,” disguised as a legitimate Windows component.

The malware then modifies the Windows registry (COM hijacking) so that the malicious DLL is loaded by a trusted Windows process rather than by a conspicuous new one.

The malware also sets up a scheduled task called “OneDriveHealth,” which runs the malicious code periodically and thereby maintains persistence on compromised systems.

The attack executes when victims open malicious documents in Microsoft Office:

  1. The exploit establishes WebDAV connections to external resources
  2. A shortcut file downloads and executes additional payloads
  3. The malware drops EhStoreShell.dll (disguised as “Enhanced Storage Shell Extension”) and SplashScreen.png (containing shellcode)
  4. COM hijacking modifies Windows registry values for a specific CLSID identifier
  5. A scheduled task named “OneDriveHealth” executes periodically, terminating and relaunching Explorer
  6. Explorer loads the malicious DLL due to COM hijacking, executing shellcode from the image file
  7. The Covenant post-exploitation framework deploys with Filen.io cloud storage as C2

Using legitimate cloud infrastructure for command-and-control makes malicious traffic appear normal and harder to detect.
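The chain above leaves host-level artifacts that can be hunted for without knowing the CLSID, which the report does not publish. The following PowerShell script is an added example written for this article, not code from the researchers or from Microsoft. It assumes only the names the text gives (the “OneDriveHealth” task, “EhStoreShell.dll”, and “SplashScreen.png”); the per-user CLSID check is generic, flagging any HKCU CLSID that shadows an HKLM one and whose in-process server lives outside the Windows or Program Files directories, which is the usual shape of a COM hijack that needs no admin rights. “SplashScreen.png” is a common file name, so hits on it need manual review; the script reports whether each hit carries a valid PNG header to help with that.

```powershell
# Added hunting script for the APT28 / CVE-2026-21509 persistence chain (not from the original report).
# Assumptions: task and file names come from the article; the hijacked CLSID is not published,
# so the COM check looks for the generic per-user-shadowing-machine-wide pattern.
$suspiciousDll  = 'EhStoreShell.dll'
$suspiciousTask = 'OneDriveHealth'
$findings       = New-Object System.Collections.Generic.List[object]

# 1. The scheduled task the report names. Record its actions so the analyst sees what it launches.
$task = Get-ScheduledTask -TaskName $suspiciousTask -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Name = $task.TaskName; Detail = $actions })
}

# 2. Per-user COM registrations. For a non-elevated process, HKCU\Software\Classes\CLSID is consulted
#    before HKLM, so writing an InprocServer32 under HKCU hijacks a CLSID that Explorer already loads.
$hkcuClsid = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $hkcuClsid) {
    Get-ChildItem $hkcuClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = "$hkcuClsid\$clsid\InprocServer32"
        if (-not (Test-Path $inproc)) { return }
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { return }
        $expanded      = [Environment]::ExpandEnvironmentVariables($dll)
        $shadowsHklm   = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"
        $outsideSystem = $expanded -notmatch '^(?i)(?:[A-Z]:\\Windows\\|[A-Z]:\\Program Files)'
        if ($expanded -like "*$suspiciousDll" -or ($shadowsHklm -and $outsideSystem)) {
            $findings.Add([pscustomobject]@{
                Type   = 'COMHijack'
                Name   = $clsid
                Detail = "$expanded (shadows HKLM: $shadowsHklm)"
            })
        }
    }
}

# 3. The DLL and the shellcode-carrying image anywhere under the user profile. A PNG whose first
#    eight bytes are not the PNG signature is not a picture at all; one that is may still carry
#    shellcode after the real image data, so both cases are reported, only labelled differently.
$pngMagic = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -ErrorAction SilentlyContinue `
              -Include $suspiciousDll, 'SplashScreen.png' | ForEach-Object {
    $detail = $_.FullName
    if ($_.Extension -ieq '.png') {
        $head = New-Object byte[] 8
        $fs = [IO.File]::OpenRead($_.FullName)
        try { $read = $fs.Read($head, 0, 8) } finally { $fs.Close() }
        $valid = ($read -eq 8) -and (-not (Compare-Object $head $pngMagic -SyncWindow 0))
        $detail += " (valid PNG header: $valid)"
    }
    $findings.Add([pscustomobject]@{ Type = 'File'; Name = $_.Name; Detail = $detail })
}

if ($findings.Count -eq 0) {
    'No indicators from the APT28 / CVE-2026-21509 chain found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated or a user-context PowerShell session on the host under review; the COM and file checks cover only the current user’s hive and profile, so repeat it per user (or load other users’ NTUSER.DAT hives) on shared machines. A clean run does not prove the host is unaffected, since the operators can rename the task and DLL; the per-user CLSID shadowing check is the part of the script that survives such renaming.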

Emerging Threat & Implication

The attackers deployed the Covenant framework, a post-exploitation tool similar to Cobalt Strike.

Once deployed, it gives the operators control over compromised systems, using Filen.io, a legitimate cloud storage service, as part of their command-and-control strategy. This adds another layer of stealth to their operations.

Abusing trusted services and built-in Windows components in this way, an approach often grouped under “living off the land,” complicates detection and response efforts for cybersecurity teams.

Organizations that do not apply the emergency patch promptly remain exposed, and many will struggle to roll the update out quickly across their environments, leaving them vulnerable to ongoing attacks.

The swift exploitation of CVE-2026-21509 by APT28 is a stark reminder of the vulnerabilities inherent in widely used software like Microsoft Office. CERT-UA is skeptical that organizations will deploy the fix quickly.

“It is obvious that in the near future, including due to the inertia of the process or the impossibility of users updating Microsoft Office, the number of cyberattacks using this vulnerability will begin to increase,” the center warned.

Constant cybersecurity vigilance is paramount as organizations navigate the complexities of patch management and threat detection to safeguard against advanced persistent threats.

(Sources: Russia’s APT28 Rapidly Weaponizes Newly Patched Office Vulnerability – SecurityWeek)
