APT28 Exploits Microsoft Office Zero-Day in Targeted Espionage Attacks

Security Reporter

The Russia-linked APT28 group is actively exploiting Microsoft Office vulnerability CVE-2026-21509 to deliver malware implants to government and other targets in Ukraine, Slovakia, and Romania.

Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

Security researchers have confirmed active exploitation of a critical Microsoft Office vulnerability by the Russia-linked APT28 threat group (also tracked by CERT-UA as UAC-0001). Designated CVE-2026-21509 (CVSS 7.8), this security feature bypass flaw lets a specially crafted Office document execute attacker-supplied code when it is opened. The campaign, dubbed Operation Neusploit by Zscaler ThreatLabz, targets government and other organizations in Ukraine, Slovakia, and Romania.

Attack Chain Mechanics

APT28's attack chain begins with weaponized RTF files delivered through phishing lures tailored to each target country:

  • Geofencing: the malicious payload is served only when the victim's request originates from a targeted region (Ukraine, Slovakia, Romania) and carries an expected browser signature; everyone else receives nothing, which also blinds analysis performed from outside those regions
  • Dual Payload Strategy:
    1. MiniDoor: a lightweight stealer DLL that harvests Outlook email from the Inbox, Junk, and Drafts folders and exfiltrates it by mailing it to actor-controlled addresses (ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me)
    2. PixyNetLoader: a multi-stage dropper that deploys Covenant Grunt implants:
      • persists via COM hijacking
      • hides its shellcode steganographically inside a PNG file (SplashScreen.png)
      • runs the payload only when the host process is explorer.exe, so the DLL stays inert when analysis tooling loads it from any other process

Technical Connections to Historical Campaigns

This operation shares significant overlap with APT28's September 2025 Operation Phantom Net Voxel, documented by Sekoia. While replacing VBA macros with DLL-based execution, attackers maintained four core techniques:

  1. COM hijacking persistence
  2. DLL proxying
  3. XOR-based string encryption
  4. Covenant Grunt deployment via steganographic payloads

The Covenant C2 framework, an open-source offensive tool, gives the attackers flexible command-and-control. The Ukrainian CERT (CERT-UA) confirms the same attacks against more than 60 government email addresses, using weaponized Word documents that fetch their payloads over WebDAV.

Defense Recommendations

Organizations should implement these protective measures immediately:

  1. Patch Enforcement: Apply Microsoft's emergency update for CVE-2026-21509 to every Office installation
  2. Email Filtering: Block RTF attachments at the mail gateway and outbound WebDAV requests to untrusted hosts at the perimeter (Windows tunnels WebDAV over HTTP/HTTPS through the WebClient service, so a port-based rule alone will not catch it)
  3. Behavior Monitoring: Alert on Office applications spawning unexpected child processes, on explorer.exe loading unsigned DLLs or DLLs from user-writable paths (the COM-hijack host in this campaign), and on those processes reading PNG files from unusual locations
  4. User Training: Educate staff on identifying localized phishing lures (Slovak, Ukrainian, and Romanian themes)
  5. Threat Hunting: Search for the known artifacts such as EhStoreShell.dll, and for COM hijacks in the registry (CLSID\{GUID}\InprocServer32 values, especially under HKCU\Software\Classes, that point at DLLs in user-writable directories)
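The following script is an added example for recommendations 3 and 5 above; it is not code from this article, from Zscaler, or from CERT-UA. It assumes endpoint telemetry exported one event per line in Sysmon-style "Key=Value" form (EventID 13 = registry value set, EventID 7 = image loaded) and flags the two artifacts the campaign leaves: an InprocServer32 value pointing at a DLL in a user-writable directory, and explorer.exe loading an unsigned DLL or one from such a path. The sample events are constructed for the demonstration, not captured data.

```python
"""Hunt for COM-hijack persistence and suspicious DLL loads into explorer.exe
in Sysmon-style telemetry (added example, not the article's or Zscaler's code).

Assumptions: one event per line, Sysmon field names, EventID 13 = registry
value set (TargetObject/Details), EventID 7 = image loaded (ImageLoaded/Signed).
"""
import re

# Constructed sample telemetry (not real log data). Event 1 is a per-user CLSID
# override whose InprocServer32 points at a DLL under the user's profile; event 3
# is explorer.exe loading that unsigned DLL. Events 2, 4 and 5 are benign.
SAMPLE_EVENTS = r"""
EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default) Details=C:\Users\alice\AppData\Roaming\EhStoreShell.dll
EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32\(Default) Details=C:\Program Files\Vendor\vendor.dll
EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Users\alice\AppData\Roaming\EhStoreShell.dll Signed=false
EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\shell32.dll Signed=true
EventID=7 Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true
"""

# Key=Value pairs; a value runs until the next " Key=" token, so paths with
# spaces ("Program Files") survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# CLSID\{GUID}\InprocServer32\ anywhere in the key path, whichever hive.
INPROC_RE = re.compile(r"\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32\\")
# Directories an unprivileged user can write to; a COM server registered from
# here is the textbook hijack artifact.
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Temp)\\")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_user_writable(path):
    return bool(USER_WRITABLE_RE.match(path))


def find_com_hijacks(events):
    """Registry writes that point an InprocServer32 at a user-writable DLL."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "13":
            continue
        key, dll = ev.get("TargetObject", ""), ev.get("Details", "")
        if INPROC_RE.search(key) and is_user_writable(dll):
            hits.append({"writer": ev.get("Image", ""), "key": key, "dll": dll})
    return hits


def find_explorer_loads(events):
    """explorer.exe loading a DLL that is unsigned or lives in a user-writable path."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "7":
            continue
        if not ev.get("Image", "").lower().endswith(r"\explorer.exe"):
            continue
        dll = ev.get("ImageLoaded", "")
        if is_user_writable(dll) or ev.get("Signed", "").lower() == "false":
            hits.append({"dll": dll, "signed": ev.get("Signed", "")})
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for h in find_com_hijacks(events):
        print("COM hijack:", h["writer"], "wrote", h["key"], "->", h["dll"])
    for h in find_explorer_loads(events):
        print("explorer.exe load:", h["dll"], "signed=" + h["signed"])
```

Run against the sample it reports one COM hijack and one suspicious explorer.exe load, both the same EhStoreShell.dll copy under the user's profile. On a live Windows host the equivalent one-off check is to enumerate HKCU:\Software\Classes\CLSID\*\InprocServer32 with Get-ItemProperty and apply the same user-writable-path test to each default value, since per-user CLSID entries override HKLM for non-elevated processes such as explorer.exe.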

Zscaler researchers Sudeep Singh and Roy Tay emphasize: "The combination of geographic targeting, multi-layered evasion, and Covenant's adaptable framework makes this campaign particularly dangerous for high-value targets." Continuous monitoring for suspicious Office document behavior remains critical as APT28 refines its tactics.
