APT28 Exploits MSHTML Zero-Day CVE-2026-21513 Before Patch Tuesday
#Vulnerabilities


Security Reporter

Russia-linked APT28 has been exploiting a critical MSHTML zero-day vulnerability to bypass security features and execute malicious code, with evidence pointing to attacks beginning in January 2026.

A critical zero-day vulnerability in Microsoft's MSHTML rendering engine has been actively exploited by the Russia-linked APT28 threat group before Microsoft released its February 2026 Patch Tuesday security updates, according to new research from Akamai.

The Vulnerability and Its Impact

The vulnerability, tracked as CVE-2026-21513, carries a CVSS score of 8.8 and represents a high-severity security feature bypass affecting the MSHTML Framework. Microsoft describes the flaw as a "protection mechanism failure" that allows unauthorized attackers to bypass security features over a network.

The vulnerability stems from insufficient validation of target URLs within the "ieframe.dll" component that handles hyperlink navigation. This weakness enables attacker-controlled input to reach code paths that invoke ShellExecuteExW, potentially allowing execution of local or remote resources outside the intended browser security context.

How the Attack Works

In a typical attack scenario, APT28 would weaponize the vulnerability by persuading victims to open malicious HTML files or shortcut (LNK) files delivered through phishing emails or malicious links. Once opened, the crafted file manipulates browser and Windows Shell handling, causing content to be executed by the operating system.

Akamai security researcher Maor Dahan detailed the attack mechanism: "This payload involves a specially crafted Windows Shortcut (LNK) that embeds an HTML file immediately after the standard LNK structure. The LNK file initiates communication with the domain wellnesscaremed[.]com, which is attributed to APT28 and has been in extensive use for the campaign's multistage payloads."

The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries, making it possible for attackers to bypass Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). This leads to a downgrade of the security context and ultimately facilitates the execution of malicious code outside of the browser sandbox via ShellExecuteExW.
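As an added defender-side example (not code from Akamai's research or this article), the following Python check looks for the file layout described above: it walks the MS-SHLLINK structure to its end and reports any HTML markup appended after it as an overlay. The sample LNK is constructed inline, and the overlay content and the example.invalid URL are assumptions.

```python
import re
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"                                  # HeaderSize = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")    # {00021401-0000-0000-C000-000000000046}
HTML_MARKERS = re.compile(rb"<\s*(html|iframe|script|body|meta)\b", re.IGNORECASE)


def shell_link_end(data: bytes) -> int:
    """Walk the MS-SHLLINK layout and return the offset where the structure ends."""
    if len(data) < 76 or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                          # fixed-size ShellLinkHeader
    if flags & 0x01:                                  # HasLinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                  # HasLinkInfo: 4-byte size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & 0x80 else 1              # IsUnicode -> UTF-16LE strings
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):        # Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char_size
    while True:                                       # ExtraData blocks; terminal block has size < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if size < 4 else size
        if size < 4:
            return pos


def find_overlay_html(data: bytes) -> dict:
    """Report bytes appended after the LNK structure and the offset of any HTML markup in them."""
    end = shell_link_end(data)
    match = HTML_MARKERS.search(data, end)            # only search the overlay, not the structure
    return {"structure_end": end, "overlay_len": len(data) - end,
            "html_offset": match.start() if match else None}


def build_sample_lnk(overlay: bytes) -> bytes:
    """Constructed minimal LNK (flags: HasArguments | IsUnicode) with an overlay appended."""
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<I", 0xA0) + b"\x00" * 52
    args = "--demo".encode("utf-16-le")
    string_data = struct.pack("<H", len(args) // 2) + args
    terminal = b"\x00\x00\x00\x00"                    # ExtraData terminal block
    return header + string_data + terminal + overlay


if __name__ == "__main__":
    sample = build_sample_lnk(b'<html><body><iframe src="https://example.invalid/"></iframe></body></html>')
    print(find_overlay_html(sample))
```

A non-zero overlay with no HTML markers is still worth a look, since appended data of any kind is unusual for a legitimate shortcut.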

Evidence of Active Exploitation

Akamai identified a malicious artifact uploaded to VirusTotal on January 30, 2026, that is associated with infrastructure linked to APT28. The sample was previously flagged by the Computer Emergency Response Team of Ukraine (CERT-UA) in early February 2026 in connection with APT28's attacks exploiting another Microsoft Office security flaw (CVE-2026-21509).

While Microsoft has not officially shared details about the zero-day exploitation effort, the company acknowledged that the vulnerability had been exploited in real-world attacks. The discovery was credited to the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, and Google Threat Intelligence Group (GTIG).

Broader Implications

Akamai noted that while the observed campaign leverages malicious LNK files, the vulnerable code path can be triggered through any component embedding MSHTML. "Therefore, additional delivery mechanisms beyond LNK-based phishing should be expected," the company warned.

This exploitation pattern highlights the ongoing challenges organizations face with zero-day vulnerabilities, particularly those affecting widely used components like MSHTML that are embedded in numerous Windows applications and processes.

Protection and Mitigation

Organizations should immediately apply the February 2026 Patch Tuesday updates to address CVE-2026-21513. Additionally, security teams should monitor for indicators of compromise related to the wellnesscaremed[.]com domain and other APT28-associated infrastructure.

Given the sophisticated nature of APT28's exploitation techniques, organizations may also want to implement additional defensive measures such as enhanced email filtering, user awareness training for phishing detection, and network monitoring for unusual LNK file activity or MSHTML-related processes.

The discovery underscores the persistent threat posed by state-sponsored actors like APT28, who continue to develop and deploy sophisticated exploitation techniques targeting critical software vulnerabilities before they can be patched.
