Ukraine's CERT warns that APT28 is actively exploiting CVE-2026-21509 in Microsoft Office, with weaponized documents appearing just days after Microsoft's disclosure and targeting government agencies across Ukraine and EU member states.
Russia-linked APT28 attackers are already exploiting Microsoft's latest Office zero-day, with Ukraine's national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU.
In an alert published on Sunday, CERT-UA says the activity is being driven by UAC-0001, better known as "APT28" or "Fancy Bear", and hinges on CVE-2026-21509, a security feature bypass bug in Microsoft Office that Microsoft disclosed last week alongside a warning that attackers were already exploiting it in the wild.
According to CERT-UA, the first weaponized document surfaced just days after Microsoft sounded the alarm about the flaw. A file titled "Consultation_Topics_Ukraine(Final).doc" appeared publicly on January 29 and was themed around EU discussions on Ukraine. File metadata shows it was created on January 27 — the day after Microsoft published details of the flaw — a turnaround time that suggests the exploit chain was already prepared and waiting.
That same day, Ukrainian incident responders were alerted to a parallel phishing campaign impersonating official correspondence from the Ukrhydrometeorological Center. More than 60 recipients, mostly across central government bodies, received emails carrying a malicious DOC attachment. Opening the file in Office quietly initiates a WebDAV connection to an external server, downloads a shortcut file, and uses it as a launchpad for further malware.
From there, the attackers drop a DLL masquerading as a legitimate Windows component and stash shellcode inside what appears to be a harmless image file. They then establish persistence via COM hijacking and a scheduled task that restarts explorer.exe, ensuring the malicious code is reloaded. Most users would notice little out of the ordinary, but the attackers now have a foothold they can return to.
The end result is the deployment of the COVENANT post-exploitation framework, with command-and-control traffic routed through a legitimate cloud storage service, Filen, so that it blends in with everyday noise rather than standing out as obviously hostile. CERT-UA has advised defenders to monitor Filen-related traffic closely or block it outright where possible.
The campaign has not been confined to Ukraine. In the final days of January, CERT-UA identified three more malicious documents using the same exploit chain and targeting organizations in EU member states. In one case, the domain serving the payload was registered on the very day it was used, underlining how fast the attackers are cycling through infrastructure.
Microsoft now has patches out, including for older Office builds that initially sat in limbo, but CERT-UA is still not optimistic about how quickly they'll land. "It is obvious that in the near future, including due to the inertia of the process or impossibility of users updating the Microsoft Office suite and/or using recommended protection mechanisms, the number of cyberattacks using the described vulnerability will begin to increase," CERT-UA warned.

Technical Analysis
The attack chain demonstrates sophisticated tradecraft:
- Weaponization speed: From Microsoft's disclosure to weaponized documents in under 48 hours
- Multi-stage delivery: DOC → WebDAV → shortcut → DLL → shellcode
- Persistence mechanisms: COM hijacking and scheduled task for explorer.exe restart
- Command & Control: Legitimate cloud storage service for traffic obfuscation
- Post-exploitation: COVENANT framework deployment
Mitigation Recommendations
Organizations should:
- Apply Microsoft's patches immediately, including for older Office versions
- Block or monitor Filen-related traffic as advised by CERT-UA
- Implement email filtering for suspicious DOC attachments
- Enable Office Protected View for all documents from untrusted sources
- Monitor for unusual WebDAV connections and COM object modifications
- Consider temporarily blocking Office macros if not business-critical
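The monitoring items above can be turned into concrete detection rules. The following is an added example, not code from CERT-UA or the original report: a small Python detector run over constructed Sysmon-style events that flags the three behaviours the report describes (an Office process connecting to an external host, a per-user InprocServer32 override characteristic of COM hijacking, and a scheduled task whose action restarts explorer.exe). All paths, the SID, the CLSID and the IP addresses are hypothetical placeholders.

```python
import ipaddress
import re

# Constructed Sysmon-style events (id 3 = network connection, 13 = registry value set,
# 1 = process creation). Every value is a hypothetical placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "203.0.113.10", "dest_port": 80},                      # Office reaching an external host
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "10.0.0.5", "dest_port": 445},                         # benign internal SMB traffic
    {"id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "details": r"C:\Users\victim\AppData\Roaming\helper.dll"},        # per-user COM server override
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks /Create /TN "Updater" /TR "cmd /c taskkill /im explorer.exe & start explorer.exe" /SC ONLOGON'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks /Create /TN "Backup" /TR "C:\\Tools\\backup.exe" /SC DAILY'},  # benign task
]

OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
# COM hijacking: an InprocServer32 value under a *user* hive (HKU\<SID>\Software\Classes) shadows the
# machine-wide HKLM registration, so any process instantiating that CLSID loads the attacker's DLL.
COM_HIJACK_KEY = re.compile(r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9a-f-]+\}\\InprocServer32", re.I)
# RFC 1918 ranges plus loopback; 203.0.113.0/24 is a documentation range used here as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events):
    """Return (rule_name, evidence) tuples for events matching the reported chain."""
    alerts = []
    for ev in events:
        image = ev.get("image", "").lower()
        if ev["id"] == 3 and image.endswith(OFFICE_IMAGES) and is_external(ev["dest_ip"]):
            # Office binaries rarely need to reach arbitrary external hosts. Note that WebDAV fetched
            # through the Windows WebClient service surfaces as svchost.exe, so pair this with proxy logs.
            alerts.append(("office_external_connection", f'{ev["dest_ip"]}:{ev["dest_port"]}'))
        elif ev["id"] == 13 and COM_HIJACK_KEY.match(ev.get("target", "")):
            alerts.append(("com_hijack_inprocserver32", ev.get("details", "")))
        elif ev["id"] == 1 and image.endswith("schtasks.exe"):
            cmd = ev.get("command_line", "").lower()
            if "/create" in cmd and "explorer.exe" in cmd:   # task whose action restarts the shell
                alerts.append(("scheduled_task_restarts_explorer", ev["command_line"]))
    return alerts

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

Each rule fires on one of the three constructed malicious events and stays silent on the two benign ones; in production, feed it real Sysmon or EDR telemetry and tune the Office-connection rule against your proxy allow-list.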
The rapid weaponization timeline — from Microsoft's disclosure on January 26 to weaponized documents on January 27-29 — highlights the critical importance of immediate patch deployment for high-severity vulnerabilities, especially when active exploitation is already confirmed.
This campaign represents a significant escalation in APT28's targeting of Ukrainian and EU government infrastructure, leveraging zero-day vulnerabilities with unprecedented speed to compromise sensitive government systems.
