PROBABLYPWNED
Threat Intelligence | February 5, 2026 | 4 min read

APT28 Targets European Maritime Sector via Office Flaw

Russia's APT28 exploited CVE-2026-21509 to hit maritime and transport organizations across nine countries, with shipping firms making up 35% of targets.

Alex Kowalski

European shipping and transport companies are among the hardest-hit victims in APT28's latest campaign, which weaponized a Microsoft Office vulnerability barely 48 hours after Microsoft disclosed it. Trellix published updated findings on February 4 revealing that transportation and logistics operators accounted for roughly 35% of observed targets—second only to defense ministries at 40%.

The campaign, tracked as Operation Neusploit, exploits CVE-2026-21509 (CVSS 7.8), a security feature bypass in Microsoft Office that lets attackers trigger malicious code through crafted documents without macros or additional user interaction. We covered the initial wave of attacks targeting Eastern European governments last week—but the maritime dimension adds a concerning wrinkle that warrants separate attention.

Why Maritime?

Shipping lanes and port logistics are strategic intelligence targets for Russia, particularly since Western nations tightened sanctions enforcement after the 2022 invasion of Ukraine. Knowing which vessels carry what cargo, when they depart, and which ports they use gives Russia visibility into sanctions compliance, military resupply routes, and energy shipments.

The Trellix report identified at least 29 distinct phishing emails across nine countries: Poland, Slovenia, Turkey, Greece, the UAE, Ukraine, Romania, Slovakia, and Bolivia. Maritime and logistics firms received lures themed as weapons-smuggling alerts and shipping regulatory notices—content designed to look routine for organizations that regularly handle cross-border freight documentation.

Diplomatic entities rounded out the remaining 25% of targets. The geographic spread tracks closely with Black Sea shipping routes, Aegean transit corridors, and Eastern Mediterranean logistics hubs.

The Infection Chain

APT28 sent weaponized RTF files that exploit CVE-2026-21509 on open. No macros, no "enable content" prompt—the exploit fires automatically when the document loads. Microsoft had patched the flaw on January 26 through an emergency out-of-band update, but APT28 reverse-engineered the fix and had working exploits in the wild by January 29.

Once inside, the attack branched depending on the target:

Email harvesting path — MiniDoor, a C++ DLL, modified Outlook registry settings to weaken security controls and silently forwarded messages from Inbox, Junk, and Drafts to attacker-controlled addresses at outlook.com and proton.me. For maritime targets, email access alone can yield shipping manifests, port schedules, and contract details that would otherwise require dedicated espionage operations.

Full remote access path — PixyNetLoader used COM object hijacking for persistence and delivered shellcode hidden inside PNG images via steganography. The final payload was either a COVENANT Grunt implant or BEARDSHELL, a custom C++ backdoor. Both communicated through filen.io, a legitimate cloud storage platform, making traffic blend with normal business activity.

APT28's infrastructure used server-side geographic filtering and User-Agent validation. Requests from outside targeted regions got benign files. This selective delivery frustrates automated analysis by security vendors and sandbox systems that aren't positioned in the right geography.

Shrinking Patch Windows

"The use of CVE-2026-21509 demonstrates how quickly state-aligned actors can weaponize new vulnerabilities, shrinking the window for defenders to patch critical systems," Trellix researchers noted.

The timeline is stark. Microsoft disclosed the bug on January 26. APT28 had lure documents compiled by January 27. Active exploitation hit on January 29. CISA added CVE-2026-21509 to the KEV catalog with a February 16 remediation deadline for federal agencies—giving APT28 nearly three weeks of runway against organizations patching on that schedule.

This isn't APT28's first rapid-fire exploit turnaround. The group has a documented pattern of operationalizing Office vulnerabilities within days, often before security teams have finished testing patches in staging environments. Malformed phishing URLs that slip past filters compound the problem—even organizations with strong email security can miss crafted delivery mechanisms.

What Maritime Organizations Should Do

The maritime sector has historically underinvested in cybersecurity relative to its strategic importance. Port operators, shipping companies, and logistics coordinators handling European cargo should treat this as an active and targeted threat.

  1. Patch CVE-2026-21509 now. The update has been available since January 26. Office 2021+ and Microsoft 365 users need to restart applications to activate the automatic fix. Office 2016 and 2019 require manual patching.
  2. Hunt for MiniDoor indicators. Look for Outlook registry modifications that loosen security settings and unexpected email forwarding rules sending to external addresses.
  3. Monitor for filen.io traffic originating from Office processes or unusual system binaries—legitimate use of this service in enterprise environments is rare.
  4. Review RTF handling policies. Consider blocking RTF attachments at the email gateway, or at minimum quarantining them for inspection.
  5. Brief staff on current lures. Phishing themes include weapons-smuggling alerts, NATO/EU diplomatic invitations, military training notices, and weather emergency bulletins.
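Hunting steps 2 and 3 above, as an added example that is not part of the original article or of Trellix's tooling: detection logic in Python run over constructed sample telemetry (Sysmon-style registry and network events plus mailbox rule audit records). The organization domain, the list of "unusual system binaries" and the registry value in the sample are assumptions; the registry rule generalizes to any non-Outlook process writing under an Outlook Security key, since the report does not name the exact keys MiniDoor modifies.

```python
import re
from typing import Dict, List
ORG_DOMAIN = "example-shipping.test"   # assumption: the organization's own mail domain
# Consumer providers the report names as MiniDoor forwarding destinations.
CONSUMER_MAIL = {"outlook.com", "proton.me"}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: what "unusual system binaries" means for the filen.io rule.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
# Generalization: flag any write under an Outlook "Security" key by a non-Outlook process.
OUTLOOK_SECURITY_KEY = re.compile(r"\\Office\\[\d.]+\\Outlook\\Security(\\|$)", re.I)
FILEN_HOST = re.compile(r"(^|\.)filen\.io$", re.I)

# Constructed sample telemetry (Sysmon-style registry/network events plus
# mailbox rule audit records); none of it comes from the Trellix report.
EVENTS = [
    {"type": "registry", "image": r"C:\Windows\System32\rundll32.exe",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\ObjectModelGuard"},
    {"type": "registry", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Default"},
    {"type": "network", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_host": "app.filen.io", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "filen.io", "dest_port": 443},
    {"type": "mailrule", "mailbox": "ops@example-shipping.test", "action": "forward",
     "target": "archive@example-shipping.test"},
    {"type": "mailrule", "mailbox": "ops@example-shipping.test", "action": "forward",
     "target": "docs.backup@proton.me"},
]

def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events: List[Dict]) -> List[str]:
    """Return one finding per event matching a MiniDoor/PixyNetLoader hunting rule."""
    findings = []
    for e in events:
        img = _image_name(e.get("image", ""))
        if e["type"] == "registry":
            if OUTLOOK_SECURITY_KEY.search(e["key"]) and img != "outlook.exe":
                findings.append(f"outlook-security-key-write:{img}:{e['key']}")
        elif e["type"] == "network":
            if FILEN_HOST.search(e["dest_host"]) and img in OFFICE_IMAGES | LOLBINS:
                findings.append(f"filen-io-from-{img}:{e['dest_host']}")
        elif e["type"] == "mailrule" and e["action"] == "forward":
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain != ORG_DOMAIN:   # internal forwards are routine; external ones are not
                severity = "high" if domain in CONSUMER_MAIL else "medium"
                findings.append(f"external-forward[{severity}]:{e['mailbox']}->{e['target']}")
    return findings
```

Browser traffic to filen.io and Outlook's own writes to non-Security keys are deliberately left out of the findings so the rules stay usable on real telemetry; tune ORG_DOMAIN and LOLBINS to the environment before deploying.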

For deeper background on Russia's GRU-affiliated hacking operations and their evolution over the past decade, our recommended cybersecurity reading list covers groups like APT28 and Sandworm extensively. For the latest on nation-state cyber threats and APT campaigns, we maintain ongoing coverage.
