APT28 Linked to MSHTML Zero-Day Exploited Before Patch
Security researchers tie Russia's APT28 to CVE-2026-21513 exploitation using malicious LNK files. The MSHTML zero-day was weaponized weeks before Microsoft's February patch.
Russia's APT28—also known as Fancy Bear or Forest Blizzard—exploited the CVE-2026-21513 MSHTML vulnerability as a zero-day before Microsoft patched it in February, according to new research from Akamai. The attribution adds another confirmed zero-day to APT28's arsenal and highlights how quickly state-sponsored actors weaponize flaws in Microsoft's legacy components.
The vulnerability, rated CVSS 8.8, allows attackers to bypass security features and execute code outside the browser sandbox. APT28 delivered the exploit through malicious Windows Shortcut files that embed HTML payloads—a technique that sidesteps most email security controls.
How the Exploit Works
CVE-2026-21513 stems from insufficient URL validation in the logic that handles hyperlink navigation within ieframe.dll. When processing certain URLs, attacker-controlled input reaches code paths that invoke ShellExecuteExW, enabling code execution outside the browser sandbox.
The exploit chain is clever. APT28 used nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing both Mark of the Web (MotW) protections and Internet Explorer Enhanced Security Configuration. These are the safeguards designed to prevent web content from escaping the browser—and APT28 found a way through.
The payload arrives as a specially crafted LNK file that embeds an HTML file directly after the standard shortcut structure. When opened, the LNK initiates communication with attacker infrastructure and triggers the MSHTML vulnerability to execute additional payloads.
Attribution Evidence
Researchers tied the campaign to APT28 through infrastructure analysis. The LNK files communicate with wellnesscaremed[.]com, a domain previously attributed to APT28 operations and used extensively for the campaign's multistage payloads.
The first sample appeared on VirusTotal on January 30, 2026—eleven days before Microsoft released the February patch. This confirms APT28 had working exploits while the vulnerability remained unpatched, giving them a window to operate without defenders having any recourse beyond generic endpoint protection.
APT28's continued focus on MSHTML isn't surprising. The legacy rendering engine persists across Windows systems even though Internet Explorer is officially deprecated. Components like Outlook, Office applications, and various Windows utilities still invoke MSHTML for rendering HTML content. It's deprecated but not dead. The phishing techniques involved also mirror patterns seen in Germany's recent Signal phishing warnings targeting government officials.
Context: APT28's Recent Activity
This isn't APT28's first Microsoft zero-day this year. We covered their exploitation of CVE-2026-21509 in January, another Office vulnerability they weaponized within 72 hours of the OLE bypass being patched. That campaign targeted diplomatic and military organizations in Eastern Europe.
The group has maintained aggressive operational tempo throughout early 2026. Their credential harvesting campaigns targeting the Balkans and Middle East continued parallel to these zero-day operations. APT28 runs multiple concurrent campaigns with distinct objectives—some focused on access, others on intelligence collection.
Microsoft acknowledged CVE-2026-21513 as under active exploitation when they patched it in the February Patch Tuesday update, but attribution wasn't public at the time. That release fixed six actively exploited zero-days, suggesting multiple threat actors were operating against Microsoft products simultaneously.
Defense Recommendations
Organizations should verify the February patches are deployed. If you're still running January-level patches, you remain vulnerable to this exploit chain.
Beyond patching, consider these mitigations:
- Block LNK files at the email gateway: most organizations have no legitimate need to receive shortcut files via email.
- Enable Attack Surface Reduction rules: Microsoft Defender's ASR rules can block Office applications from creating child processes.
- Monitor for MSHTML process spawning: legitimate MSHTML usage rarely needs to execute external processes.
- Review logs for the IOC domain: check for any historical connections to wellnesscaremed[.]com.
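The last recommendation, retroactive log review for the published IOC domain, as an added example that is not part of the article or the Akamai research. It refangs the defanged indicator, matches the domain and its subdomains while rejecting look-alike suffixes, and reports which internal sources contacted it. The log lines and their `key=value` layout are constructed here for the demonstration; adapt the `HOST_FIELD` pattern to your proxy or DNS log format.

```python
"""Retroactive IOC sweep over proxy/DNS-style log lines (added example, constructed data)."""
import re

# Indicator exactly as published in the article, in defanged form.
IOC_DEFANGED = "wellnesscaremed[.]com"

# Extracts the hostname from a constructed "host=" (proxy) or "query=" (DNS) field.
HOST_FIELD = re.compile(r"\b(?:host|query)=(?P<host>[A-Za-z0-9.-]+)")
SRC_FIELD = re.compile(r"\bsrc=(?P<src>[0-9.]+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def hostname_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; false for look-alikes
    such as 'notwellnesscaremed.com', which a naive substring check would hit."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_ioc_hits(lines, indicator: str = IOC_DEFANGED) -> dict:
    """Return the matching log lines and the distinct internal sources involved."""
    domain = refang(indicator)
    hits, sources = [], set()
    for line in lines:
        m = HOST_FIELD.search(line)
        if not m or not hostname_matches(m.group("host"), domain):
            continue
        hits.append(line)
        s = SRC_FIELD.search(line)
        if s:
            sources.add(s.group("src"))
    return {"lines": hits, "sources": sorted(sources)}


# Constructed sample log lines; one benign host, one subdomain hit,
# one exact hit and one look-alike that must not match.
SAMPLE_LOGS = [
    "2026-02-02T10:14:03Z proxy src=10.0.5.17 host=update.microsoft.com status=200",
    "2026-02-02T10:15:41Z dns src=10.0.5.17 query=cdn.wellnesscaremed.com type=A",
    "2026-02-02T10:15:42Z proxy src=10.0.5.17 host=wellnesscaremed.com status=200",
    "2026-02-02T10:16:00Z proxy src=10.0.5.22 host=notwellnesscaremed.com status=200",
]

if __name__ == "__main__":
    result = find_ioc_hits(SAMPLE_LOGS)
    print(f"{len(result['lines'])} hit(s) from sources {result['sources']}")
    for line in result["lines"]:
        print("  ", line)
```

The suffix check in `hostname_matches` is the part worth keeping: a plain `"wellnesscaremed.com" in line` search would also flag the look-alike line and miss nothing, but it would also fire on unrelated domains that merely contain the string.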
The LNK-plus-HTML technique evades many security controls because the malicious HTML isn't a standalone file—it's embedded within the shortcut. Security products that scan for malicious HTML attachments may miss it entirely.
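A structural check for exactly this evasion, as an added example that is not code from the article, Akamai, or Microsoft: it walks the documented Shell Link layout (header, optional ID list and LinkInfo, StringData, ExtraData blocks) to find where the shortcut really ends, then treats any trailing bytes as an overlay and reports whether they look like HTML. The sample shortcuts are constructed in `build_sample_lnk` for the demonstration; `analyze_lnk` and the marker list are this example's own names, not a product API.

```python
"""Flag LNK files carrying an HTML overlay after the shortcut structure (added example)."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK) that change which structures follow the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# Constructed marker list: tags that should never appear after a shortcut's last block.
HTML_MARKERS = re.compile(rb"<\s*(html|script|iframe|body|meta)\b", re.IGNORECASE)


def lnk_structure_end(data: bytes) -> int:
    """Return the offset just past the last documented LNK structure.
    Raises ValueError if the bytes do not start with a valid ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + item IDs
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers the whole block

    # StringData: each present string is CountCharacters (2 bytes) followed by the characters.
    char_width = 2 if flags & IS_UNICODE else 1
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + count * char_width

    # ExtraData: size-prefixed blocks; a BlockSize below 4 is the TerminalBlock.
    while pos + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    return pos


def analyze_lnk(data: bytes) -> dict:
    """Describe the overlay (bytes past the structure) and whether it looks like HTML."""
    end = lnk_structure_end(data)
    overlay = data[end:]
    return {
        "structure_end": end,
        "overlay_bytes": len(overlay),
        "html_overlay": bool(HTML_MARKERS.search(overlay)),
    }


def build_sample_lnk(overlay: bytes = b"") -> bytes:
    """Construct a minimal, harmless LNK (Unicode arguments only) plus an optional overlay."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed
    args = "/c echo hi".encode("utf-16-le")
    string_data = struct.pack("<H", len(args) // 2) + args
    terminal_block = b"\x00\x00\x00\x00"
    return header + string_data + terminal_block + overlay


if __name__ == "__main__":
    print("clean:     ", analyze_lnk(build_sample_lnk()))
    print("suspicious:", analyze_lnk(build_sample_lnk(b"\r\n<html><body>embedded page</body></html>")))
```

A benign shortcut ends at its TerminalBlock, so `overlay_bytes` is zero; anything after it is foreign data, and HTML markers in that region are a strong signal regardless of what the shortcut's own target or arguments say. Scanning the overlay rather than the whole file keeps the check from tripping on legitimate strings elsewhere in the structure.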
Why MSHTML Remains Dangerous
Microsoft can't simply remove MSHTML. Too many Windows components depend on it for HTML rendering, and backwards compatibility requirements mean it will persist for years. Every MSHTML vulnerability is an attack surface that exists on virtually every Windows system.
The broader pattern is troubling. APT28 and other sophisticated actors consistently find new ways to abuse MSHTML, despite Microsoft's ongoing hardening efforts. The February patch tightened hyperlink protocol validation to prevent the specific technique used here—but that's a specific fix for a specific bypass. The underlying attack surface remains.
For defenders, MSHTML vulnerabilities mean treating LNK, URL, and HTML files with extra suspicion. These file types have legitimate uses but also serve as reliable delivery mechanisms for state-sponsored exploits. Organizations with mature security programs should consider blocking or quarantining these file types at the perimeter rather than relying solely on endpoint detection.
Related Articles
- Russia's Fancy Bear Running Low-Cost Credential Theft Across Three Continents (Jan 22, 2026): Recorded Future tracks APT28 harvesting credentials from energy, defense, and government targets in the Balkans, Middle East, and Central Asia using free hosting infrastructure.
- Russia's APT28 Harvests Credentials Across Balkans and Central Asia (Jan 11, 2026): Fancy Bear campaigns from February through September 2025 targeted energy, defense, and policy organizations using fake VPN and email login pages.
- APT28 Targets European Maritime Sector via Office Flaw (Feb 5, 2026): Russia's APT28 exploited CVE-2026-21509 to hit maritime and transport organizations across nine countries, with shipping firms making up 35% of targets.
- APT28 Weaponized Office Zero-Day in Three Days Flat (Feb 5, 2026): Operation Neusploit saw Russia's APT28 exploit CVE-2026-21509 against 60+ Ukrainian targets within 72 hours of Microsoft's disclosure, delivering MiniDoor and BEARDSHELL backdoors.