PROBABLYPWNED
Threat Intelligence · February 5, 2026 · 3 min read

APT28 Weaponized Office Zero-Day in Three Days Flat

Operation Neusploit saw Russia's APT28 exploit CVE-2026-21509 against 60+ Ukrainian targets within 72 hours of Microsoft's disclosure, delivering MiniDoor and BEARDSHELL backdoors.

Alex Kowalski

Russia's APT28 (Fancy Bear) took just 72 hours to turn Microsoft's January 26 disclosure of CVE-2026-21509 into a working attack campaign targeting Eastern European military and government organizations. By January 29, phishing emails carrying weaponized Office documents were hitting inboxes across Ukraine, Slovakia, and Romania.

The campaign, dubbed Operation Neusploit by Zscaler ThreatLabz, showcases how fast state-backed attackers can operationalize public vulnerability disclosures. Three days from patch to exploitation—before many organizations had even started testing the update.

The Attack Chain

APT28's phishing emails used lures themed around weapons smuggling, military training programs, and weather emergency bulletins. The attached RTF documents exploited CVE-2026-21509 immediately on opening, requiring no macros and no user interaction beyond double-clicking the file.

The exploit chain downloaded a Microsoft Shortcut (LNK) file and a DLL loader. From there, the campaign split into multiple delivery paths depending on the target:

Path one deployed MiniDoor, a C++-based DLL focused exclusively on email theft. MiniDoor modified Windows registry settings to weaken Microsoft Outlook's security controls, then quietly harvested messages from Inbox, Junk, and Drafts folders. Stolen emails were exfiltrated to attacker-controlled addresses at outlook.com and proton.me.

Path two used PixyNetLoader, a multi-stage dropper that installed COVENANT Grunt implants—an open-source command-and-control framework. The Grunt beacon contacted filen.io, a legitimate cloud storage service, to retrieve BEARDSHELL, a custom C++ backdoor with full remote access capabilities.

A third variant identified by Trellix researchers used steganography—embedding shellcode inside PNG images—to deliver payloads while evading network inspection tools.

Server-Side Targeting

APT28 didn't spray indiscriminately. The attack infrastructure employed server-side evasion, only delivering payloads to requests originating from targeted geographic regions with specific User-Agent headers. Connections from outside the target zone received benign content. This selective delivery makes it harder for security researchers and automated sandboxes to obtain samples for analysis.

Ukraine's Computer Emergency Response Team (CERT-UA) warned that the campaign targeted more than 60 email addresses belonging to central executive authorities. But the targeting extended well beyond Ukraine. Zscaler and Trellix documented victims across Poland, Slovenia, Turkey, Greece, and the UAE, with particular focus on maritime and transport organizations.

Three Days Is the New Window

The speed of exploitation here is the real story. CVE-2026-21509 carries a CVSS score of 7.8. Microsoft disclosed it on January 26, and CISA added it to the Known Exploited Vulnerabilities catalog the same day with a February 16 deadline for federal agencies. APT28 had it weaponized by January 29.

This timeline means organizations had a three-day window between disclosure and active exploitation—and that's optimistic, since Microsoft's Threat Intelligence Center had already spotted attacks before the public disclosure. For federal agencies with a 21-day remediation window, APT28 had a nearly three-week head start.

The pattern isn't new for this group. APT28 has a history of rapid vulnerability exploitation, and their tooling infrastructure appears designed for fast retooling. The multi-backdoor approach we've tracked in previous campaigns shows a group that plans for detection—if one implant gets burned, alternatives are already deployed.

What Organizations Should Do

  1. Patch CVE-2026-21509 immediately if you haven't already. The update has been available since January 26.
  2. Hunt for IOCs: check for connections to filen.io from Office processes, and review Outlook registry modifications that loosen security settings.
  3. Block the malicious email exfiltration addresses ([email protected], [email protected]) at the mail gateway.
  4. Monitor for RTF attachments with geopolitical themes, especially in organizations with Eastern European operations.
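The two hunting checks in item 2, as an added example that is not from the article or the researchers it cites: a filter that picks out Office processes connecting to filen.io from constructed Sysmon network-connection records, and a check of a constructed Outlook Security registry export for values that suppress the programmatic-access prompt. The Sysmon field names are standard; the Outlook value names and the meaning of value 1 are assumptions to confirm against your own baseline.

```python
import json
import re

# Constructed Sysmon Event ID 3 (network connection) records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID":3,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","DestinationHostname":"app.filen.io","DestinationPort":443}
{"EventID":3,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationHostname":"app.filen.io","DestinationPort":443}
{"EventID":3,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","DestinationHostname":"outlook.office365.com","DestinationPort":443}
{"EventID":3,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","DestinationHostname":"cdn.filen.io","DestinationPort":443}
"""

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Match filen.io itself and any subdomain of it.
SUSPECT_DOMAIN = re.compile(r"(^|\.)filen\.io$", re.IGNORECASE)


def office_connections_to_filen(log_text):
    """Return (process, hostname) pairs where an Office process connected to filen.io."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3:
            continue
        # Basename of the image path, case-folded, so the path prefix does not matter.
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        host = ev.get("DestinationHostname", "")
        if image in OFFICE_PROCESSES and SUSPECT_DOMAIN.search(host):
            hits.append((image, host))
    return hits


# Constructed `reg query` output for the Outlook Security key. Value names and the
# meaning of 1 ("automatically approve programmatic access") are assumptions.
SAMPLE_REG = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security
    ObjectModelGuard    REG_DWORD    0x1
    PromptOOMSend       REG_DWORD    0x0
"""
WEAK_SETTINGS = {"ObjectModelGuard": 1, "PromptOOMSend": 1}


def weakened_outlook_settings(reg_text):
    """Return the Outlook Security values that are set to their prompt-suppressing value."""
    weak = {}
    for m in re.finditer(r"^\s+(\w+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_text, re.MULTILINE):
        name, value = m.group(1), int(m.group(2), 16)
        if WEAK_SETTINGS.get(name) == value:
            weak[name] = value
    return weak
```

Feed real Sysmon exports and `reg query` output to the two functions; any hit from either is a lead for the filen.io or Outlook tampering behaviour described above, not proof of compromise on its own.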

For deeper background on Russian state cyber operations and their evolution, our recommended cybersecurity reading includes extensive coverage of GRU-affiliated groups like APT28 and Sandworm.
