CVE-2026-21509 Microsoft Office Vulnerability

The Russia-linked state-sponsored threat actor APT28, also tracked as UAC-0001, has been attributed to a fresh wave of cyberattacks leveraging a newly disclosed Microsoft Office vulnerability. The activity is tracked under the campaign name Operation Neusploit and marks one of the earliest instances of in-the-wild exploitation following public disclosure.

Security researchers observed the group weaponizing the flaw on January 29, 2026, just three days after Microsoft revealed the vulnerability, targeting users across Ukraine, Slovakia, and Romania.

CVE-2026-21509: A Security Feature Bypass with Real-World Impact

The exploited vulnerability, CVE-2026-21509, carries a CVSS score of 7.8 and affects Microsoft Office. Classified as a security feature bypass, the flaw allows attackers to deliver a specially crafted Office document that can be triggered without proper authorization, opening the door to arbitrary code execution as part of a broader attack chain.

Region-Specific Social Engineering and Evasion Tactics

The campaign relied heavily on tailored social engineering. Lure documents were crafted in English as well as Romanian, Slovak, and Ukrainian to increase credibility among local targets. Delivery infrastructure was configured with server-side evasion measures, ensuring that malicious DLL payloads were served only when requests originated from intended geographic regions and included the expected User-Agent HTTP headers.

Dual Dropper Strategy via Malicious RTF Files

At the core of the operation is the use of malicious RTF documents to exploit CVE-2026-21509 and deploy one of two droppers, each supporting a different operational objective. One dropper delivers an email theft capability, while the other initiates a more complex, multi-stage intrusion culminating in the deployment of a full-featured command-and-control implant.

MiniDoor: Targeted Outlook Email Theft

The first dropper installs MiniDoor, a C++-based DLL designed to harvest email data from Microsoft Outlook folders, including Inbox, Junk, and Drafts. The stolen messages are exfiltrated to two hard-coded attacker-controlled email accounts: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me.

MiniDoor is assessed to be a lightweight derivative of NotDoor (also known as GONEPOSTAL), a tool previously documented in September 2025.

PixyNetLoader and the Covenant Implant Chain

The second dropper, known as PixyNetLoader, facilitates a significantly more advanced attack sequence. It extracts embedded components and establishes persistence through COM object hijacking. Among the extracted files are a shellcode loader named EhStoreShell.dll and a PNG image labeled SplashScreen.png.

The loader's role is to extract shellcode hidden within the image using steganography and execute it. This malicious logic activates only when the host environment is not identified as an analysis sandbox and when the DLL is launched by explorer.exe, otherwise remaining dormant to avoid detection.

The decoded shellcode ultimately loads an embedded .NET assembly: a Grunt implant associated with the open-source COVENANT command-and-control framework. APT28's prior use of Covenant Grunt was previously documented in September 2025 during Operation Phantom Net Voxel.

Tactical Continuity with Operation Phantom Net Voxel

While Operation Neusploit replaces the earlier campaign's VBA macro execution method with a DLL-based approach, the underlying techniques remain largely consistent. These include:

  • COM hijacking for execution and persistence
  • DLL proxying mechanisms
  • XOR-based string obfuscation
  • Steganographic embedding of shellcode loaders and Covenant Grunt payloads within PNG images

This continuity highlights APT28's preference for evolving proven tradecraft rather than adopting entirely new tooling.
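Both PixyNetLoader's persistence step and the technique list above rest on COM object hijacking: a per-user CLSID registration under HKCU\Software\Classes is consulted before the machine-wide one in HKLM, so a DLL dropped in a user-writable directory gets loaded in place of the legitimate COM server. A practical hunt is to export the user's CLSID hive and flag every per-user InprocServer32 entry, rating those that point into user-writable paths higher. The script below is an added example written for this page, not tooling from the campaign or from any referenced vendor; it parses regedit's `.reg` export format (REG_SZ and REG_EXPAND_SZ default values, including regedit's wrapped hex lines) and triages the result. The registry export it processes is constructed inline; the CLSIDs in it are placeholders and the user-writable path list is an assumption a deployment would tune.

```python
"""Triage a regedit .reg export for per-user COM server registrations (COM hijacking)."""
import re

# Only per-user CLSID registrations that carry an InprocServer32 subkey are of interest.
HKCU_INPROC = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)
# Path fragments marking directories an unprivileged user can normally write to (assumed list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def _join_continuations(text):
    """regedit wraps long hex values across lines ending in a backslash; rejoin them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(value):
    """Turn the right-hand side of a .reg assignment into a Python string."""
    if value.startswith('"') and value.endswith('"'):
        # REG_SZ: regedit escapes backslashes and double quotes.
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.startswith("hex(2):"):
        # REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string.
        raw = bytes(int(b, 16) for b in value[len("hex(2):"):].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return value  # other value types are left as written


def parse_reg_export(text):
    """Return (clsid, server_path) for each HKCU CLSID InprocServer32 default value."""
    entries, clsid = [], None
    for line in _join_continuations(text):
        if line.startswith("["):
            m = HKCU_INPROC.match(line)
            clsid = m.group(1) if m else None  # keys outside our pattern are skipped
        elif clsid and line.startswith("@="):
            entries.append((clsid, _decode_value(line[2:])))
            clsid = None
    return entries


def assess(entries):
    """Rate each per-user COM server; any HKCU InprocServer32 merits review, user-writable paths more so."""
    findings = []
    for clsid, path in entries:
        low = path.lower()
        reasons = ["per-user CLSID registration (HKCU is consulted before HKLM when a CLSID is resolved)"]
        severity = "medium"
        if any(tok in low for tok in USER_WRITABLE):
            reasons.append("server DLL lives in a user-writable directory")
            severity = "high"
        if not low.endswith(".dll"):
            reasons.append("server path does not end in .dll")
        findings.append({"clsid": clsid, "path": path, "severity": severity, "reasons": reasons})
    return findings


def triage(text):
    return assess(parse_reg_export(text))


# Constructed regedit export for demonstration (not from the campaign); CLSIDs are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\EhStoreShell.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32]
@=hex(2):43,00,3a,00,5c,00,56,00,65,00,6e,00,64,00,6f,00,72,00,5c,00,\
  70,00,6c,00,75,00,67,00,69,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REG_EXPORT):
        print(f["severity"].upper(), f["clsid"], f["path"], "; ".join(f["reasons"]), sep="  ")
```

Against a real host, feed `triage()` the text of `reg export HKCU\Software\Classes\CLSID out.reg` (regedit writes UTF-16 with a BOM, so open the file with `encoding="utf-16"`). The HKLM entry in the sample is deliberately ignored: the signal is the per-user key shadowing it, and a second line of defence is comparing each flagged DLL's path and signature against the machine-wide server it displaces.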

CERT-UA Warning Confirms Broader Targeting

The campaign coincided with an advisory from the Computer Emergency Response Team of Ukraine (CERT-UA), which warned of APT28 exploiting CVE-2026-21509 via Microsoft Word documents. The activity targeted more than 60 email addresses linked to central executive authorities in Ukraine. Metadata analysis showed that at least one lure document was created on January 27, 2026, further underscoring the rapid operationalization of the vulnerability.

WebDAV-Based Delivery and Final Payload Execution

Analysis revealed that opening the malicious document in Microsoft Office triggers a WebDAV connection to an external resource. This interaction downloads a file with a shortcut-style name containing embedded program code, which then retrieves and executes an additional payload.

This process ultimately mirrors the PixyNetLoader infection chain, leading to the deployment of the COVENANT framework's Grunt implant and granting attackers persistent remote access to the compromised system.
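The initial WebDAV connection described above is the earliest network event in this chain, and on Windows it is made by the WebClient service on behalf of Office rather than by the Office process itself, so a rule that watches only the Office binary's network activity can miss it. Web-proxy logs are a better vantage point: WebDAV methods such as PROPFIND, or the `Microsoft-WebDAV-MiniRedir` User-Agent the WebClient service sends, aimed at a host outside the organisation are rare in normal traffic. The detector below is an added example for this page, not code from the campaign analysis or from CERT-UA; the log format it parses (tab-separated timestamp, source IP, method, URL, status, User-Agent) and the internal domain list are assumptions, and the log lines and hostnames are constructed.

```python
"""Flag outbound WebDAV activity to external hosts in web-proxy logs."""
import ipaddress
from urllib.parse import urlsplit

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}
# User-Agent prefix sent by the Windows WebClient service (the WebDAV mini-redirector).
WEBCLIENT_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"
# Assumed internal namespace; a real deployment would load this from inventory.
INTERNAL_DOMAINS = ("corp.example",)


def is_internal(host):
    """Private or loopback IPs and the organisation's own domains do not count as external."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback
    except ValueError:
        return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def parse_line(line):
    """Constructed tab-separated format: ts, src_ip, method, url, status, user_agent."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None  # malformed lines are skipped rather than crashing the run
    ts, src, method, url, status, ua = parts
    return {"ts": ts, "src": src, "method": method.upper(), "url": url, "status": status, "ua": ua}


def classify(rec):
    """Return a finding when the request looks like WebDAV to a host outside the organisation."""
    host = (urlsplit(rec["url"]).hostname or "").lower()
    reasons = []
    if rec["method"] in WEBDAV_METHODS:
        reasons.append(f"WebDAV method {rec['method']}")
    if rec["ua"].startswith(WEBCLIENT_UA_PREFIX):
        reasons.append("Windows WebClient (MiniRedir) user agent")
    if not reasons or is_internal(host):
        return None
    return {"ts": rec["ts"], "src": rec["src"], "host": host, "url": rec["url"], "reasons": reasons}


def detect(lines):
    """Run every parsable log line through classify() and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample log lines (not from the campaign); hosts and addresses are placeholders.
SAMPLE_LOG = [
    "2026-01-29T09:00:01Z\t10.1.2.3\tPROPFIND\thttps://files.corp.example/dav/reports/\t207\tMicrosoft-WebDAV-MiniRedir/10.0.19045",
    "2026-01-29T09:00:05Z\t10.1.2.3\tGET\thttps://www.example.org/\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2026-01-29T09:01:10Z\t10.1.2.7\tOPTIONS\thttp://webdav-lure.example.net/\t200\tMicrosoft-WebDAV-MiniRedir/10.0.19045",
    "2026-01-29T09:01:11Z\t10.1.2.7\tPROPFIND\thttp://webdav-lure.example.net/share/\t207\tMicrosoft-WebDAV-MiniRedir/10.0.19045",
    "malformed line",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "->", hit["host"], "|", "; ".join(hit["reasons"]))
```

The internal SharePoint-style PROPFIND is deliberately left alone: WebDAV to the organisation's own file services is normal, and the value of the rule comes from the external-destination condition. Where the proxy does not log User-Agent, the method-based reason still fires on PROPFIND; the OPTIONS probe that precedes it is caught only through the WebClient User-Agent, which is why both signals are kept.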