Suspected Russian phishing via Signal targeted German officials, exploiting trust to access accounts and sensitive political communications.
A new wave of cyber operations targeting European political leadership is once again highlighting how modern espionage increasingly relies on deception rather than technical exploits. Recent investigations by German authorities point to a large-scale phishing campaign conducted via the Signal messaging platform, with strong suspicions of Russian involvement.
According to multiple reports [1, 2, 3], the campaign targeted high-profile individuals, including German politicians, ministers, military personnel, diplomats, and journalists. German prosecutors have launched an investigation into what they believe may be a coordinated espionage effort, with early evidence suggesting a state-sponsored actor.
The attack did not rely on malware or vulnerabilities in Signal itself. Instead, it exploited human trust—arguably the weakest link in cybersecurity. Victims were approached through messages impersonating official Signal support or trusted contacts, prompting them to share authentication codes, scan malicious QR codes, or click on crafted links. Once compromised, attackers gained access to private chats, contact lists, and potentially sensitive political discussions.
One of the most notable targets was Julia Klöckner, whose account was reportedly compromised through a phishing attempt embedded in what appeared to be a legitimate group chat linked to her political party. The operation also attempted to target German Chancellor Friedrich Merz, although no compromise was confirmed in that case.
Authorities estimate that hundreds of accounts may have been affected. While Berlin has not formally attributed the campaign, intelligence sources increasingly point toward Russian involvement, consistent with a broader pattern of cyber activities aimed at European democracies.
“The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said.
“Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved.” reads the report published by the Associated Press.
“The German government has still not officially attributed the attacks to Russia.”
This incident is not isolated. Over the past decade, Western intelligence agencies have repeatedly linked Russian state-backed groups to cyber espionage and influence operations targeting political institutions. These activities are part of a broader strategy often described as “hybrid warfare,” where cyber operations, disinformation, and psychological tactics are combined to achieve geopolitical objectives without direct military confrontation.
Security experts stress that what makes this campaign particularly concerning is its simplicity and effectiveness. Instead of exploiting software flaws, attackers leveraged legitimate platform features and social engineering techniques. This approach allows them to bypass many traditional security controls and remain largely undetected.
“We are witnessing a new phase of hybrid warfare, where attackers don’t need to break encryption—they just trick the user. The human factor has become the primary attack surface.”
“Targeting secure messaging platforms like Signal demonstrates how threat actors adapt quickly to changing communication habits. When politicians and officials move to more secure platforms, adversaries follow them. The battlefield is no longer the infrastructure, but the user.”
Another critical aspect is the potential impact. Access to private conversations between political leaders, policymakers, and diplomats can provide strategic intelligence, enable blackmail, or support disinformation campaigns. Even limited breaches can undermine trust in secure communication tools and institutions.
German authorities, including the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI), have already issued warnings about similar tactics earlier this year. They highlighted that such campaigns are likely ongoing and could expand to other platforms like WhatsApp or Telegram.
The broader implication is clear: cybersecurity is no longer just a technical issue but a geopolitical one. As digital communication becomes central to governance, diplomacy, and decision-making, it also becomes a primary target for intelligence operations.
This campaign serves as a reminder that even the most secure technologies cannot protect against deception if users are not adequately trained and aware. In today’s threat landscape, resilience depends not only on encryption and infrastructure but also on human vigilance.
APT28 targets Ukraine and allies with PRISMEX malware, using stealthy techniques for espionage and command-and-control.
Russia-linked group APT28 (aka UAC-0001, aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) is running a spear-phishing campaign against Ukraine and its allies, deploying a new malware suite called PRISMEX. Active since September 2025, the campaign uses advanced stealth techniques like steganography and COM hijacking, and targets defense systems and aid infrastructure to support long-running espionage operations.
The Russian cyber espionage group remains highly aggressive, quickly weaponizing newly disclosed flaws like CVE-2026-21509 to target government, military, and critical infrastructure in Central and Eastern Europe. Its latest campaign uses the PRISMEX malware suite, combining a dropper, loader, and implant based on the Covenant framework to enable stealthy, fileless attacks and encrypted command-and-control.
The operation shows advanced preparation and links to past activity, focusing on Ukraine’s defense supply chain, including allies, transport, and aid networks. Researchers believe this marks an evolution of the NotDoor ecosystem, expanding capabilities for rapid exploitation and long-term espionage.
The attack chain starts with spear-phishing emails themed around military training, weather alerts, or weapon smuggling. Victims who open the attached RTF file trigger exploitation of CVE-2026-21509, which bypasses security controls and forces the system to connect to an attacker-controlled WebDAV server. This automatically retrieves and executes a malicious LNK file without further user interaction.
The LNK file may then exploit CVE-2026-21513 to bypass browser protections and execute code silently, downloading additional payloads. This suggests a possible two-stage attack chain designed for stealth and reliability.
“TrendAI Research has tracked Pawn Storm’s activities across three distinct but interconnected campaigns, each building upon its previous infrastructure and tooling.” reads the report published by Trend Micro. “The timeline of this campaign indicates advanced knowledge of multiple vulnerabilities:
CVE-2026-21509: Domain registration for WebDAV servers began on January 12, 2026, exactly two weeks prior to the public disclosure on January 26.
CVE-2026-21513: The LNK exploit sample appeared on VirusTotal on January 30, 2026, while Microsoft’s patch was not released until February 10, 2026. This 11-day gap confirms zero-day exploitation in the wild.
This pattern suggests Pawn Storm had access to vulnerability details ahead of public disclosure.”
From there, the infection can follow different paths, including deployment of the PRISMEX malware suite. PRISMEX components, such as PrismexSheet, PrismexDrop, PrismexLoader, and PrismexStager, use techniques like steganography, COM hijacking, and abuse of cloud services for command-and-control. These methods enable fileless execution, persistence, and evasion of modern security tools, allowing attackers to maintain long-term access and conduct espionage operations.
The researchers detailed the decoy documents and targeting: malicious Excel files show realistic decoy content once macros are enabled, including Ukrainian drone inventories, supplier price lists, and military logistics forms.
These themes clearly target Ukrainian drone units and logistics staff. The upload data suggests victims across key regions like Kyiv and Kharkiv, indicating a focus on both frontline and command structures.
PrismexDrop is a native dropper that prepares the system by decrypting payloads, dropping files, and ensuring persistence via COM hijacking and a scheduled task that restarts explorer.exe. This allows the malware to run within a trusted process, improving stealth and reliability.
PrismexLoader is a loader that acts as a proxy DLL, executing malicious code while mimicking legitimate system behavior. It uses a custom “Bit Plane Round Robin” steganography method to extract hidden payloads from images, spreading data across the file to evade detection. The payload is then executed entirely in memory using .NET runtime loading, leaving minimal traces on disk.
The final component, PrismexStager, connects to command-and-control servers via Filen.io cloud services. This helps attackers blend malicious traffic with normal encrypted communications, making detection harder while enabling data exfiltration and remote control.
“The payload extracted from the image is the Covenant Grunt Stager, which we have internally tracked as PrismexStager. This is a .NET assembly responsible for C&C and executing further tasks from the Covenant framework. It is heavily obfuscated with randomized function names to hinder static analysis.” states the report. “The malware abuses the legitimate end-to-end encrypted cloud storage service Filen.io for C&C communications. By leveraging this trusted service, the malicious traffic blends in with normal encrypted web traffic, effectively bypassing reputation-based filtering and firewall rules.”
The campaign shows a clear strategy: disrupt Ukraine’s supply chain and operational planning, while extending access to NATO-linked logistics. Targets include the Ukrainian government, defense, emergency services, and hydrometeorology, critical for drone and artillery operations, as well as hubs in Poland, Romania, Slovakia, and others supporting military aid flows.
TrendAI attributes the activity to the APT28 group with high confidence, based on consistent tools, infrastructure, and behavior. Unique elements like the custom steganography method, MiniDoor/NotDoor malware lineage, use of Covenant, and COM hijacking reinforce this link, along with reused infrastructure and rapid exploitation of vulnerabilities.
The operation reflects a shift toward tactical disruption rather than pure espionage. By targeting weather data, transport networks, and aid organizations, attackers aim to map and potentially sabotage support to Ukraine. The presence of destructive capabilities alongside espionage tools highlights the dual-use nature of the campaign, enabling both intelligence gathering and potential disruptive attacks aligned with military objectives.
“The technical links between the PRISMEX components and previous campaigns demonstrate the threat actor’s continuous development cycle and modular approach to capability building. Organizations in the targeted geographic and industry sectors should consider themselves at elevated risk and implement the countermeasures detailed above immediately.” concludes the report. “The use of newly disclosed vulnerabilities and legitimate cloud services makes detection challenging. Defenders must adopt an “assume breach” mentality and focus on behavioral anomalies rather than just static indicators.”
British security officials found that a group linked to the Russian military is spying on users of compromised Small Office/Home Office (SOHO) routers in a broad cyber espionage campaign. A Microsoft blog goes into the technical details of these attacks.
The group, which we’ll refer to as APT28 but which is also known by names like Fancy Bear, BlueDelta, and Forest Blizzard, changes the DNS settings of compromised routers so that their traffic is sent through servers under its control, which enables APT28 to spy on users.
The domain name system (DNS) is the way that internet domain names are located and translated into Internet Protocol (IP) addresses. Devices usually get network settings from routers using Dynamic Host Configuration Protocol (DHCP).
If an attacker can tamper with the router’s DNS settings, they can silently steer traffic through infrastructure they control, harvest login details, and in some cases position themselves between the user and the real service. This is why the campaign can support credential theft and even targeted interception of Microsoft 365 and other cloud traffic.
An FBI public service announcement says that APT28:
“…has harvested passwords, authentication tokens, and sensitive information including emails and web browsing information normally protected by secure socket layer (SSL) and transport layer security (TLS) encryption.”
The FBI says the group cast a wide net over the US and globally, before narrowing down its victims to those with access to information related to military, government, and critical infrastructure.
The NCSC advisory singles out a single TP-Link model (WR841N) with a known vulnerability that enables an unauthenticated attacker to obtain information such as usernames and passwords via specially crafted HTTP GET requests. This router model is widely sold to consumers and small businesses and is not typically used as standard equipment by major internet service providers. The advisory also includes a long but not exhaustive list of other TP-Link router models targeted by APT28.
Microsoft Threat Intelligence says it has identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure.
The router ban debate
A few weeks ago, we commented on the FCC’s decision to effectively stop foreign-made routers from being imported unless their manufacturers obtain an exemption, due to what the FCC called an “unacceptable risk to the national security of the United States or the safety and security of United States persons.”
APT28’s actions show the kind of risk the FCC is trying to stop, but they also reinforce our point: while the debate over router bans and supply-chain restrictions often focuses on national origin, the bigger issue is whether the devices are secure in practice. If a router ships with weak defaults, poor update support, or a confusing setup process, it becomes a target regardless of where it was made. Attackers do not need perfection. They only need enough exposed devices to build a large, quiet infrastructure for spying and redirection.
What you can do
We can only give general directions for checking whether your settings are OK, since the exact steps are often very device-specific, but the following method usually works:
How to check that your router’s DHCP settings match what your ISP intends:
Check your current DHCP information on a device. On a PC or phone connected to your home network, open the network details and note the IP address, subnet mask, default gateway, and DNS servers your device is using.
Log in to your router and find its WAN/Internet settings. In the router’s web interface, look at the “Status” or “Internet” page to see what address it has received from the ISP, and which DNS servers it is configured to use.
Compare against what your ISP documents or tells you. Check your ISP’s support pages or contact support to confirm what they expect: whether your connection should use DHCP or PPPoE, what range your public IP should come from, and which DNS servers they normally provide. Large mismatches (for example, DNS servers in a different country or from an unknown organization) are a reason to investigate further.
If you use custom DNS, document it. If you deliberately use alternative DNS (for example, a privacy or security resolver), write that down and periodically re‑check that your router and clients are still using the addresses you chose.
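As an added example (not part of the original article), the following Python script automates the first and third steps of the check above: it pulls the DNS servers out of the output of `ipconfig /all` or `/etc/resolv.conf` and compares them with the resolvers your ISP documents (or the custom resolver you deliberately chose). The two sample outputs and the EXPECTED_RESOLVERS allowlist are constructed; replace the allowlist with your ISP's addresses.

```python
"""Compare the DNS servers a client actually uses with the resolvers you expect.

Added example, not code from the original article. It parses the DNS lines
of 'ipconfig /all' (Windows) or /etc/resolv.conf (Linux/macOS) and flags any
resolver that is neither on your allowlist (the addresses your ISP documents,
or the custom resolver you deliberately chose) nor an address on your own LAN.
The allowlist and both sample outputs below are constructed.
"""
import ipaddress
import re

# Constructed allowlist: the router (DHCP usually hands out the gateway as the
# resolver) plus the two resolvers the ISP documents. Replace with yours.
EXPECTED_RESOLVERS = {"192.168.0.1", "203.0.113.53", "203.0.113.54"}

# Address ranges that can only be devices on the local network (RFC 1918,
# link-local, unique-local IPv6); used to separate "LAN" from "public".
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

# Constructed excerpt of 'ipconfig /all': a second, public resolver has been
# pushed to the client alongside the router's own address.
IPCONFIG_SAMPLE = """
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed /etc/resolv.conf as a DHCP client would write it: nothing odd.
RESOLV_CONF_SAMPLE = """
# Generated by NetworkManager
search lan
nameserver 192.168.0.1
nameserver 203.0.113.53
"""

_ADDRESS = re.compile(r"[0-9A-Fa-f:.]+(%\d+)?")   # v4 or v6, optional zone id


def dns_servers_from_ipconfig(text):
    """Return the DNS servers listed by 'ipconfig /all', in order."""
    servers, collecting = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            collecting = True           # first address sits on the label line
            servers.append(stripped.split(":", 1)[1].strip())
        elif collecting and _ADDRESS.fullmatch(stripped):
            servers.append(stripped)    # continuation line holds only an address
        else:
            collecting = False
    return servers


def dns_servers_from_resolv_conf(text):
    """Return the 'nameserver' entries of a resolv.conf, in order."""
    return [parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def assess_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return (server, verdict) pairs: 'expected', 'lan', 'unexpected' or 'invalid'."""
    findings = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server.split("%")[0])
        except ValueError:
            findings.append((server, "invalid"))
            continue
        if str(addr) in expected:
            findings.append((server, "expected"))
        elif any(addr in net for net in LAN_NETWORKS):
            findings.append((server, "lan"))         # another LAN host; identify it
        else:
            findings.append((server, "unexpected"))  # public resolver you did not choose
    return findings


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """The resolvers the article calls a reason to investigate further."""
    return [s for s, verdict in assess_resolvers(servers, expected)
            if verdict == "unexpected"]


if __name__ == "__main__":
    for label, servers in (("ipconfig", dns_servers_from_ipconfig(IPCONFIG_SAMPLE)),
                           ("resolv.conf", dns_servers_from_resolv_conf(RESOLV_CONF_SAMPLE))):
        print(label, assess_resolvers(servers))
```

Run it against the real output of `ipconfig /all` or your own `/etc/resolv.conf` to check the client side; the router's WAN/Internet page (second step) still has to be read by hand.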
Other measures
If you can afford it and haven’t already, upgrade to Wi-Fi 7 to help future-proof your setup while current models are still in stores.
You should at least:
Change your router’s default usernames and passwords to something harder to guess.
Check the vendor’s website for updates, confirm the end-of-life (EOL) date, and update to the latest firmware version.
Disable remote management interfaces from the Internet where possible.
All users should carefully consider certificate warnings in web browsers and email clients because they indicate something is wrong with the secure connection and could mean you are not talking to the genuine site.
For technically confident users, replacing vendor firmware with open-source alternatives like OpenWrt or DD-WRT can extend a router’s secure lifespan. But this comes with risks, including voiding warranties or potentially bricking your device. You should only do this, or have it done, if you’re comfortable troubleshooting.
If a US citizen suspects they have been targeted or compromised by a Russian cyberintrusion, they are asked to report the activity to their local FBI field office or file a complaint with the IC3. Be sure to provide details about the affected router, including device type and DHCP configurations.
The Russian-linked threat group APT28 has continued to leverage vulnerable network devices to carry out large-scale DNS hijacking campaigns, enabling adversary-in-the-middle attacks. Recent developments show that these operations have drawn direct intervention from U.S. authorities.

The U.S. Department of Justice and the FBI announced a court-authorized operation to disrupt a network of compromised routers controlled by Russia’s military intelligence unit, widely known as APT28. According to findings aligned with prior reporting from the NCSC, the group has been exploiting routers to intercept communications, harvest credentials, and target individuals and organizations of intelligence interest.
DNS Hijacking and Adversary-in-the-Middle Tactics
APT28’s operations include DNS hijacking, a technique that manipulates how domain names are resolved into IP addresses. By altering DNS settings, often at the router level, attackers redirect legitimate traffic through malicious infrastructure.

This enables adversary-in-the-middle (AitM) attacks, where victims unknowingly connect to spoofed services. These malicious endpoints are designed to imitate legitimate platforms, allowing attackers to intercept login sessions and extract sensitive data, including passwords, OAuth tokens, and emails.

Both the FBI and the NCSC have noted that these attacks can impact browser sessions and desktop applications alike, increasing the scale and effectiveness of credential harvesting.
U.S. Operation Targets APT28 Infrastructure
The disruption effort, publicly disclosed by the Department of Justice, targeted a network of small office/home office (SOHO) routers compromised by APT28, also known as Fancy Bear, Sofacy, Sednit, STRONTIUM, Forest Blizzard, and Pawn Storm. The group is widely attributed to Russia’s GRU Unit 26165.

Since at least 2024, APT28 actors have exploited known vulnerabilities to gain access to thousands of TP-Link routers globally. After stealing credentials, they modified router configurations to redirect DNS traffic to malicious servers under their control.

These operations were initially indiscriminate. However, the attackers implemented automated filtering mechanisms to identify DNS queries of intelligence value. For selected targets, the malicious DNS resolvers returned fraudulent records for domains, particularly those mimicking Microsoft Outlook services, to facilitate adversary-in-the-middle attacks against encrypted traffic.

Through this approach, APT28 was able to harvest unencrypted passwords, authentication tokens, emails, and other sensitive data from devices connected to compromised routers.
Official Statements on the Threat
U.S. officials described the campaign as both persistent and dangerous. Assistant Attorney General John A. Eisenberg stated, “The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.”

U.S. Attorney David Metcalf added, “Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” emphasizing that the government would continue to respond aggressively to nation-state cyber threats.

FBI officials also stressed the scale of the campaign. Assistant Director Brett Leatherman noted that compromised routers were used globally for espionage, while Special Agent Ted E. Docks highlighted that devices across more than 23 U.S. states had been weaponized.
How the FBI Disrupted the DNS Hijacking Network
As part of the court-authorized operation, referred to as Operation Masquerade, the FBI deployed technical measures to neutralize the U.S. portion of APT28’s infrastructure.

According to court documents, the FBI:
Sent commands to compromised routers to collect evidence of APT28 activity.
Reset DNS settings, removing malicious resolvers and restoring legitimate ISP configurations.
The operation was carefully tested on affected TP-Link devices to ensure that it did not disrupt normal functionality or collect user content. Importantly, the remediation steps can be reversed by users through factory resets or manual configuration changes.
Continued Router Exploitation and Infrastructure Tactics
Cluster One: Focused on modifying DHCP DNS settings in SOHO routers, enabling selective DNS hijacking and adversary-in-the-middle attacks.
Cluster Two: Involved forwarding DNS traffic through a layered infrastructure, with some operations targeting high-value devices, including those in Ukraine.
APT28’s activity has also included exploitation of vulnerabilities such as CVE-2023-50224 in TP-Link routers, allowing attackers to extract credentials and reconfigure DNS settings via crafted HTTP requests.
Targeted Services and Indicators
APT28’s DNS hijacking campaigns have frequently targeted Microsoft Outlook-related domains, including:
autodiscover-s.outlook[.]com
imap-mail.outlook[.]com
outlook.live[.]com
outlook.office[.]com
outlook.office365[.]com
These targets reflect a clear focus on email-based intelligence gathering. Supporting infrastructure includes numerous malicious IP ranges and identifiable server configurations, such as unusual SSH ports and “dnsmasq-2.85” DNS services.
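Added example, not code from the FBI, the NCSC or the article: a minimal Python checker that asks the router's DHCP-advertised resolver and a resolver you trust for the A records of the watched Outlook names listed above and reports two things, answers the trusted resolver never returned, and a single address handed out for several different names, which is the shape of the selective hijack described. The domain list is the article's with the defanging removed; resolver addresses are passed on the command line, and SAMPLE_RESPONSE is a constructed packet so the parser can be exercised offline.

```python
"""Diff the LAN resolver's answers against a trusted resolver for watched names.

Added example; not code from the FBI, the NCSC or the article. A router whose
DHCP-advertised DNS has been hijacked hands out attacker-chosen addresses for
selected names, so querying the router's resolver and a resolver you trust for
the same A records and diffing them surfaces the redirection. SAMPLE_RESPONSE
is a constructed packet used only to exercise the parser offline.
"""
import random
import socket
import struct
import sys

# The Outlook-related names the article lists, defanging removed.
WATCHED_DOMAINS = [
    "autodiscover-s.outlook.com",
    "imap-mail.outlook.com",
    "outlook.live.com",
    "outlook.office.com",
    "outlook.office365.com",
]


def build_a_query(name, txid):
    """Encode a standard recursive DNS query (QTYPE A, QCLASS IN) for 'name'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, offset):
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4          # skip QTYPE and QCLASS
    addresses = set()
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.add(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength                             # CNAME and others are skipped
    return addresses


# Constructed response: txid 0x1234, flags 0x8180, one question, two A answers
# for outlook.live.com (192.0.2.10, 192.0.2.11) using a name pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
    + b"\x07outlook\x04live\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0b"
)


def resolve_a(name, resolver, timeout=3.0):
    """Send one UDP query to 'resolver' on port 53 and return its A records."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_answers(lan_answers, trusted_answers):
    """Map name -> sorted addresses the LAN resolver returned but the trusted one never did."""
    suspicious = {}
    for name, lan_ips in lan_answers.items():
        extra = lan_ips - trusted_answers.get(name, set())
        if extra:
            suspicious[name] = sorted(extra)
    return suspicious


def shared_across_names(answers, min_names=3):
    """Addresses handed out for several distinct watched names (a catch-all AitM host)."""
    seen = {}
    for name, ips in answers.items():
        for ip in ips:
            seen.setdefault(ip, []).append(name)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= min_names}


def check_resolvers(lan_resolver, trusted_resolver, names=WATCHED_DOMAINS):
    lan = {n: resolve_a(n, lan_resolver) for n in names}
    trusted = {n: resolve_a(n, trusted_resolver) for n in names}
    return compare_answers(lan, trusted), shared_across_names(lan)


if __name__ == "__main__":
    # Usage: python dnscheck.py <DHCP-advertised resolver> <resolver you trust>
    divergent, shared = check_resolvers(sys.argv[1], sys.argv[2])
    print("not seen from trusted resolver:", divergent, "| shared address:", shared)
```

CDN-backed names legitimately resolve differently by region, so a hit is a prompt to inspect the router's DNS configuration, not proof of compromise on its own.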
Mitigation and Security Recommendations
Both the FBI and the NCSC recommend immediate steps to mitigate risks associated with DNS hijacking and adversary-in-the-middle attacks:
Replace end-of-life or unsupported routers
Update firmware to the latest available versions
Verify DNS settings to ensure they point to legitimate resolvers
Purpose and Scope. This report summarizes major APT group activity in February 2026. The analysis covers supply chain compromises, zero-day exploits, network segregation bypass, and backup and network infrastructure compromises. The major groups included in the report are APT28, Lotus Blossom, TA-RedAnt (APT37), UAT-8616, UNC3886, and UNC6201. Major APT groups by region. Lotus Blossom exploited […]
APT28 used BEARDSHELL and COVENANT malware to spy on Ukrainian military personnel, enabling long-term surveillance since April 2024.
The Russia-linked group APT28 (aka UAC-0001, aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has used BEARDSHELL and COVENANT malware to conduct long-term surveillance of Ukrainian military personnel. According to ESET, the campaign began in April 2024 and relies on custom implants designed to maintain persistent access and collect sensitive information from targeted systems.
“Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience.” reads the report published by ESET. “This dual‑implant approach enabled long‑term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group’s 2010‑era implants.”
The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US presidential election.
The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
BEARDSHELL and SLIMAGENT are two advanced malware tools written in C++. BEARDSHELL downloads, decrypts (using ChaCha20-Poly1305), and runs PowerShell scripts, sending results via the Icedrive API. It creates a unique folder on each infected machine based on system identifiers. SLIMAGENT captures screenshots using Windows APIs, encrypts them with AES and RSA, and stores them locally with timestamped filenames. Both tools are stealthy, use strong encryption, and exploit legitimate cloud services to avoid detection, highlighting modern APT tactics.
“SlimAgent includes several features that were absent from the 2018 samples, such as encryption of the collected logs. Nevertheless, it is remarkable that samples deployed six years apart exhibit such strong code similarities.” continues the report. “We therefore assess with high confidence that both the 2018 samples and the 2024 SlimAgent sample were built from the same codebase.”
Code comparison between SlimAgent (left) and Xagent (right)
In May 2025, ESET researchers reported unauthorized access to an email account in the Ukrainian government’s gov.ua domain. CERT-UA, in collaboration with the Cybersecurity Center of Military Unit A0334, responded to the incident.
Analysis shows that SLIMAGENT likely evolved from the XAgent keylogger long used by APT28. Researchers found strong code similarities, including identical keylogging logic and HTML-based logging with the same color scheme for captured data. Evidence suggests SLIMAGENT has been deployed as a standalone espionage tool since at least 2018. Despite XAgent’s well-known codebase, the group continues reusing and adapting it, alongside newer malware like BEARDSHELL, in recent espionage campaigns.
During forensic analysis, the researchers discovered malware linked to the COVENANT framework and the BEARDSHELL backdoor. The experts were not able to determine the initial infection vector.
ESET noted that BEARDSHELL uses a rare obfuscation method called opaque predicate, previously seen in XTunnel, a tool used by APT28 during the Democratic National Committee hack. This link strongly suggests BEARDSHELL belongs to the group’s toolkit. Another tool, COVENANT, has been heavily modified to support long-term espionage and uses cloud services like Filen for command-and-control communications.
The cybersecurity firm reports that developers behind APT28 have developed strong expertise in the Covenant framework, despite its official development ending in 2021. The group has successfully adapted and reused the tool for several years, particularly in espionage operations targeting Ukrainian organizations.
“we have shown that Sednit’s advanced development team is active once again, operating an arsenal centered on two implants – BeardShell and Covenant – deployed in tandem and each leveraging a different cloud provider.” concludes the report. “The sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit’s developers remain fully capable of producing advanced custom implants. Furthermore, the shared code and techniques linking these tools to their 2010-era predecessors strongly suggest continuity within the development team.”
Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails.
Researchers reported a phishing campaign linked to Russia that targets Ukrainian organizations using two new malware families, BadPaw and MeowMeow. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain.
“The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim.” reads the report published by ClearSky. “Simultaneously, the infection triggers the download of BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication, the loader deploys MeowMeow, a sophisticated backdoor.”
Researchers found that both malware strains use the .NET Reactor packer to make the analysis and reverse engineering harder, showing the attackers’ intent to evade detection and maintain long-term persistence.
“An additional layer of defense employed by BadPaw is the use of .NET Reactor, a commercial protection and obfuscation tool for .NET assemblies. This packer obfuscates the underlying code to hinder static analysis and reverse engineering.” continues the report.
The malware also includes multiple defense mechanisms. Its components stay inactive unless launched with specific parameters, otherwise displaying a benign interface and executing harmless code.
The MeowMeow backdoor adds environmental checks, scanning systems for virtual machines and analysis tools such as Wireshark, ProcMon, and Fiddler. If it detects a sandbox or research environment, it immediately stops execution to avoid investigation.
Researchers at ClearSky attribute the campaign with high confidence to a Russia-linked cyberespionage group and with lower confidence to the threat actor APT28. Their assessment relies on three factors: the targeting of Ukrainian entities, Russian-language artifacts in the code, and tactics consistent with previous Russian cyber operations, including multi-stage infection chains and .NET-based loaders.
In parallel, the attack chain leads to the deployment of a .NET-based loader called BadPaw, which then establishes communication with a remote server to fetch and deploy a sophisticated backdoor called MeowMeow.
The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28, based on the targeting footprint, the geopolitical nature of the lures used, and overlaps with techniques observed in previous Russian cyber operations.
ClearSky’s research details outline a multi-stage infection chain beginning with a phishing email sent via the Ukrainian provider ukr[.]net, a service previously abused in Russian campaigns. The email contains a link that first loads a tracking pixel to notify attackers when a victim clicks, then redirects to a shortened URL that downloads a ZIP archive.
Inside the archive is a disguised HTA file posing as an HTML document. When executed, it opens a decoy document about a Ukrainian border-crossing appeal while silently launching the malicious routine. The HTA performs anti-analysis checks by verifying the system’s installation date and aborting execution on recently installed systems, a common sandbox-evasion tactic.
“The dropped decoy document serves as a social engineering tactic, presenting a confirmation of receipt for a government appeal regarding a Ukrainian border crossing. This lure is intended to maintain the veneer of legitimacy while the HTA file executes its secondary stages in the background,” continues the report. “To evade detection and identify potential sandbox environments, the HTA file performs an environmental check by inspecting the following Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate. By querying this value, the malware calculates the ‘age’ of the operating system. If the system was installed less than ten days prior to execution, the malware terminates. This is a common anti-analysis technique used to avoid execution on freshly provisioned virtual machines or automated analysis sandboxes.”
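The InstallDate check is easy to reproduce, which is useful both for understanding what the HTA does and for making sure your own analysis VMs pass it. The block below is an added example, not ClearSky's code or the malware's own: it computes the install age the way the report describes, optionally reads the live value on Windows, and shows what a sandbox image should carry to survive the check. The registry path and the ten-day threshold come from the report; the fact that InstallDate is a REG_DWORD holding seconds since the Unix epoch is Windows behaviour; the function names and the 30-day backdating margin are my own choices.

```python
"""Emulation of the InstallDate sandbox check described in the ClearSky report.

Added example, not ClearSky's or the malware's own code. InstallDate under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion is a REG_DWORD holding the
install time as seconds since the Unix epoch; the ten-day cut-off is the value
the report gives. Reading the live registry is only attempted on Windows.
"""
import time
from typing import Optional

INSTALL_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
SANDBOX_AGE_THRESHOLD_DAYS = 10   # from the report


def os_age_days(install_date_epoch: int, now_epoch: int) -> float:
    """Age of the Windows install in days, computed the way the HTA does it."""
    return (now_epoch - install_date_epoch) / 86400


def looks_like_fresh_sandbox(install_date_epoch: int, now_epoch: int,
                             threshold_days: int = SANDBOX_AGE_THRESHOLD_DAYS) -> bool:
    """True when the malware would abort: the OS was installed less than
    `threshold_days` ago (an age of exactly `threshold_days` passes)."""
    return os_age_days(install_date_epoch, now_epoch) < threshold_days


def read_install_date() -> Optional[int]:
    """Return the live InstallDate on Windows, or None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INSTALL_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, "InstallDate")
    return int(value) if value_type == winreg.REG_DWORD else None


def sandbox_safe_install_date(now_epoch: int, margin_days: int = 30) -> int:
    """InstallDate a sandbox image should carry so this check passes: backdated
    well beyond the threshold (the margin is my choice, not from the report)."""
    return now_epoch - (SANDBOX_AGE_THRESHOLD_DAYS + margin_days) * 86400


if __name__ == "__main__":
    now = int(time.time())
    live = read_install_date()
    # Constructed value for non-Windows hosts: an install five days ago.
    install = live if live is not None else now - 5 * 86400
    print(f"install age: {os_age_days(install, now):.1f} days, "
          f"malware would abort: {looks_like_fresh_sandbox(install, now)}")
```

Two practical consequences: sandbox images should be provisioned (or have InstallDate rewritten) so the value sits comfortably older than checks like this one, and a script host such as mshta.exe reading this particular value is itself a reasonable detection signal, since ordinary HTA content has no reason to query it.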
If conditions are met, it searches for the original archive, extracts additional components, and establishes persistence through a scheduled task. A VBS script then retrieves hidden payload data embedded within an image using steganography, extracting a PE file that researchers identified as the BadPaw loader, which ultimately deploys the MeowMeow backdoor and establishes command-and-control communication.
Researchers found Russian-language strings in the malware code, including one indicating the time needed to reach an operational state. These artifacts suggest a Russian origin and may reflect an OPSEC mistake or leftover development elements not adapted for Ukrainian targets.
“The presence of these Russian-language strings suggests two possibilities: the threat actor committed an operational security (OPSEC) error by failing to localize the code for the Ukrainian target environment, or they inadvertently left Russian development artifacts within the code during the malware’s production phase.” concludes the report.
Russia-linked APT28 reportedly exploited MSHTML zero-day CVE-2026-21513 before Microsoft patched it, a high-severity bypass flaw.
Akamai reports that Russia-linked APT28 may have exploited CVE-2026-21513 (CVSS score 8.8), a high-severity MSHTML vulnerability, before Microsoft patched it in February 2026.
The vulnerability is an Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file. While Microsoft shared few technical details, it confirmed that CVE-2026-21513 was exploited in zero-day attacks and credited MSTIC, MSRC, the Office Security Team, and Google’s GTIG for reporting it. Akamai found a malicious sample uploaded to VirusTotal in January 2026 tied to infrastructure linked to APT28.
Akamai researchers used PatchDiff-AI to analyze the root cause of the issue and traced CVE-2026-21513 to hyperlink navigation logic in ieframe.dll. They found that poor URL validation lets attacker input reach ShellExecuteExW, enabling code execution outside the browser sandbox. Researchers reproduced the flaw using MSHTML components and identified an exploit sample, document.doc.LnK.download, uploaded in January 2026 and linked to APT28 infrastructure.
“By correlating the vulnerable code path with public threat intelligence, we identified a sample that was leveraging this functionality: document.doc.LnK.download.” reads the report published by Akamai. “The sample was first submitted to VirusTotal on January 30, 2026, shortly before February’s Patch Tuesday, and is associated with infrastructure linked to APT28, an active Russian state-sponsored threat actor.”
The payload uses a specially crafted Windows Shortcut (.lnk) that embeds an HTML file directly after the standard LNK structure. When executed, it connects to wellnesscaremed[.]com, a domain attributed to APT28 and widely used in the campaign’s multistage activity. The exploit relies on nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). By downgrading the security context, it triggers the vulnerable navigation flow, allowing attacker-controlled content to invoke ShellExecuteExW and execute code outside the browser sandbox.
“While the observed campaign leverages malicious .LNK files, the vulnerable code path can be triggered through any component embedding MSHTML. Therefore, additional delivery mechanisms beyond LNK-based phishing should be expected.” concludes the report.
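A shortcut that carries an HTML document after its last structural block is something a file scanner can catch without understanding the exploit itself. The block below is an added example, not Akamai's code and not the exploit sample: it walks the shell link layout from MS-SHLLINK (header, optional ID list, link info, string data, extra data blocks, terminal block), reports whatever bytes follow, and flags HTML markup there, which is where the report says the payload is embedded. The sample shortcut is constructed; the HTML marker list and the double-extension check for names like document.doc.LnK.download are my heuristics.

```python
"""Finding data appended after a well-formed Windows shortcut (.lnk).

Added example, not Akamai's code or the exploit sample. It walks the shell
link structure as laid out in MS-SHLLINK and reports whatever follows the
terminal block, which is where the report says the HTML payload sits.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that govern which optional structures are present.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_FLAGS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

HTML_MARKERS = re.compile(rb"<(?:!doctype|html|iframe|script|body)\b", re.IGNORECASE)


def lnk_structure_end(data: bytes) -> int:
    """Offset just past the last byte a shell link parser would consume."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & IS_UNICODE else 1
    for flag in STRING_DATA_FLAGS:               # CountCharacters (2) + characters
        if flags & flag:
            pos += 2 + char_size * struct.unpack_from("<H", data, pos)[0]
    while pos + 4 <= len(data):                  # ExtraData blocks until TerminalBlock (size < 4)
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    return min(pos, len(data))


def trailing_bytes(data: bytes) -> bytes:
    """Everything after the shell link structure; empty for a normal shortcut."""
    return data[lnk_structure_end(data):]


def has_appended_html(data: bytes) -> bool:
    """True if bytes after the shell link structure contain HTML markup."""
    return HTML_MARKERS.search(trailing_bytes(data)) is not None


def is_disguised_lnk_name(filename: str) -> bool:
    """Flags names like document.doc.LnK.download: '.lnk' hidden before a final extension."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and "lnk" in parts[1:-1]


def make_lnk(appended: bytes = b"", arguments: bytes = b"/c echo hi") -> bytes:
    """Constructed minimal shortcut: header, one ANSI string-data field, terminal block."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I16sI", header, 0, LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS)
    string_data = struct.pack("<H", len(arguments)) + arguments
    return bytes(header) + string_data + b"\0\0\0\0" + appended


if __name__ == "__main__":
    sample = make_lnk(b"<html><body><iframe src='about:blank'></iframe></body></html>")
    print("structure ends at", lnk_structure_end(sample), "of", len(sample), "bytes")
    print("appended HTML:", has_appended_html(sample))
    print("disguised name:", is_disguised_lnk_name("document.doc.LnK.download"))
```

The structural walk matters more than the marker search: a naive scan for "<html" anywhere in the file would also fire on legitimate shortcuts whose icon or argument strings happen to contain markup, whereas bytes past the terminal block have no business being there at all.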
Microsoft addressed the issue by tightening hyperlink protocol validation to prevent file://, http://, and https:// links from reaching ShellExecuteExW.
Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze.
Russia-linked APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) launched Operation MacroMaze, targeting select entities in Western and Central Europe from September 2025 to January 2026. The campaign used webhook-based macro malware, leveraging simple tools and legitimate services for infrastructure and data exfiltration.
The attack chain begins with spear-phishing emails delivering weaponized documents that contain an INCLUDEPICTURE field pointing to a webhook[.]site URL hosting a JPG.
“All analyzed documents share a common structural element within their XML: an INCLUDEPICTURE field referencing a remote URL hosted on webhook[.]site.” reads the report published by S2 Grupo’s LAB52 threat intelligence team. “This field is embedded in the document’s XML (w:instrText) and instructs Microsoft Word to retrieve an external image resource when the field is evaluated. The referenced file (docopened.jpg) is fetched from the remote server when the document is opened and fields are updated. This behavior functions as a tracking mechanism: when the document is opened and Word processes the INCLUDEPICTURE field, an outbound HTTP request is generated to the remote server. The server operator can then log metadata associated with the request, effectively confirming that the document has been opened.”
When opened, the file silently retrieves the image, acting like a tracking pixel that alerts attackers the document was viewed. Variants seen between September 2025 and January 2026 use modified macros to drop malware and deploy additional payloads on compromised systems.
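Because the beacon lives in the document XML rather than in a macro, it survives macro blocking and is easy to scan for at the mail gateway or in triage. The block below is an added example, not LAB52's code: it opens the .docx package, reassembles each field's instruction text (Word commonly splits it across several w:instrText runs between the fldChar begin and separate/end markers, which a simple substring search misses) and returns every INCLUDEPICTURE whose target is a URL or UNC path rather than a local file. The sample document is constructed; EXAMPLE-TOKEN stands in for a webhook[.]site path and is not a real indicator.

```python
"""Scanning a .docx for INCLUDEPICTURE fields that fetch a remote image.

Added example, not LAB52's code. Walks the WordprocessingML field structure
so instruction text split across several <w:instrText> runs is reassembled.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
FIELD_PARTS = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")
# Quoted or bare target after the INCLUDEPICTURE keyword: URL or UNC path.
REMOTE_TARGET = re.compile(r'INCLUDEPICTURE\s+"?\s*((?:https?://|file://|\\\\)[^"\s]+)', re.IGNORECASE)
TRACKING_HOSTS = {"webhook.site"}   # from the report; extend with your own watchlist


def field_codes(document_xml: bytes):
    """Yield each complete field instruction, joining instrText runs between
    begin and separate/end. Nested fields are not handled (not needed here)."""
    active, buf = False, []
    for el in ET.fromstring(document_xml).iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                active, buf = True, []
            elif kind in ("separate", "end") and active:
                active = False
                if buf:
                    yield "".join(buf)
        elif el.tag == W + "instrText" and active:
            buf.append(el.text or "")


def remote_include_pictures(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """(part name, target) for every INCLUDEPICTURE that references a remote resource."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not FIELD_PARTS.match(name):
                continue
            for code in field_codes(z.read(name)):
                m = REMOTE_TARGET.search(code)
                if m:
                    found.append((name, m.group(1)))
    return found


def is_tracking_beacon(target: str) -> bool:
    host = urlsplit(target).hostname or ""
    return host.lower() in TRACKING_HOSTS


def make_docx(document_xml: str) -> bytes:
    """Constructed minimal package: enough for field parsing, not a full document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


W_NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
# Constructed sample: instruction text deliberately split over two runs.
BEACON_XML = (
    f'<w:document {W_NS}><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://webhook.site/EXAMPLE-TOKEN/</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">docopened.jpg" \\d </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)
# Constructed benign sample: the same field pointing at a local file.
LOCAL_XML = (
    f'<w:document {W_NS}><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "C:\\Users\\me\\logo.png" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)

if __name__ == "__main__":
    for label, xml in (("beacon", BEACON_XML), ("local", LOCAL_XML)):
        hits = remote_include_pictures(make_docx(xml))
        print(label, hits, [is_tracking_beacon(t) for _, t in hits])
```

The host watchlist is only a convenience; any INCLUDEPICTURE that reaches off-host from an inbound document deserves a look, since a legitimate external image in a mailed document is rare and the same mechanism works with any server the attacker controls.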
Researchers identified four closely related macro variants acting as droppers. Each drops six files (VBS, BAT, CMD, HTM, XHTML) into the %USERPROFILE% folder using GUID-like names tied to a webhook[.]site C2 path. The attackers used heavy string concatenation to hide key commands. The macro launches a VBScript that triggers multi-stage execution, creates a Scheduled Task for persistence, then deletes traces. Over time, the variants evolved from simple document cleanup to fake Word error messages and SendKeys-based UI manipulation to bypass security prompts. Two batch versions follow: one uses Edge in headless mode for stealth, the other hides the browser off-screen and forcefully kills processes for reliability, suppressing certificate errors.
“The final HTML file is constructed by concatenating a static HTM file, the captured output of the reconstructed CMD payload, and a closing XHTML template. The initial HTM file defines an auto-submitting form that sends a POST request to a webhook[.]site endpoint, while the payload output is embedded directly within a element. The closing XHTML fragment completes the document structure.” continues the report. “When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction.”
The Operation MacroMaze campaign uses a browser-based exfiltration method that relies on standard HTML features to send stolen data while leaving minimal traces on disk. Although the specific command file used to gather system data was not recovered, similar operations previously attributed to APT28 by CERT Polska and the Computer Emergency Response Team of Ukraine (CERT-UA) suggest this stage likely deploys a lightweight reconnaissance script, collecting basic host details such as IP address, directory listings, and system environment information before exfiltration.
“This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth.” concludes the report. “The tooling may be unsophisticated, but the operational tradeoffs are effective. It’s low-tech executed with high craft, which makes detection and attribution harder than the artifacts alone would suggest.”
The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US presidential election.
The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
Russia-linked APT28 is behind Operation Neusploit, exploiting a newly disclosed Microsoft Office vulnerability in targeted attacks.
Russia-linked group APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) is behind Operation Neusploit, a campaign that exploits a newly disclosed Microsoft Office vulnerability.
In January 2026, Zscaler ThreatLabz uncovered the campaign Operation Neusploit targeting Central and Eastern Europe. Threat actors targeted the vulnerability CVE-2026-21509, they used weaponized RTF files and localized lures to deploy MiniDoor, PixyNetLoader, and Covenant Grunt implants.
On January 26, Microsoft released out-of-band security updates to address an actively exploited Office zero-day vulnerability tracked as CVE-2026-21509. Zscaler reported in-the-wild exploitation on January 29, 2026.
The issue is a security feature bypass vulnerability that affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise.
“Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.” reads the advisory that confirms that the issue is actively exploited in the wild. “An attacker must send a user a malicious Office file and convince them to open it.”
The update addresses a flaw that bypasses OLE security protections in Microsoft 365 and Office, exposing users to vulnerable COM/OLE controls.
Microsoft confirmed that the Office Preview Pane is not affected and cannot be used as an attack vector. However, the tech giant did not disclose technical details about the attacks exploiting this vulnerability.
“In January 2026, ThreatLabz identified APT28 weaponizing CVE-2026-21509 to target users in Central and Eastern Europe, including Ukraine, Slovakia, and Romania.” reads the report published by Zscaler. “Social engineering lures were crafted in both English and localized languages, (Romanian, Slovak and Ukrainian) to target the users in the respective countries.”
The researchers detailed two attack chains in Operation Neusploit, both starting with a weaponized RTF exploiting CVE‑2026‑21509. One path drops MiniDoor, a malicious Outlook VBA project that lowers macro security and quietly forwards victims’ emails to attacker-controlled addresses.
“MiniDoor’s primary goal is to steal the user’s emails and forward them to the threat actor.” reads the report.
The second, more complex chain deploys PixyNetLoader, which sets persistence via COM hijacking and scheduled tasks, then loads a fake EhStorShell.dll.
“Similar to the first dropper variant, after successful exploitation of CVE-2026-21509, the attack chain downloads a tool that ThreatLabz named PixyNetLoader, which drops malicious components on the endpoint and sets up the Windows environment to start the infection chain.” states the report.
This DLL extracts hidden shellcode from a PNG using steganography, evades sandboxes, and runs a .NET Covenant Grunt implant in memory, abusing legitimate APIs for command-and-control.
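Both the BadPaw chain above (a PE file hidden in an image) and the PixyNetLoader chain here (shellcode hidden in a PNG) hinge on pulling a payload out of an image file, and the first thing an analyst wants is a carver. The block below is an added example, not ClearSky's or Zscaler's code and not the loaders' own logic: the reports describe the technique only as "hidden in an image", so the exact embedding is unknown, and this handles one common variant, data appended after the PNG IEND chunk, optionally single-byte XOR encoded (the XOR guess is motivated by the XOR-encrypted strings mentioned for this chain). LSB or in-chunk embeddings need a different extractor. The PNG and the PE stub are constructed.

```python
"""Carving a payload hidden after a PNG image's final chunk.

Added example, not ClearSky's or Zscaler's code. Handles one common
steganography variant: data appended after IEND, optionally XOR-encoded
with a single byte. Samples below are constructed.
"""
import struct
import zlib
from typing import Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Offset right after the IEND chunk's CRC; a viewer ignores everything beyond it."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 12 + length          # length(4) + type(4) + data + crc(4)
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def is_pe(blob: bytes) -> bool:
    """MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def appended_payload(data: bytes) -> Optional[bytes]:
    """Bytes after IEND, or None when the image is clean."""
    tail = data[png_end_offset(data):]
    return tail or None


def find_pe_with_xor(tail: bytes) -> Tuple[Optional[int], Optional[bytes]]:
    """Try every single-byte XOR key (0 = plaintext); return (key, decoded) on a PE hit."""
    for key in range(256):
        cand = bytes(b ^ key for b in tail)
        if is_pe(cand):
            return key, cand
    return None, None


def make_png(extra: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG with `extra` appended after IEND."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")            # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + extra


def make_fake_pe() -> bytes:
    """Constructed stub: valid MZ/PE signatures only, nothing executable."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    hidden = bytes(b ^ 0x5A for b in make_fake_pe())
    tail = appended_payload(make_png(hidden))
    key, pe = find_pe_with_xor(tail)
    print(f"payload after IEND: {len(tail)} bytes, XOR key {key:#x}, PE: {is_pe(pe)}")
```

For shellcode rather than a PE there is no signature to key on, so the same carve still tells you how many bytes follow IEND; a non-empty tail on an image dropped by a loader is suspicious by itself, and entropy or a known stub prologue can then guide decoding.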
ThreatLabz links the campaign to Russia‑aligned APT28 with high confidence. The targets match APT28’s past focus on Central and Eastern Europe, using Romanian, Ukrainian, and English lures. The tools include MiniDoor, a simplified NotDoor variant tied to APT28, while the infrastructure reuses Filen API C2 seen in earlier APT28 operations. The PixyNetLoader chain also mirrors prior campaigns, combining COM hijacking, DLL proxying, XOR‑encrypted strings, and PNG‑embedded Covenant Grunt shellcode.
“This campaign by the Russia-linked group APT28 targeted countries in Central Europe and Eastern Europe with specially crafted RTF files that exploit CVE-2026-21509, resulting in the deployment of MiniDoor and PixyNetLoader.” concludes the report. “ThreatLabz research highlights that APT28 continues to evolve its TTPs by weaponizing the latest vulnerabilities in popular and widely used applications such as Microsoft Office.”
Right after Microsoft disclosed an actively exploited Office zero-day (CVE-2026-21509) on January 26, 2026, CERT-UA reported UAC-0001 (APT28) leveraging the vulnerability in the wild. The russia-backed threat actor targeted organizations in Ukraine and the EU with malicious Office documents, and metadata shows one sample was created on January 27 at 07:43 UTC, illustrating the rapid weaponization of CVE-2026-21509.
Detect UAC-0001 aka APT28 Activity Based on the CERT-UA#19542 Alert
APT28 (UAC-0001) has a long record of conducting cyber operations aligned with russian state interests, with a persistent focus on Ukraine and its allied partners. Ukraine frequently serves as an initial testing environment for newly developed tactics, techniques, and procedures that are later scaled to broader international targets.
The latest UAC-0001 campaign in the limelight follows the same pattern. According to CERT-UA#19542, UAC-0001 targeted Ukrainian state bodies with malicious Office documents exploiting CVE-2026-21509 to deploy the COVENANT framework. The same attack pattern was later observed against EU organizations, demonstrating rapid operational expansion beyond Ukraine.
Sign up for the SOC Prime Platform to proactively defend your organization against UAC-0001 (APT28) attacks exploiting CVE-2026-21509. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with a wide range of SIEM, EDR, and Data Lake technologies.
Security experts can also use the “CERT-UA#19542” tag based on the relevant CERT-UA alert identifier to search for the detection stack directly and track any content changes. For more rules to detect attacks related to the UAC-0001 adversary activity, security teams can search the Threat Detection Marketplace library leveraging the “UAC-0001” or “APT28” tags based on the group identifier, as well as the relevant “CVE-2026-21509” tag addressing the Microsoft Office zero-day exploitation.
Additionally, users can refer to a dedicated Active Threats item on the UAC-0001 (APT28) latest attacks to access the AI summary, related detection rules, simulations, and the attack flow in one place.
Security teams can also rely on Uncoder AI to create detections from raw threat reports, document and optimize code, and generate Attack Flows. Additionally, cyber defenders can easily convert IOCs from the latest CERT-UA#19542 alert into performance-optimized queries compatible with your security stack.
In late January 2026, CERT-UA observed a series of targeted cyber attacks attributed to UAC-0001 (APT28) that leveraged an actively exploited Microsoft Office vulnerability tracked as CVE-2026-21509. The malicious activity emerged shortly after Microsoft publicly disclosed the flaw and was initially directed at Ukrainian government entities before expanding to organizations across the European Union.
To establish initial access, attackers distributed specially crafted Microsoft Word documents exploiting CVE-2026-21509. One document, titled “Consultation_Topics_Ukraine(Final).doc,” referenced COREPER, the Committee of Permanent Representatives of the EU, which prepares decisions and coordinates policy among EU member states. Although the file became publicly accessible on January 29, metadata analysis showed it had been created on January 27 (one day after Microsoft’s advisory), indicating rapid weaponization of the vulnerability.
In parallel, CERT-UA received reports of phishing emails impersonating official correspondence from the Ukrainian Hydrometeorological Center. These messages, sent to more than 60 recipients primarily within central executive authorities of Ukraine, contained malicious DOC attachments. When opened in Microsoft Office, the documents established a network connection to an external resource over WebDAV and downloaded a shortcut file containing code designed to retrieve and launch an executable file.
Successful execution of the downloaded payload results in the creation of a malicious DLL file, EhStoreShell.dll, masquerading as the legitimate Enhanced Storage Shell Extension library, and an image file (SplashScreen.png) containing shellcode. The attack also modifies the Windows registry path for CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}, implementing COM hijacking, and creates a scheduled task named OneDriveHealth.
Scheduled execution of the task causes the explorer.exe process to terminate and restart, which (due to the COM hijacking) ensures the loading of EhStoreShell.dll. The DLL executes shellcode from the image file, ultimately resulting in the launch of the COVENANT framework. Command-and-control communications for COVENANT relied on legitimate cloud storage infrastructure provided by Filen (filen.io).
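The two persistence artifacts described here, a per-user InprocServer32 override for a CLSID and a scheduled task that bounces explorer.exe, are each noisy on their own but very specific together. The block below is an added example, not CERT-UA's or SOC Prime's detection content: it reads Sysmon-style events as JSON lines (constructed here, including the task command, which the alert does not spell out), flags any HKU CLSID\InprocServer32 write (EventID 13) and any schtasks /create (EventID 1), and alerts when both land on one host inside a time window. The CLSID and task name are the ones reported; field names follow Sysmon's; the 30-minute window is my choice.

```python
"""Correlating the COM hijack and scheduled-task persistence described above.

Added example, not CERT-UA's or SOC Prime's detection content. Events are
constructed Sysmon-style JSON lines; the CLSID and task name come from the
alert as reported.
"""
import json
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

HIJACKED_CLSID = "{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
TASK_NAME = "OneDriveHealth"

# Per-user CLSID registrations take precedence over HKLM ones, so HKU\...\InprocServer32 is the hijack point.
COM_HIJACK_RE = re.compile(
    r"^HKU\\[^\\]+\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\b.*?/create\b.*?/tn\s+\"?([^\s\"]+)", re.IGNORECASE)


def classify(event: Dict) -> Optional[Tuple[str, str, str]]:
    """('com_hijack', CLSID, dll) or ('schtask', name, cmdline), else None."""
    if event.get("EventID") == 13:
        m = COM_HIJACK_RE.match(event.get("TargetObject", ""))
        if m:
            return "com_hijack", m.group(1).upper(), event.get("Details", "")
    if event.get("EventID") == 1:
        m = SCHTASKS_RE.search(event.get("CommandLine", ""))
        if m:
            return "schtask", m.group(1), event.get("CommandLine", "")
    return None


def correlate(lines: Iterable[str], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """One alert per (hijack, task) pair on the same host within `window`."""
    hits: Dict[str, List[Tuple[datetime, Tuple[str, str, str]]]] = {}
    for line in lines:
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            hits.setdefault(ev["Computer"], []).append((datetime.fromisoformat(ev["UtcTime"]), tag))
    alerts = []
    for host, items in hits.items():
        hijacks = [(t, x) for t, x in items if x[0] == "com_hijack"]
        tasks = [(t, x) for t, x in items if x[0] == "schtask"]
        for t_h, hijack in hijacks:
            for t_t, task in tasks:
                if abs(t_t - t_h) <= window:
                    alerts.append({"host": host, "clsid": hijack[1], "dll": hijack[2], "task": task[1],
                                   "known_ioc": hijack[1] == HIJACKED_CLSID and task[1] == TASK_NAME})
    return alerts


# Constructed events: one infected host, one host with only a benign HKLM registration.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Computer": "WS-01", "UtcTime": "2026-01-27T08:01:12", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\EhStorShell.dll"},
    {"Computer": "WS-01", "UtcTime": "2026-01-27T08:01:40", "EventID": 1,
     "CommandLine": 'schtasks.exe /create /tn "OneDriveHealth" /sc minute /mo 15 /tr "cmd /c taskkill /f /im explorer.exe & start explorer.exe"'},
    {"Computer": "WS-01", "UtcTime": "2026-01-27T08:02:05", "EventID": 1,
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"Computer": "WS-02", "UtcTime": "2026-01-27T08:05:00", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\EhStorShell.dll"},
]]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Keying the registry rule on any CLSID rather than only the reported one is deliberate: the known_ioc flag still marks the exact pattern from the alert, but a fresh HKU InprocServer32 pointing into a user-writable directory is the technique, and the next campaign will pick a different shell extension.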
Toward the end of January 2026, CERT-UA identified additional documents using the same exploit chain and delivery mechanisms in attacks against EU-based organizations. Technical overlaps in document structure, embedded URLs, and supporting infrastructure suggest these incidents were part of a coordinated UAC-0001 (APT28) campaign, demonstrating the rapid scaling of the operation beyond its initial Ukrainian targets.
Given the active exploitation of a Microsoft Office zero-day and the challenges many organizations face in promptly applying patches or mitigations, further abuse of CVE-2026-21509 is expected in the near term.
To reduce the attack surface, organizations should implement the mitigation measures outlined in Microsoft’s advisory, including recommended Windows registry configurations. In addition, as UAC-0001 (APT28) leverages legitimate Filen cloud infrastructure for COVENANT command-and-control operations, network interactions with Filen-related domains and IP addresses should be restricted or placed under enhanced monitoring.
Additionally, security experts can rely on SOC Prime’s AI-Native Detection Intelligence Platform, which equips SOC teams with cutting-edge technologies and top cybersecurity expertise to stay ahead of APT28 attacks while maintaining operational effectiveness.
MITRE ATT&CK Context
Leveraging MITRE ATT&CK offers in-depth insight into the latest UAC-0001 (APT28) attacks leveraging CVE-2026-21509 exploit to target Ukrainian and EU entities. The table below displays all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.