socradar.io 2/3/2026, 11:40:26 AM

CVE-2026-21509: APT28 Actively Exploits Microsoft Office Vulnerability in Ukraine

CyberSIXT Evidence Panel
CISA KEV: listed in KEV
Patch: patch available

On 26 January 2026, Microsoft released an update addressing CVE-2026-21509, a high-severity flaw affecting many Microsoft Office versions that has been exploited in the wild by state-sponsored actors against government and diplomatic organisations in Ukraine, according to CERT-UA. The vulnerability is triggered through specially crafted Microsoft Office documents that bypass the security mitigations for OLE; the most detailed real-world case is attributed to the threat actor UAC-0001 (APT28).

Attacks rely on social engineering via phishing emails, with lure documents such as BULLETEN_H.doc or Consultation_Topics_Ukraine(Final).doc used to deliver malware. The result is a multi-stage infection that drops files such as EhStoreShell[.]dll and SplashScreen[.]png, performs COM hijacking, and creates a scheduled task named OneDriveHealth that restarts Explorer so that the malicious payload is loaded.

The final payload loads the COVENANT framework, which uses Filen cloud storage infrastructure for its command and control and administration. Affected products include Microsoft 365 Apps for Enterprise, Office LTSC 2024 and 2021, Office 2019, and Office 2016, on both 32-bit and 64-bit architectures.
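The infection chain summarised above (Office dropping a DLL into the user profile, a COM hijack through an HKCU CLSID key, and an OneDriveHealth scheduled task) maps onto three endpoint-telemetry checks. The following is an added detection example written for this article, not code from SOCRadar, CyberSIXT or CERT-UA; the event lines are constructed, and the event field names (type, image, target, details, cmdline) are an assumed Sysmon-like shape rather than any vendor's schema.

```python
import json
import re

# Constructed sample telemetry, not real captures. One JSON event per line; the
# field names (type, image, target, details, cmdline) are an assumption for this
# example, not a vendor schema.
SAMPLE_EVENTS = r"""
{"type":"file_create","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","target":"C:\\Users\\alice\\AppData\\Local\\EhStoreShell.dll"}
{"type":"file_create","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","target":"C:\\Users\\alice\\AppData\\Local\\SplashScreen.png"}
{"type":"registry_set","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","target":"HKCU\\Software\\Classes\\CLSID\\{AAAAAAAA-0000-0000-0000-000000000000}\\InprocServer32\\(Default)","details":"C:\\Users\\alice\\AppData\\Local\\EhStoreShell.dll"}
{"type":"process_create","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /create /tn OneDriveHealth /tr C:\\Windows\\explorer.exe /sc onlogon"}
{"type":"process_create","image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe"}
"""

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = re.compile(r"^c:\\users\\", re.IGNORECASE)
COM_HIJACK_KEY = re.compile(r"^hkcu\\software\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32", re.IGNORECASE)
INDICATOR_NAMES = {"ehstoreshell.dll", "splashscreen.png"}  # file names reported in the article
INDICATOR_TASK = "onedrivehealth"                            # scheduled task name reported in the article


def detect(lines):
    """Return (rule, evidence) tuples for events matching the chain described in the article."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        target = ev.get("target", "")
        if ev.get("type") == "file_create" and image in OFFICE_APPS:
            name = target.rsplit("\\", 1)[-1].lower()
            # Office writing a known indicator name, or any DLL, into the user profile
            if name in INDICATOR_NAMES or (name.endswith(".dll") and USER_WRITABLE.match(target)):
                hits.append(("office_drops_payload", target))
        elif ev.get("type") == "registry_set" and COM_HIJACK_KEY.match(target):
            # HKCU CLSID\...\InprocServer32 is consulted before HKLM, so a user-writable
            # DLL registered here is the classic COM-hijack persistence pattern.
            if USER_WRITABLE.match(ev.get("details", "")):
                hits.append(("com_hijack_inprocserver32", target))
        elif ev.get("type") == "process_create" and image == "schtasks.exe":
            cmd = ev.get("cmdline", "").lower()
            if "/create" in cmd and INDICATOR_TASK in cmd:
                hits.append(("suspicious_scheduled_task", ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS.splitlines()):
        print(f"[{rule}] {evidence}")
```

The task-name and file-name checks are brittle indicators that an attacker can rename; the Office-writes-DLL and HKCU InprocServer32 rules are the behavioural ones worth keeping in a production detection.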


Article by CyberSIXT