Russian hackers have weaponised a recently disclosed Microsoft Office flaw, with APT28 beginning exploitation three days after a patch was released, on 29 January 2026, in a campaign tracked as Operation Neusploit. The attacks use specially crafted Microsoft Rich Text Format (RTF) documents to trigger CVE-2026-21509 and deliver a multistage infection chain aimed at stealing emails and deploying payloads in Central and Eastern Europe, according to Zscaler researchers.
MiniDoor and PixyNetLoader are two dropper DLLs used by APT28; MiniDoor is described as a VBA project designed to exfiltrate victims’ emails, while PixyNetLoader deploys nested malware layers that culminate in a Covenant Grunt backdoor. The group’s phishing lures are in English and localised Romanian, Slovak and Ukrainian, and server-side filtering is used to target geographic regions.
According to a Zscaler and Microsoft collaboration, while some PoCs exist, it remains unclear whether the in-the-wild activity observed by Microsoft matches Operation Neusploit. CISA has added CVE-2026-21509 to its Known Exploited Vulnerabilities catalog.