arstechnica.com, 2/4/2026, 11:35:20 PM

Russian-state hackers exploit Office vulnerability to infect computers

CyberSIXT Evidence Panel
CISA KEV: listed
Patch: available

According to Trellix, Russian-state hackers weaponised a critical Microsoft Office vulnerability, CVE-2026-21509, less than 48 hours after Microsoft released an unscheduled security update for it late last month, using it to compromise devices inside diplomatic, maritime, and transport organisations across more than half a dozen countries.

The 72-hour spear-phishing campaign began on January 28 and delivered at least 29 distinct email lures to organisations in nine countries, with targets including defence ministries, transportation/logistics operators, and diplomatic entities. The campaign used two novel backdoor implants, BeardShell and NotDoor, designed to operate in memory and evade endpoint protection, with infection chains that utilised compromised government accounts and cloud-based command-and-control channels.

NotDoor relied on a VBA macro and was triggered after disabling Outlook’s macro security controls, enabling the backdoor to monitor email folders and exfiltrate data via attacker-controlled cloud accounts. Trellix attributed the attacks to APT28 with high confidence, and Ukraine’s CERT-UA has attributed the operations to UAC-0001, a name that corresponds to APT28.


Article by CyberSIXT