securityaffairs.com 3/2/2026, 3:44:53 PM · via preferred

APT28 exploits MSHTML CVE-2026-21513 to run code via LNK

CyberSIXT evidence panel:
Primary source: msrc.microsoft.com
CISA KEV: listed
Patch: available

Russia-linked APT28 reportedly exploited the MSHTML zero-day CVE-2026-21513, a high-severity flaw, before Microsoft patched it in February 2026. According to Akamai, the vulnerability, an Internet Explorer security control bypass that can enable code execution when a victim opens a malicious HTML page or an LNK file, was used in real-world attacks prior to the patch.

Akamai researchers traced the issue to hyperlink navigation logic in ieframe[.]dll and found that poor URL validation allowed attacker input to reach ShellExecuteExW, enabling code execution outside the browser sandbox. The exploitation involved a specially crafted Windows Shortcut (.lnk) embedding an HTML file, with a payload linked to APT28 infrastructure and a domain well known to be used in the campaign.

A malicious sample uploaded to VirusTotal in January 2026, linked to APT28, was identified during the investigation. The report notes that, while the campaign leveraged .LNK files, the vulnerable code path can be triggered by any component embedding MSHTML, suggesting additional delivery methods beyond phishing may be expected.
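The delivery vector described above, a Windows Shortcut with an HTML document embedded in it, leaves a structural trace that a defender can check for without any knowledge of the specific sample: the Shell Link binary format (MS-SHLLINK) ends with a 4-byte TerminalBlock, so any bytes after it are foreign data appended to the shortcut. The triage script below is an added example, not code from the article, Akamai or Microsoft; it walks the documented LNK layout (header, optional ID list and LinkInfo, string data, extra-data blocks) and flags shortcuts that carry trailing data, HTML markup in that trailing data, or a target path or arguments that reference an HTML document. The sample shortcuts it parses are constructed fixtures built by `_constructed_sample`, not the APT28 sample from the report, and the HTML markers and file-extension list are my own heuristics.

```python
import struct

# Constants from the MS-SHLLINK specification (Shell Link Binary File Format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Heuristic markers (my choice, not from the report) for HTML smuggled after the TerminalBlock.
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<iframe")
HTML_EXTENSIONS = (".html", ".htm", ".hta")


def _read_string(data, pos, unicode):
    """Read one StringData item: a 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    width = 2 if unicode else 1
    raw = data[pos:pos + count * width]
    text = raw.decode("utf-16-le" if unicode else "latin-1", errors="replace")
    return text, pos + count * width


def parse_lnk(data):
    """Walk a Shell Link file and return its strings, extra-block count and any trailing bytes."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a Shell Link header")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            strings[name], pos = _read_string(data, pos, unicode)
    extra_blocks = 0
    while pos + 4 <= len(data):                  # ExtraData: blocks end with a size < 4
        (block_size,) = struct.unpack_from("<I", data, pos)
        if block_size < 4:
            pos += 4                             # TerminalBlock consumed; file should end here
            break
        extra_blocks += 1
        pos += block_size
    return {"flags": flags, "strings": strings, "extra_blocks": extra_blocks, "trailing": data[pos:]}


def triage_lnk(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    info = parse_lnk(data)
    findings = []
    trailing = info["trailing"]
    if trailing:
        findings.append(f"{len(trailing)} bytes of data after the TerminalBlock")
    if any(marker in trailing.lower() for marker in HTML_MARKERS):
        findings.append("HTML markup embedded after the TerminalBlock")
    targets = (info["strings"].get("relative_path", "") + " " + info["strings"].get("arguments", "")).lower()
    if any(ext in targets for ext in HTML_EXTENSIONS):
        findings.append("shortcut target or arguments reference an HTML document")
    return findings


def _constructed_sample(rel_path, trailing=b""):
    """Build a minimal, constructed Shell Link fixture (not a real-world sample) for testing."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # timestamps, sizes, reserved fields zeroed
    rel = struct.pack("<H", len(rel_path)) + rel_path.encode("utf-16-le")
    terminal = struct.pack("<I", 0)
    return header + rel + terminal + trailing


if __name__ == "__main__":
    clean = _constructed_sample(r".\readme.txt")
    polyglot = _constructed_sample(r".\lure.html", b"<html><body>constructed fixture</body></html>")
    for label, blob in (("clean", clean), ("polyglot", polyglot)):
        print(label, triage_lnk(blob) or ["no findings"])
```

Running `triage_lnk` over a directory of quarantined `.lnk` attachments gives a quick first pass: a shortcut that is clean structurally yields no findings, while one carrying appended HTML is reported with all three indicators. Trailing data alone is not proof of malice (some legitimate tools append metadata), which is why the findings are reported separately rather than collapsed into a single verdict.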


Article by CyberSIXT