ACCORDING to Trellix, the Russian state-sponsored group APT28 (also known as Fancy Bear) weaponised a newly disclosed Microsoft Office flaw, CVE-2026-21509, within 24 hours of its public reveal to spy on NATO-aligned targets across Poland, Ukraine and other nations. The attackers used a 72-hour blitz of spear-phishing emails with convincing lures about “transnational weapons smuggling alerts” and “military training program invitations,” triggering the Office exploit without macros.
Once opened, the document triggers the vulnerability and retrieves the next stage over WebDAV, with the group abusing legitimate cloud storage, including filen[.]io used as C2 infrastructure, so that the download blends in with normal traffic. The operation delivers a BeardShell implant and a separate tool, NotDoor, described as an Outlook-focused backdoor for long-term email intelligence collection: it forwards emails to an attacker-controlled address and covers its tracks by marking and then deleting the processed messages.
The campaign’s focus on Ukrainian government and military bodies and NATO-aligned targets underlines APT28’s ongoing espionage objectives.
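As an added defender-side example, not part of the Trellix report or this article, the Python below triages constructed proxy log lines for the WebDAV staging step described above: it flags WebDAV methods, or the Windows WebDAV Mini-Redirector user agent, reaching hosts outside an allowlist, with filen.io (the domain named in the article) on a watch list. The log format, host names, addresses and the allowlist are assumptions.

```python
import re

WATCHLIST = {"filen.io"}                              # cloud-storage domain named in the article
ALLOWED_WEBDAV_HOSTS = {"sharepoint.corp.example"}    # assumption: sanctioned internal WebDAV
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL"}   # methods a browser never sends
MINIREDIR_RE = re.compile(r"Microsoft-WebDAV-MiniRedir/")  # Windows WebClient user agent

# Constructed proxy log format: ts client method host path status "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def triage_line(line):
    """Return (client, host, severity, reason) for outbound WebDAV to an
    unsanctioned host, or None for lines that do not matter."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = m["host"].lower()
    if host in ALLOWED_WEBDAV_HOSTS:
        return None
    from_redirector = MINIREDIR_RE.search(m["ua"]) is not None
    if m["method"] not in WEBDAV_METHODS and not from_redirector:
        return None                                   # ordinary web traffic
    if on_watchlist(host):
        return (m["client"], host, "high", "WebDAV to watch-listed cloud storage")
    if from_redirector:
        return (m["client"], host, "medium", "Windows WebDAV redirector to unsanctioned host")
    return (m["client"], host, "low", "WebDAV method to unsanctioned host")

def triage(lines):
    return [f for f in map(triage_line, lines) if f]

# Constructed sample lines (host names and addresses are made up): ordinary browsing,
# WebDAV to a filen.io host, sanctioned WebDAV, redirector to an unknown external host
SAMPLE_LOG = [
    '2026-02-03T09:14:02Z 10.20.30.41 GET www.example.com /news 200 "Mozilla/5.0"',
    '2026-02-03T09:14:07Z 10.20.30.41 PROPFIND dav.filen.io /share/a1b2 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2026-02-03T09:15:11Z 10.20.30.42 PROPFIND sharepoint.corp.example /sites/hr 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2026-02-03T09:16:00Z 10.20.30.43 OPTIONS dav.example.net / 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
]

if __name__ == "__main__":
    for client, host, severity, reason in triage(SAMPLE_LOG):
        print(f"{severity:6} {client} -> {host}: {reason}")
```

The redirector user agent is the cheap signal here; in practice the allowlist of sanctioned WebDAV hosts decides the false-positive rate.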