thehackernews.com 2/3/2026, 10:00:22 AM · via preferred

APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Available

According to The Hacker News, the Russia-linked threat actor APT28 (aka UAC-0001) has been linked to attacks exploiting Microsoft Office CVE-2026-21509 as part of Operation Neusploit. Zscaler ThreatLabz observed the group weaponising the flaw on 29 January 2026 in campaigns targeting Ukraine, Slovakia and Romania. The vulnerability is a CVSS 7.8 security feature bypass that could allow an unauthorised attacker to execute code via a specially crafted Office file.

Security researchers described lure documents in English and local languages, with server-side evasion ensuring the malicious DLL only activates for targeted regions and specific User-Agent headers. The attack chains use a malicious RTF file to deploy two droppers: MiniDoor, which steals emails and forwards them to two hard-coded addresses, and PixyNetLoader, which culminates in Covenant Grunt deployment.

CERT-UA corroborated the activity, noting that APT28 exploited CVE-2026-21509 via Word documents to target more than 60 central executive authorities in Ukraine, with one lure document created on 27 January 2026.


Article by CyberSIXT