According to Zscaler ThreatLabz, the Russia-linked group APT28 is behind Operation Neusploit, a campaign that exploits a newly disclosed Microsoft Office vulnerability tracked as CVE-2026-21509 and targets Central and Eastern Europe using weaponised RTF files to deploy the MiniDoor, PixyNetLoader and Covenant Grunt implants.
The campaign, detected in January 2026, used social engineering lures in English and in local languages (Romanian, Slovak, Ukrainian) to coax victims in Ukraine, Slovakia and Romania into opening the attachments, with in-the-wild exploitation observed from late January 2026. Microsoft released out-of-band security updates on 26 January 2026 to address the flaw. ThreatLabz notes that CVE-2026-21509 is a security feature bypass that stems from Office accepting untrusted input: an attacker can locally bypass a protection when a user opens a malicious file.
The attack chains begin with a weaponised RTF file exploiting CVE-2026-21509. One path drops MiniDoor, which forwards the victim's emails to attacker-controlled addresses; the other deploys PixyNetLoader, which establishes persistence through COM hijacking and scheduled tasks and eventually loads Covenant Grunt shellcode in memory. ThreatLabz attributes the activity to APT28 with high confidence, as the targets and tooling align with the group's past focus on Central and Eastern Europe. The article notes that the Office Preview Pane is not an attack vector for the flaw, so the victim must open the file, and that Microsoft has not disclosed further technical details about the attacks.
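As an added example (not ThreatLabz's code and not indicators from the campaign), the PowerShell hunt below looks for the two persistence techniques the article attributes to PixyNetLoader, user-level COM hijacking and scheduled tasks, on a host being triaged. The article publishes no CLSIDs, task names or file paths, so the script does not search for PixyNetLoader itself; the trusted-root list and the "runs from a user-writable location" heuristic are assumptions, and every hit needs manual triage.

```powershell
# Added example (not ThreatLabz tooling): generic hunt for user-level COM hijacking and
# suspicious scheduled tasks. The article gives no CLSIDs, task names or paths, so the
# heuristics are assumptions about what such persistence usually looks like.

# Locations a user-level implant cannot normally write to (assumption, not from the article).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
# Sub-folders of %SystemRoot% that are user-writable and therefore never trusted.
$untrustedUnderRoot = @("$env:SystemRoot\Temp", "$env:SystemRoot\Tasks") |
    ForEach-Object { $_.ToLowerInvariant() }

function Get-ExecutablePath {
    # Reduce a command line ("C:\dir with space\a.dll" /x, %APPDATA%\b.exe arg) to its executable path.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) { return ($c.Substring(1) -split '"')[0] }
    return ($c -split '\s+')[0]
}

function Test-TrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = $Path.ToLowerInvariant()
    foreach ($u in $untrustedUnderRoot) { if ($p.StartsWith($u)) { return $false } }
    foreach ($r in $trustedRoots)       { if ($p.StartsWith($r)) { return $true } }
    return $false
}

function Find-UserComHijacks {
    # HKCU\Software\Classes\CLSID is consulted before HKLM for the current user, so an
    # InprocServer32/LocalServer32 written here hijacks any process that loads that CLSID.
    $findings = @()
    $userClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsid)) { return $findings }
    foreach ($key in Get-ChildItem -Path $userClsid -ErrorAction SilentlyContinue) {
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $sub = Join-Path $key.PSPath $server
            if (-not (Test-Path $sub)) { continue }
            $target = Get-ItemPropertyValue -Path $sub -Name '(default)' -ErrorAction SilentlyContinue
            if (-not $target) { continue }
            $exe = Get-ExecutablePath $target
            if (Test-TrustedPath $exe) { continue }
            # A matching HKLM entry means this key shadows a legitimate machine-wide server.
            $note = 'user-only CLSID'
            if (Test-Path "HKLM:\Software\Classes\CLSID\$($key.PSChildName)") { $note = 'shadows HKLM CLSID' }
            $findings += [pscustomobject]@{
                Type     = 'COM hijack candidate'
                Location = "$userClsid\$($key.PSChildName)\$server"
                Target   = $exe
                Note     = $note
            }
        }
    }
    return $findings
}

function Find-SuspiciousTasks {
    $findings = @()
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $loc = "$($task.TaskPath)$($task.TaskName)"
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                # Exec action: flag binaries that run from outside the trusted roots.
                $exe = Get-ExecutablePath $action.Execute
                if (-not (Test-TrustedPath $exe)) {
                    $findings += [pscustomobject]@{ Type = 'Task exec action'; Location = $loc; Target = $exe; Note = "args: $($action.Arguments)" }
                }
            } elseif ($action.ClassId) {
                # COM handler action: flag it when the CLSID it invokes is registered per-user,
                # which is how a COM hijack and a scheduled task can be chained together.
                if (Test-Path "HKCU:\Software\Classes\CLSID\$($action.ClassId)") {
                    $findings += [pscustomobject]@{ Type = 'Task COM action'; Location = $loc; Target = $action.ClassId; Note = 'CLSID resolves under HKCU' }
                }
            }
        }
    }
    return $findings
}

@(Find-UserComHijacks) + @(Find-SuspiciousTasks) | Sort-Object Type | Format-Table -AutoSize
```

Because HKCU is a per-user hive, run the script in the session of the user who opened the RTF (or load that user's NTUSER.DAT); running it from a separate administrative account will miss a user-level COM hijack entirely. Expect some legitimate per-user COM registrations in the output; the Note column and the target path are what separate a benign entry from a loader sitting in AppData or Temp.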