securityonline.info 2/3/2026, 3:15:26 AM · via preferred

Fancy Bear Returns: APT28 Exploits Office Flaw in “Operation Neusploit”

CyberSIXT Evidence Panel: listed in CISA KEV; patch available.

The article reports that the Russia-linked threat group APT28 (Fancy Bear) has resurfaced with a campaign named Operation Neusploit, targeting Central and Eastern Europe, including Ukraine, Slovakia and Romania. According to Zscaler ThreatLabz, the operation exploits CVE-2026-21509 in Microsoft Office using specially crafted RTF files to deliver backdoors in a multi-stage infection chain, marking a shift from macros to weaponised RTFs.

The infection sequence, dubbed PixyNetLoader, uses evasion techniques such as COM hijacking for execution and DLL proxying to hide activity from security software, with MiniDoor described as a streamlined implant replacing backdoor functionality with an email‑stealing capability. The campaign began in January 2026, and Microsoft released an out‑of‑band update addressing CVE-2026-21509 on 26 January 2026, after which ThreatLabz noted active exploitation just three days later.

The researchers highlight continued use of steganography, embedding Covenant Grunt and its shellcode loader in a PNG, to bypass network defenses. Infrastructure overlaps and coding style have led ThreatLabz to attribute the activity to APT28 with high confidence.


Article by CyberSIXT