www.securityweek.com 2/3/2026, 11:40:26 AM · via preferred

Russia’s APT28 Rapidly Weaponizes Newly Patched Office Vulnerability

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch available

The Russian cyberespionage group APT28 rapidly weaponised a recently patched Office vulnerability, with the first attacks observed just days after Microsoft issued fixes for CVE-2026-21509. Microsoft released the patch on 26 January, and Zscaler linked the campaign to APT28 with high confidence, noting the delivery of a dropper that then deployed additional malware, including MiniDoor and PixyNetLoader.

The dropper delivered the Covenant Grunt implant, which provides remote access and post-exploitation capabilities. The attacks targeted users across Central and Eastern Europe, including Slovakia, Romania and Ukraine. Ukraine's CERT-UA and Zscaler both highlighted social engineering lures written in English and in several local languages. The first malicious file was spotted on 29 January, while evidence from CERT-UA indicated the weaponised document was created on 27 January, the day after the patch was released. Zscaler and CERT-UA have shared indicators of compromise to aid defenders.


Article by CyberSIXT