Within days of Microsoft releasing an emergency security update for Microsoft Office, the Russian-linked threat group APT28 (also known as Fancy Bear, Sofacy, and Forest Blizzard) had a working exploit for the critical vulnerability CVE-2026-21509 in its toolkit. According to analysis by Zscaler, the group launched a focused phishing campaign against organizations in Ukraine and several Central and Eastern European countries, underlining how quickly advanced threat actors now turn a freshly patched vulnerability into a deployable exploit.
What Is CVE-2026-21509 in Microsoft Office and Why It Matters
At the end of January 2026, Microsoft issued an out-of-band security update to fix CVE-2026-21509, a critical security feature bypass in Microsoft Office: a crafted document can get past the protections Office applies to embedded COM/OLE components. COM and OLE are the Windows technologies that let separate software components expose functionality to each other and embed content in one another's documents, which is exactly why Office guards them.
The flaw enables stealthy remote code execution: an attacker can run arbitrary code on a victim's system simply by convincing the user to open a specially crafted document. Microsoft confirmed that the bug was already being exploited as a zero-day and urged organizations to apply the patch immediately.
Zscaler reports that the first malicious document exploiting CVE-2026-21509 was created on 27 January, roughly 24 hours after the patch was released. Whether APT28 diffed the update itself to locate the fix or adapted an exploit that was already circulating in the wild, the group had a reliable weaponized document within a day. This aligns with an industry-wide trend: the "patch-to-weaponization" window for high-impact vulnerabilities has shrunk from weeks to days, so the exposure clock starts the moment a fix is published.
Targeted Phishing Campaigns Against Ukraine and Central & Eastern Europe
The initial access vector in this operation was targeted phishing. Attackers sent emails that mimicked official correspondence and analytical reports from European institutions working with Ukraine, making the messages appear trustworthy to their intended recipients.
Decoy documents were prepared in English, Romanian, Slovak, and Ukrainian, increasing credibility and helping the content evade simple language-based detection filters. This localized approach is characteristic of APT28, which historically focuses on diplomatic, defense, energy, and government entities across Eastern Europe.
In addition to Ukrainian targets, Zscaler observed attacks against organizations in Slovakia, Romania, and other Central and Eastern European countries. The selected geography and victim profile are consistent with APT28’s long-term strategic interest in regional political, military, and critical infrastructure sectors.
Attack Chain: From Office Document to Covenant C2
Abuse of WebDAV and COM Hijacking for Persistence
Once a victim opened a malicious Office file, the exploit triggered a multi-stage infection chain that used WebDAV, an HTTP extension that lets Windows treat files on a remote server as if they sat on a local share (UNC paths of the form \\host@SSL\share are served by the WebClient service). By leveraging WebDAV, the attackers could fetch additional payloads from their servers on demand instead of embedding every component in the document, which keeps the attachment small and gives attachment scanners little to match on; the fetches show up in proxy logs as PROPFIND and GET requests carrying the WebDAV Mini-Redirector user agent.
For persistence and stealth, the operation relied on COM hijacking. In simple terms, COM hijacking redirects a legitimate Windows COM class so that when the system or an application instantiates that trusted component, the attacker's DLL is loaded instead. In practice this usually means creating an InprocServer32 entry for the target CLSID under the user's own hive (HKCU\Software\Classes\CLSID): Windows merges the per-user classes over the machine-wide ones in HKLM, so the per-user entry wins, and planting it requires no administrative rights.
In this campaign, the following elements were observed:
- A malicious library named EhStoreShell.dll, registered so that a legitimate COM class resolves to it; the DLL is then loaded whenever that class is instantiated, hijacking normal COM operations.
- Shellcode concealed inside an image file, SplashScreen.png, a classic use of steganography: the file passes as harmless media on disk and the loader extracts the executable code from it only at run time.
- A scheduled task called OneDriveHealth, named to blend in with legitimate OneDrive maintenance tasks, used to start the malicious components automatically and keep the foothold across reboots.
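The registry mechanics behind the COM hijack described above, as an added example (this is not code from the article or from the Zscaler report). It models how Windows resolves a CLSID's InprocServer32, with the per-user hive shadowing the machine-wide one, and hunts a registry snapshot for exactly that shadowing. The CLSIDs, the victim path and the benign per-user entry are constructed; only the DLL name EhStoreShell.dll comes from the reporting. The final helper reads the real hives through winreg and is only expected to work on a Windows host.

```python
"""
Added example, not taken from the article or from the Zscaler report: a
model of how Windows resolves a CLSID's InprocServer32 (HKCU shadows HKLM),
plus a hunt for per-user entries that shadow machine-wide ones.

Assumption (labelled): CLSIDs and paths in SNAPSHOT are constructed; only
the DLL name EhStoreShell.dll comes from the reporting.
"""
import re

HKLM = r"HKLM\Software\Classes\CLSID"
HKCU = r"HKCU\Software\Classes\CLSID"

# Constructed registry snapshot: {hive: {clsid: InprocServer32 default value}}
SNAPSHOT = {
    HKLM: {
        "{11111111-2222-3333-4444-555555555555}": r"C:\Windows\System32\legit.dll",
        "{66666666-7777-8888-9999-AAAAAAAAAAAA}": r"C:\Windows\System32\other.dll",
    },
    HKCU: {
        # Hijack: same CLSID as the HKLM entry, DLL planted under the user profile.
        "{11111111-2222-3333-4444-555555555555}":
            r"C:\Users\victim\AppData\Local\Microsoft\EhStoreShell.dll",
        # Benign per-user registration by a per-user installer (no HKLM twin).
        "{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}":
            r"C:\Users\victim\AppData\Local\Programs\Tool\tool.dll",
    },
}

# Locations an unprivileged user can write to; a COM server there is a red flag.
USER_WRITABLE = re.compile(
    r"(?i)^(C:\\Users\\|C:\\ProgramData\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%)")


def resolve_inproc_server(snapshot, clsid):
    """Return (dll, hive) that COM would load for clsid.

    HKCR is the merge of HKCU\\Software\\Classes over HKLM\\Software\\Classes,
    so a per-user InprocServer32 takes precedence over the machine-wide one.
    """
    for hive in (HKCU, HKLM):
        dll = snapshot.get(hive, {}).get(clsid)
        if dll:
            return dll, hive
    return None, None


def find_hijacks(snapshot):
    """Flag HKCU InprocServer32 entries that shadow an HKLM CLSID.

    Severity is 'high' when the per-user DLL sits in a user-writable path
    (the usual shape of a COM hijack) and 'medium' otherwise.
    """
    findings = []
    machine = snapshot.get(HKLM, {})
    for clsid, dll in snapshot.get(HKCU, {}).items():
        if clsid not in machine:
            continue  # per-user-only registration: noisy, but not a shadow
        severity = "high" if USER_WRITABLE.match(dll) else "medium"
        findings.append({"clsid": clsid, "user_dll": dll,
                         "machine_dll": machine[clsid], "severity": severity})
    return findings


def snapshot_from_live_registry():
    """On a Windows host, build the same snapshot shape from the real hives."""
    import winreg  # only available on Windows
    out = {HKLM: {}, HKCU: {}}
    roots = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}
    for hive, root in roots.items():
        try:
            base = winreg.OpenKey(root, r"Software\Classes\CLSID")
        except OSError:
            continue  # the user hive may have no CLSID key at all
        with base:
            i = 0
            while True:
                try:
                    clsid = winreg.EnumKey(base, i)
                except OSError:
                    break
                i += 1
                try:
                    out[hive][clsid] = winreg.QueryValue(base, clsid + r"\InprocServer32")
                except OSError:
                    pass  # class has no in-process server
    return out


if __name__ == "__main__":
    for finding in find_hijacks(SNAPSHOT):
        print(finding)
```

On a real host, feed `snapshot_from_live_registry()` into `find_hijacks()`; expect a handful of medium findings from per-user software that legitimately re-registers classes, and treat any high finding (an HKLM class shadowed by a DLL under the profile) as something to pull for analysis.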
Deployment of Covenant C2 and Additional Malware
The final stage of the compromise was the deployment of Covenant, an open-source .NET command-and-control (C2) framework used for post-exploitation and remote control of compromised hosts. APT28 had previously leveraged Covenant in mid-2025 to deliver malware families such as BeardShell and SlimAgent, indicating that the framework is now a stable part of the group's arsenal.
For communication with its C2 servers, the group used the cloud file-hosting service Filen. Routing C2 traffic through a legitimate cloud provider makes network-based detection and blocking significantly harder: the traffic is TLS to a reputable domain and blends into normal cloud usage, so blocking the destination outright may not be an option for organizations that use the service legitimately.
Alongside Covenant, the operation distributed at least two additional malware components:
- MiniDoor – a credential and data stealer focused on Microsoft Outlook, abusing macros and client automation features to access and exfiltrate email contents.
- PixyNetLoader – a loader used to deploy Covenant Grunt agents with capabilities for remote access, data collection, lateral movement, and other post-exploitation tasks.
Strategic Implications and Key Cybersecurity Lessons
The combination of a Microsoft Office zero-day (CVE-2026-21509), multilingual spear-phishing, COM hijacking, steganography, and cloud-based C2 channels demonstrates a mature, multi-layered intrusion strategy. Operations of this type are not designed for quick hits: they aim for long-term covert access, internal reconnaissance, and preparation for potential disruptive or influence campaigns.
This incident carries several lessons for organizations, especially in Ukraine and across Europe's government, defense, and critical infrastructure sectors:
- Accelerated patch management: Emergency patches for Office and Windows should be tested and deployed within hours or, at most, a few days. The effective exposure window now begins as soon as a patch is released and adversaries start reverse engineering it.
- Strengthened email security: Deploy advanced attachment and URL filtering, document sandboxing, and continuous phishing awareness training that uses localized, high-quality lures of the kind seen here. Multi-factor authentication does not stop a malicious attachment, but it limits what the mailbox credentials stolen by tools such as MiniDoor are worth elsewhere.
- Monitoring of subtle persistence mechanisms: Log and analyze anomalous COM activity (new InprocServer32 values under HKCU\Software\Classes\CLSID, particularly ones pointing at DLLs in user-writable paths), new or modified scheduled tasks (Security event 4698, or task registration events in the TaskScheduler operational log), and unexpected WebDAV usage (WebClient service activity and Microsoft-WebDAV-MiniRedir requests to external hosts). Each of these is a reliable early indicator of compromise.
- Restrictive Office macro policies: Disable macros by default and implement a policy of "macros only from trusted, signed sources," especially for high-risk departments such as finance, legal, and executive leadership. Note that macro policy alone would not have blocked this chain, which abused COM/OLE handling rather than VBA; pair it with attack surface reduction rules such as blocking Office applications from creating child processes or executable content, which cut off the typical next step after a document exploit fires.
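Two of the monitoring signals in the list above, unexpected WebDAV usage and suspicious scheduled-task creation, written as hunt rules over constructed telemetry. This is an added example, not code from the article or from the Zscaler report. The record shapes are a made-up SIEM export; hosts, user names, SIDs and the internal WebDAV allowlist are invented. The task name OneDriveHealth, the DLL EhStoreShell.dll and the image SplashScreen.png are taken from the reporting, but the rundll32 task action is an assumed illustration, not something the report describes.

```python
"""
Added example, not taken from the article or from the Zscaler report: hunt
rules for external WebDAV traffic and suspicious scheduled-task creation,
run over constructed telemetry records.

Assumptions (labelled): record shapes are a made-up SIEM export; hosts,
SIDs, user names and paths are invented. OneDriveHealth, EhStoreShell.dll
and SplashScreen.png are from the reporting; the rundll32 action is assumed.
"""
import re

# Constructed proxy log. The Windows WebClient service (WebDAV Mini-Redirector)
# identifies itself with this user agent and opens with a PROPFIND.
PROXY_LOG = [
    {"src": "10.1.2.3", "dst_host": "sharepoint.corp.example", "method": "PROPFIND",
     "user_agent": "Microsoft-WebDAV-MiniRedir/10.0.19045", "path": "/sites/doc/"},
    {"src": "10.1.2.3", "dst_host": "203.0.113.10", "method": "PROPFIND",
     "user_agent": "Microsoft-WebDAV-MiniRedir/10.0.19045", "path": "/share/"},
    {"src": "10.1.2.3", "dst_host": "203.0.113.10", "method": "GET",
     "user_agent": "Microsoft-WebDAV-MiniRedir/10.0.19045", "path": "/share/SplashScreen.png"},
    {"src": "10.1.2.4", "dst_host": "www.example.org", "method": "GET",
     "user_agent": "Mozilla/5.0", "path": "/"},
]

# Constructed Security event 4698 ("A scheduled task was created") records,
# with the action already extracted from the task XML.
TASK_EVENTS = [
    {"event_id": 4698, "task_name": r"\OneDriveHealth",
     "command": r"C:\Windows\System32\rundll32.exe",
     "arguments": r"C:\Users\victim\AppData\Local\Microsoft\EhStoreShell.dll,#1"},
    {"event_id": 4698,
     "task_name": r"\OneDrive Standalone Update Task-S-1-5-21-1111-2222-3333-1001",
     "command": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "arguments": ""},
    {"event_id": 4624, "task_name": "", "command": "", "arguments": ""},  # unrelated
]

INTERNAL_WEBDAV_HOSTS = {"sharepoint.corp.example"}  # constructed allowlist
USER_WRITABLE = re.compile(
    r"(?i)(C:\\Users\\|C:\\ProgramData\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%)")
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe"}
# Legitimate OneDrive tasks carry the user's SID as a name suffix.
ONEDRIVE_WITH_SID = re.compile(r"(?i)^\\OneDrive .*-S-1-5-21-")


def webdav_findings(proxy_log, allow=INTERNAL_WEBDAV_HOSTS):
    """Mini-Redirector (WebDAV) requests to hosts outside the allowlist."""
    out = []
    for rec in proxy_log:
        if not rec.get("user_agent", "").startswith("Microsoft-WebDAV-MiniRedir"):
            continue
        if rec["dst_host"] in allow:
            continue
        out.append({"rule": "external_webdav", "src": rec["src"],
                    "dst": rec["dst_host"], "method": rec["method"],
                    "path": rec["path"]})
    return out


def task_findings(events):
    """4698 task creations that use a LOLBin, touch a user-writable path,
    or borrow the OneDrive name without the SID suffix real tasks carry."""
    out = []
    for ev in events:
        if ev.get("event_id") != 4698:
            continue
        exe = ev["command"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe in LOLBINS:
            reasons.append("lolbin:" + exe)
        if USER_WRITABLE.search(ev["command"] + " " + ev["arguments"]):
            reasons.append("user_writable_path")
        name = ev["task_name"]
        if "onedrive" in name.lower() and not ONEDRIVE_WITH_SID.match(name):
            reasons.append("onedrive_name_without_sid")
        if not reasons:
            continue
        # One weak signal is common for per-user software; two or more is worth a look.
        severity = "high" if len(reasons) >= 2 else "low"
        out.append({"rule": "suspicious_task", "task": name,
                    "reasons": reasons, "severity": severity})
    return out


if __name__ == "__main__":
    for finding in webdav_findings(PROXY_LOG) + task_findings(TASK_EVENTS):
        print(finding)
```

The two rules are deliberately independent so they can be scheduled separately; correlating them by source host and time window (a WebDAV fetch from an Office process followed within minutes by a 4698 from the same user) is the obvious next step and is where the false-positive rate drops sharply.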
Organizations that tighten their vulnerability management processes, rigorously control Office and email usage, and invest in modern threat detection covering endpoints, identity, and network telemetry significantly reduce the likelihood that groups like APT28 can gain and keep a foothold in their environments. Proactive monitoring for techniques such as COM hijacking, suspicious scheduled tasks, and C2 traffic hidden in legitimate cloud services is no longer optional; it is a prerequisite for resilience in the current threat landscape.