Russian APT28 Exploits Microsoft Office Zero-Day Within Days of Patch Release
Russia-linked advanced persistent threat (APT) group APT28 (also known as Fancy Bear, Sofacy, or Sednit) has rapidly weaponized CVE-2026-21509, a recently patched zero-day vulnerability in Microsoft Office, to conduct cyber-espionage attacks targeting organizations in Central and Eastern Europe.
The flaw, a security feature bypass in Microsoft 365 and Office, allows attackers to execute arbitrary code via unsafe COM/OLE behavior. Microsoft released a patch on January 26, 2026, after confirming active exploitation, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities Catalog the same day.
APT28 began exploiting the vulnerability just three days later, on January 29, as part of a campaign tracked by Zscaler as Operation Neusploit. The attacks use malicious Microsoft Rich Text Format (RTF) documents to trigger a multistage infection chain, delivering payloads designed to steal emails and establish persistence on compromised systems.
Key Attack Details
- Exploitation Method: APT28 leverages phishing lures in English, Romanian, Slovak, and Ukrainian, employing server-side filtering to deliver malicious DLLs only to targeted regions and systems with expected headers.
- Malware Payloads:
  - MiniDoor: A lightweight Visual Basic for Applications (VBA) tool designed to exfiltrate emails from Microsoft Outlook.
  - PixyNetLoader: A more complex dropper that deploys nested malicious code, ultimately loading a Covenant Grunt backdoor (a repurposed penetration testing tool).
- Command-and-Control (C2): APT28 abuses Filen.io, a legitimate cloud service, for C2 communications, prompting recommendations to monitor or block related traffic.
- Evasion Techniques: The attack chain includes WebDAV downloads, COM hijacking, shellcode hidden in PNG files, and the use of the Covenant framework for post-exploitation.
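Two of the details above translate directly into network-log detection: the abuse of Filen.io for C2 (the basis of the monitor-or-block recommendation) and the WebDAV download step that delivers the malicious DLL. The following Python is an added example written for this summary; it is not code from the article, Zscaler, Xcape, or Microsoft. The proxy log format, the sample lines, the internal address ranges, and the assumption that the Windows WebDAV client identifies itself with a "Microsoft-WebDAV-MiniRedir" user-agent prefix are all constructed for the example. Domain matching is done on the exact host or a subdomain rather than a substring, so an unrelated host whose name merely contains "filen.io" is not flagged.

```python
"""Flag proxy-log entries matching two indicators described in the Operation
Neusploit write-up: traffic to Filen.io (abused as C2) and WebDAV-client
fetches of DLL files from external hosts (the staging step that delivers the
malicious DLL). Log format, user-agent prefix and sample lines are constructed
for this example.
"""
import shlex
from urllib.parse import urlsplit

# Domain named in the article as abused for C2; matched as exact host or subdomain.
WATCHED_C2_DOMAINS = ("filen.io",)

# Assumption: the Windows WebDAV mini-redirector sends a user agent with this prefix.
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"

# Address prefixes treated as internal for the "external host" test (constructed).
INTERNAL_PREFIXES = ("10.", "192.168.")


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it (never a substring match)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_line(line):
    """Parse one constructed log line: ts src method url "user-agent" status."""
    parts = shlex.split(line)  # keeps the quoted user agent as one token
    if len(parts) != 6:
        return None
    ts, src, method, url, ua, status = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua, "status": status}


def classify(entry):
    """Return the list of indicator names the entry triggers (empty if none)."""
    hits = []
    parsed = urlsplit(entry["url"])
    host = parsed.hostname or ""
    if any(host_matches(host, d) for d in WATCHED_C2_DOMAINS):
        hits.append("c2_filen_io")
    is_webdav = entry["ua"].startswith(WEBDAV_UA_PREFIX)
    is_dll = parsed.path.lower().endswith(".dll")
    is_external = not host.startswith(INTERNAL_PREFIXES)
    if is_webdav and is_dll and is_external:
        hits.append("webdav_dll_fetch")
    return hits


def scan(lines):
    """Return (ts, src, url, indicators) for every log entry that triggers an indicator."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ts"], entry["src"], entry["url"], hits))
    return findings


# Constructed sample log: one C2 hit, one WebDAV DLL fetch from a TEST-NET address,
# one look-alike domain, one internal WebDAV document fetch, one PROPFIND without a DLL.
SAMPLE_LOG = [
    '2026-01-29T09:12:44Z 10.0.0.21 GET https://app.filen.io/api/v3/upload "Mozilla/5.0" 200',
    '2026-01-29T09:13:01Z 10.0.0.21 GET http://203.0.113.10/share/update.dll "Microsoft-WebDAV-MiniRedir/10.0.19045" 200',
    '2026-01-29T09:14:10Z 10.0.0.22 GET https://notfilen.io/login "Mozilla/5.0" 200',
    '2026-01-29T09:15:00Z 10.0.0.23 GET http://10.0.0.50/docs/report.docx "Microsoft-WebDAV-MiniRedir/10.0.19045" 200',
    '2026-01-29T09:16:30Z 10.0.0.24 PROPFIND http://203.0.113.10/share/ "Microsoft-WebDAV-MiniRedir/10.0.19045" 207',
]

if __name__ == "__main__":
    for ts, src, url, hits in scan(SAMPLE_LOG):
        print(ts, src, url, ",".join(hits))
```

Running the block prints two findings from the constructed log: the Filen.io upload and the external DLL fetched by the WebDAV client; the look-alike domain, the internal document fetch and the directory listing are left alone. The same two checks can be dropped into a SIEM query by keeping the host-suffix rule and the user-agent prefix as separate conditions.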
Impact & Response
Security researchers, including Zscaler’s Deepen Desai and Xcape’s Noelle Murata, emphasize the speed and sophistication of APT28’s exploitation. While no other threat groups have been observed abusing the flaw yet, proof-of-concept (PoC) exploits have been released, increasing the risk of broader adoption.
Microsoft has provided registry configurations to mitigate the vulnerability, though organizations must restart Office applications for protections to take effect. The incident underscores the rapid weaponization of vulnerabilities by state-sponsored actors, particularly those with the resources to exploit complex flaws before widespread patching occurs.
Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security
{
  "id": "MIC1770195437",
  "linkid": "microsoft-security",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [{"location": "Central and Eastern Europe", "type": "Organizations"}],
  "attack_vector": "Phishing (Malicious RTF Documents)",
  "data_breach": {
    "data_exfiltration": "Yes (MiniDoor tool for email exfiltration)",
    "file_types_exposed": "RTF, DLL, PNG (shellcode)",
    "sensitivity_of_data": "High (Potential classified or sensitive communications)",
    "type_of_data_compromised": "Emails"
  },
  "date_detected": "2026-01-29",
  "date_publicly_disclosed": "2026-01-26",
  "description": "Russia-linked advanced persistent threat (APT) group APT28 (also known as Fancy Bear, Sofacy, or Sednit) has rapidly weaponized CVE-2026-21509, a recently patched zero-day vulnerability in Microsoft Office, to conduct cyber-espionage attacks targeting organizations in Central and Eastern Europe. The flaw allows attackers to execute arbitrary code via unsafe COM/OLE behavior. APT28 began exploiting the vulnerability just three days after Microsoft released a patch on January 26, 2026, as part of a campaign tracked as Operation Neusploit. The attacks use malicious Microsoft Rich Text Format (RTF) documents to deliver payloads designed to steal emails and establish persistence on compromised systems.",
  "impact": {
    "data_compromised": "Emails, System Persistence",
    "operational_impact": "Email exfiltration, Backdoor establishment",
    "systems_affected": "Microsoft Office, Microsoft 365, Microsoft Outlook"
  },
  "initial_access_broker": {
    "backdoors_established": "Covenant Grunt backdoor",
    "entry_point": "Phishing (Malicious RTF Documents)"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "The incident underscores the rapid weaponization of vulnerabilities by state-sponsored actors, particularly those with the resources to exploit complex flaws before widespread patching occurs.",
  "motivation": "Espionage",
  "post_incident_analysis": {
    "corrective_actions": "Patch deployment, enhanced monitoring, registry mitigations, phishing awareness training",
    "root_causes": "Unpatched Microsoft Office vulnerability (CVE-2026-21509), phishing attacks"
  },
  "recommendations": [
    "Apply Microsoft's patch for CVE-2026-21509 immediately",
    "Restart Office applications to ensure protections take effect",
    "Monitor or block traffic to Filen.io for C2 communications",
    "Implement registry configurations to mitigate the vulnerability",
    "Enhance phishing awareness and email security measures"
  ],
  "references": [
    {"source": "Zscaler"},
    {"source": "Xcape (Noelle Murata)"},
    {"source": "Microsoft"},
    {"source": "CISA Known Exploited Vulnerabilities Catalog"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": "CISA Known Exploited Vulnerabilities Catalog (January 26, 2026)"
  },
  "response": {
    "containment_measures": "Registry configurations to mitigate the vulnerability, monitoring/blocking Filen.io traffic",
    "enhanced_monitoring": "Monitoring for Filen.io C2 traffic",
    "remediation_measures": "Microsoft patch (January 26, 2026), restarting Office applications for protections to take effect",
    "third_party_assistance": "Zscaler, Xcape"
  },
  "threat_actor": "APT28 (Fancy Bear, Sofacy, Sednit)",
  "title": "Russian APT28 Exploits Microsoft Office Zero-Day Within Days of Patch Release",
  "type": "Cyber-Espionage",
  "vulnerability_exploited": "CVE-2026-21509 (Microsoft Office Security Feature Bypass)"
}