Fancy Bear (APT28) Launches "Operation Neusploit" Exploiting Zero-Day in Microsoft RTF Files
The Russia-linked cyber espionage group Fancy Bear (APT28, Sofacy, Sednit) has initiated Operation Neusploit, a sophisticated campaign leveraging CVE-2026-21509, a zero-day vulnerability in Microsoft RTF files. The flaw enables arbitrary code execution, allowing attackers to deploy backdoors and email-stealing malware on compromised systems.
The campaign primarily targets government and military organizations in Central and Eastern Europe, with a focus on Ukraine, Slovakia, and Romania. Attackers distribute malicious RTF documents via phishing emails, using social engineering lures in English, Romanian, Slovak, and Ukrainian. These documents often mimic official government communications to increase credibility.
Once opened, the exploit triggers a multi-stage infection chain. The malware employs evasion techniques, checking User-Agent strings and geographic locations before delivering its payload. If conditions are met, it downloads a malicious dropper DLL, which installs additional components like MiniDoor and PixyNetLoader.
MiniDoor modifies registry keys to downgrade Outlook security settings and extracts encrypted scripts that steal emails, while PixyNetLoader uses steganography, hiding malicious shellcode inside PNG files. The malware establishes persistent access via COM hijacking, so it survives reboots and evades detection.
The attack exfiltrates sensitive data from Microsoft Outlook, monitoring and saving emails before sending them to attacker-controlled servers. Communication with command-and-control servers is encrypted, further complicating detection.
Key Details:
- Vulnerability: CVE-2026-21509 (RTF parsing flaw)
- Patch Released: January 26, 2026 (out-of-band update)
- First Detected: January 29, 2026
- Attack Vector: Phishing emails with malicious RTF attachments
- Impact: Backdoor deployment, email theft, persistent access
Polyswarm analysts identified the malware, noting its ability to bypass traditional security measures. The campaign underscores the ongoing threat posed by state-sponsored actors to critical infrastructure in the region.
Source: https://cybersecuritynews.com/fancy-bear-hackers-exploiting-microsoft-zero-day-vulnerability/
Secretariat of Cabinet of Ministers of Ukraine cybersecurity rating report: https://www.rankiteo.com/company/secretariat-of-cabinet-of-ministers-of-ukraine
National Council of the Slovak Republic cybersecurity rating report: https://www.rankiteo.com/company/national-council-of-the-slovak-republic
{
  "id": "SECNAT1770724511",
  "linkid": "secretariat-of-cabinet-of-ministers-of-ukraine, national-council-of-the-slovak-republic",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "100",
  "impact": "8",
  "explanation": "Attack that could bring to a war"
}
{
  "affected_entities": [
    {
      "industry": "Government/Military",
      "location": "Ukraine, Slovakia, Romania",
      "type": "Government"
    },
    {
      "industry": "Government/Military",
      "location": "Ukraine, Slovakia, Romania",
      "type": "Military"
    }
  ],
  "attack_vector": "Phishing emails with malicious RTF attachments",
  "data_breach": {
    "data_encryption": "Encrypted communication with C2 servers",
    "data_exfiltration": "Yes",
    "file_types_exposed": "Emails, RTF files",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Emails, Sensitive communications"
  },
  "date_detected": "2026-01-29",
  "description": "Fancy Bear (APT28) launched Operation Neusploit, a campaign exploiting CVE-2026-21509, a zero-day vulnerability in Microsoft RTF files. The flaw enables arbitrary code execution, allowing attackers to deploy backdoors and email-stealing malware on compromised systems. The campaign targets government and military organizations in Central and Eastern Europe, particularly Ukraine, Slovakia, and Romania, via phishing emails with malicious RTF attachments.",
  "impact": {
    "data_compromised": "Sensitive emails from Microsoft Outlook",
    "operational_impact": "Persistent access to compromised systems, email theft",
    "systems_affected": "Government and military organizations' systems with Microsoft Outlook"
  },
  "initial_access_broker": {
    "backdoors_established": "MiniDoor, PixyNetLoader",
    "entry_point": "Phishing emails with malicious RTF attachments",
    "high_value_targets": "Government and military organizations"
  },
  "motivation": "Espionage, Data Theft",
  "post_incident_analysis": {
    "corrective_actions": "Patch management, phishing resistance training, enhanced monitoring for registry modifications and COM hijacking, steganography detection",
    "root_causes": "Exploitation of zero-day vulnerability (CVE-2026-21509), lack of patching, phishing susceptibility"
  },
  "recommendations": "Apply Microsoft's out-of-band patch for CVE-2026-21509, enhance phishing awareness training, monitor for unusual registry modifications and COM hijacking, and implement steganography detection tools.",
  "references": [
    {
      "source": "Polyswarm"
    }
  ],
  "response": {
    "remediation_measures": "Microsoft released an out-of-band patch (January 26, 2026)",
    "third_party_assistance": "Polyswarm analysts"
  },
  "threat_actor": "Fancy Bear (APT28, Sofacy, Sednit)",
  "title": "Operation Neusploit by Fancy Bear (APT28)",
  "type": "Cyber Espionage",
  "vulnerability_exploited": "CVE-2026-21509 (RTF parsing flaw)"
}