Ukraine’s Computer Emergency Response Team (CERT) says that Russian hackers are exploiting CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office.
On January 26, Microsoft released an emergency out-of-band security update marking CVE-2026-21509 as an actively exploited zero-day flaw.
CERT-UA detected the distribution of malicious DOC files exploiting the flaw, themed around EU COREPER consultations in Ukraine, just three days after Microsoft's alert.
In other cases, the emails impersonated the Ukrainian Hydrometeorological Center and were sent to over 60 government-related addresses.
However, the agency says that the metadata associated with the document shows that it was created one day after the emergency update.
The Ukrainian CERT attributed these attacks to APT28, a nation-state threat actor also known as Fancy Bear and Sofacy and associated with Russia's General Staff Main Intelligence Directorate (GRU).
Opening the malicious document triggers a WebDAV-based download chain that installs malware via COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png), and a scheduled task (OneDriveHealth).
Malicious document triggering exploitation of CVE-2026-21509
Source: CERT-UA
“The scheduled task execution leads to termination and restart of the explorer.exe process, which, among other things, thanks to COM hijacking, ensures loading of the “EhStoreShell.dll” file,” CERT-UA says in the report.
... continue reading