
Russian Hackers Weaponize Microsoft Office Bug in Just 3 Days


In the latest illustration of how quickly attackers can exploit newly disclosed flaws, Russia's notorious APT28 cyber-espionage group has begun abusing a recently patched Microsoft vulnerability to steal emails and deploy malicious payloads against organizations in Central and Eastern Europe.

CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office for which Microsoft rushed an out-of-cycle patch on Jan. 26 after confirming active zero-day exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its database of known exploited vulnerabilities at the time.

Speedy Exploit

According to Zscaler researchers, APT28 began exploiting the flaw just three days later, on Jan. 29, as part of a campaign they are tracking as Operation Neusploit. The attacks rely on specially crafted Microsoft Rich Text Format (RTF) documents to trigger the vulnerability and kick off a multistage infection chain that delivers different malicious payloads, Zscaler said in a report this week.


To increase the likelihood of success, the threat actor is using phishing lures written in English as well as localized versions in Romanian, Slovak, and Ukrainian. As part of an effort to maintain a low profile, APT28 is employing server-side filtering to deliver the malicious dynamic link libraries (DLLs) only when requests originate from the targeted geographic regions and also carry the expected email or client headers.

"We cannot confirm whether the CVE-2026-21509 exploitation activity observed in the wild by Microsoft is the same as Operation Neusploit," says Deepen Desai, executive vice president and chief security officer (CSO) at Zscaler, in comments to Dark Reading. "We can confirm that we are actively collaborating with Microsoft and sharing our Operation Neusploit findings."

A Long-Standing Threat

APT28, also known as Fancy Bear, Sofacy, and Sednit, is a Russia-linked advanced persistent threat (APT) group that the US government and others have attributed to Russia's GRU military intelligence service. The cyber-espionage group has been active since at least 2007 and is known for its ability to rapidly weaponize new vulnerabilities and constantly evolve its arsenal of malicious tools. It is associated with numerous attacks on government entities, military organizations, security firms, and critical infrastructure targets in North America, Europe, and elsewhere. Other high-profile attacks include a breach of the Democratic National Committee and attacks on the World Anti-Doping Agency.

