
Security Alert: APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks

Russian APT28 Exploits Microsoft Office Flaw in Espionage Campaign

In a concerning development for cybersecurity, the Russian state-sponsored hacking group APT28 has been observed exploiting a recently disclosed Microsoft Office vulnerability to conduct espionage-focused malware attacks across Eastern Europe. The campaign, dubbed Operation Neusploit, demonstrates the sophisticated tactics employed by advanced persistent threat actors to infiltrate government and organizational networks.

The vulnerability at the center of these attacks, identified as CVE-2026-21509, is a security feature bypass flaw in Microsoft Office with a CVSS score of 7.8. That rating places it in the high-severity range: an unauthorized attacker can deliver a specially crafted Office file that, once opened, bypasses the protection and triggers malicious code execution. Microsoft publicly disclosed the flaw on January 26, 2026, and just three days later security researchers observed APT28 actively weaponizing it in targeted attacks.

Targeted Geographic Focus and Social Engineering Tactics

The campaign has specifically targeted users in Ukraine, Slovakia, and Romania, employing carefully crafted social engineering lures in both English and local languages. This localization strategy suggests a deliberate attempt to maximize the effectiveness of the attacks by ensuring that the deceptive content resonates with the intended victims in each country.

Security researchers from Zscaler ThreatLabz noted that the threat actors implemented server-side evasion techniques. The malicious dynamic-link library (DLL) files were delivered only when a request originated from one of the targeted geographic regions and carried the expected User-Agent HTTP header. Gating delivery this way helps the attackers avoid detection by security researchers and automated scanning systems whose requests come from outside the targeted regions or use a different client.

Two-Pronged Malware Delivery Strategy

The attack chains observed in Operation Neusploit employ a two-pronged approach to malware delivery. The first method involves exploiting the Microsoft Office vulnerability through a malicious Rich Text Format (RTF) file to deliver a dropper that subsequently installs MiniDoor, an Outlook email stealer. The second approach uses a different dropper called PixyNetLoader, which facilitates the deployment of a COVENANT Grunt implant.

MiniDoor, written in C++, is designed to steal emails from various folders including Inbox, Junk, and Drafts, forwarding them to two hard-coded threat actor email addresses. Security analysts have assessed that MiniDoor is a stripped-down version of NotDoor (also known as GONEPOSTAL), a malware variant documented by S2 Grupo LAB52 in September 2025. This evolution of existing malware tools demonstrates APT28's ongoing refinement of their cyber espionage toolkit.

Advanced Persistence and Evasion Techniques

The PixyNetLoader infection chain represents a more sophisticated attack methodology. This dropper is responsible for delivering additional components embedded within it and establishing persistence on compromised hosts using COM object hijacking. Among the extracted payloads are a shellcode loader named "EhStoreShell.dll" and a PNG image file called "SplashScreen.png."
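The COM object hijacking used for persistence above typically shows up as a per-user CLSID whose InprocServer32 value points at a DLL in a user-writable directory. The following triage helper is an added example (not code from the article or from any vendor report) that parses a registry export in .reg format and flags such entries; the CLSIDs, paths and the "user-writable directory" heuristic are constructed assumptions, not indicators from the page.

```python
import re

# Constructed per-user registry export with placeholder CLSIDs (not real IoCs).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\EhStoreShell.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000003}]
@="Some unrelated class"
"""

# A per-user CLSID InprocServer32 key: HKCU entries shadow HKLM ones for that user.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the (Default) value line of a .reg section
# Assumed heuristic: a server DLL living under a user-writable location is suspicious.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def find_user_com_hijacks(reg_text: str) -> list:
    """Return (clsid, dll_path) pairs for per-user InprocServer32 values in user-writable dirs."""
    hits, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)  # entering an InprocServer32 section we care about
            continue
        if line.startswith("["):
            current = None  # any other key: stop tracking until the next match
            continue
        d = DEFAULT_RE.match(line)
        if current and d:
            path = d.group(1).replace("\\\\", "\\")  # .reg escapes backslashes
            if any(tok in path.lower() for tok in USER_WRITABLE):
                hits.append((current, path))
    return hits
```

Run it against `reg export HKCU\Software\Classes\CLSID` output from a host under investigation; every hit should be checked against the legitimate HKLM registration of the same CLSID.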

The shellcode loader employs steganography to conceal malicious code within the PNG image, a technique that allows the malware to hide in plain sight. Notably, the loader only activates its malicious logic under specific conditions: the infected machine must not be an analysis environment, and the host process that launched the DLL must be "explorer.exe." If these conditions are not met, the malware remains dormant, significantly complicating detection and analysis efforts by security researchers.

The shellcode ultimately loads an embedded .NET assembly, which is a Grunt implant associated with the open-source .NET COVENANT command-and-control framework. This framework provides APT28 with robust capabilities for maintaining persistent access to compromised systems and exfiltrating sensitive data.

Connection to Previous Operations and Evolving Tradecraft

Security researchers have identified significant overlaps between Operation Neusploit and APT28's previous campaign, Operation Phantom Net Voxel, which was highlighted by Sekoia in September 2025. While the earlier campaign utilized VBA macros for initial access, the current operation replaces this with DLL-based exploitation while retaining similar techniques including COM hijacking, DLL proxying, XOR string encryption, and the use of steganography within PNG files.

This evolution in tactics demonstrates APT28's adaptability and their continuous refinement of established methodologies. The group's ability to quickly transition from macro-based attacks to exploiting newly disclosed vulnerabilities indicates a high level of operational readiness and technical sophistication.

Broader Implications and Regional Security Concerns

The Computer Emergency Response Team of Ukraine (CERT-UA) has also issued warnings about APT28's exploitation of CVE-2026-21509, reporting that the group targeted more than 60 email addresses associated with central executive authorities in Ukraine. Metadata analysis of the lure documents revealed creation dates of January 27, 2026, suggesting the campaign was being prepared even before the vulnerability was publicly disclosed.

During investigations, researchers found that opening the malicious documents in Microsoft Office caused the application to establish network connections to external resources over the WebDAV protocol. This highlights the multifaceted nature of the attacks, which combine vulnerability exploitation with network-level techniques to establish and maintain access to compromised systems.

While this particular campaign has focused on Eastern European targets, the techniques employed by APT28 represent a broader threat to organizations worldwide. The rapid weaponization of newly disclosed vulnerabilities, sophisticated evasion techniques, and persistent targeting of government entities underscore the ongoing challenges faced by cybersecurity professionals in defending against state-sponsored threat actors.

The disclosure of Operation Neusploit serves as a stark reminder of the importance of timely software updates and robust security measures. Organizations in all sectors, particularly those in government and critical infrastructure, must remain vigilant against such sophisticated threats and implement comprehensive security strategies that include regular patching, network monitoring, and employee training to recognize social engineering attempts.