Fancy Bear Targets Ukraine, EU with Microsoft Office Flaw

Summary
– The Russian-linked hacking group Fancy Bear exploited a high-severity Microsoft Office vulnerability (CVE-2026-21509) to attack Ukrainian and EU organizations.
– The attack used a malicious Word document that, when opened, downloaded a payload and executed a chain of actions, including COM hijacking and deploying the Covenant C2 framework.
– CERT-UA identified the malicious document on January 29, noting it was created the day after Microsoft’s public disclosure of the vulnerability on January 26.
– The attack campaign involved emails impersonating a Ukrainian agency and targeted over 60 government addresses, with additional documents later found targeting EU countries.
– Microsoft confirmed active exploitation and urged users to update, while CERT-UA recommended blocking the Filen cloud service used for command and control and applying Microsoft’s mitigations.
A Russian-linked cyber espionage group known as Fancy Bear has been observed actively exploiting a high-severity Microsoft Office vulnerability to target organizations in Ukraine and the European Union. The campaign, detailed by Ukraine’s national Computer Emergency Response Team (CERT-UA), leverages a flaw in Microsoft Office’s security mechanisms to bypass protections and deploy sophisticated malware. This activity underscores the persistent threat posed by state-aligned actors to governmental and critical infrastructure entities and highlights the urgent need for prompt software updates and heightened network monitoring.
The Ukrainian cyber threat intelligence unit issued its public warning on February 2nd. Its investigation began on January 29th with the discovery of a malicious Word document titled ‘ConsultationTopicsUkraine(Final).doc’. This file weaponized a vulnerability tracked as CVE-2026-21509, a high-severity flaw with a CVSS score of 7.8. The vulnerability, which Microsoft disclosed on January 26th, stems from an over-reliance on untrusted inputs within Office’s security decisions. It allows attackers to circumvent object linking and embedding (OLE) mitigations, which normally shield users from malicious COM and OLE controls.
Microsoft’s own advisory confirmed it had detected active exploitation of this flaw. The company strongly urged users of Office 2016 and 2019 to install the available security update immediately. For customers on Office 2021 and later versions, protection is delivered via a service-side update, though a restart of Office applications is required for it to become effective. CERT-UA analysts warned that given the likely delay in users applying patches, a significant increase in attacks exploiting this vulnerability is expected.
Analysis of the malicious document’s metadata showed it was created on January 27th, just one day after Microsoft’s public disclosure, indicating a rapid operational turnaround by the threat actors. The document was crafted to appear related to consultations by the EU’s Committee of Permanent Representatives (COREPER) concerning Ukraine. On that same day, CERT-UA also received reports of a separate phishing campaign. This involved emails spoofing the Ukrainian Hydrometeorological Center (UkrHMC) and containing an attachment named ‘BULLETEN_H.doc’, which was sent to over sixty addresses within Ukrainian government bodies.
The attack chain is technically intricate. When the malicious document is opened in a vulnerable version of Microsoft Office, it initiates a network connection via the WebDAV protocol to an external server. This connection downloads a file disguised as a Windows shortcut (LNK), which contains code to fetch and execute a final payload. Successful execution triggers a multi-stage process designed to establish persistence and control.
This process includes creating a malicious DLL file named “EhStoreShell.dll” to mimic a legitimate Windows library, generating an image file containing shellcode, and modifying a specific Windows Registry Class ID (CLSID) to achieve COM hijacking. A scheduled task named ‘OneDriveHealth’ is also created. The culmination of these actions forces the `explorer.exe` process to restart, which then loads the malicious DLL through the hijacked COM object. This DLL executes the shellcode, ultimately deploying the Covenant command and control framework on the infected system.
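As an added defender-side example (not code from CERT-UA or from the article), the following Python hunt runs over constructed Sysmon-style events for the three persistence indicators the report names: a user-hive CLSID InprocServer32 write used for COM hijacking, a scheduled task named OneDriveHealth, and explorer.exe loading a DLL named EhStoreShell.dll from a user profile path. The CLSID value and every event field are constructed placeholders; the report does not publish the real CLSID, and the benign System32 load is included only as a contrast case.

```python
import re

# Constructed sample events modelled on Sysmon event types. None of these
# values come from the CERT-UA report; the CLSID is a labelled placeholder.
SAMPLE_EVENTS = [
    {"event": "RegistryValueSet", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32\(Default)",
     "details": r"C:\Users\user\AppData\Local\EhStoreShell.dll"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn OneDriveHealth /tr rundll32.exe"},
    {"event": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Users\user\AppData\Local\EhStoreShell.dll"},
    # Assumed-benign contrast case: a System32 library whose name is close but not identical.
    {"event": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\EhStorShell.dll"},
]

# A per-user CLSID handler registration shadows the machine-wide one; that
# is the registry write that makes COM hijacking work.
COM_HANDLER_RE = re.compile(r"\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)
TASK_NAME_RE = re.compile(r"/tn\s+\"?OneDriveHealth\b", re.I)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_profile(path: str) -> bool:
    return "\\users\\" in path.lower()


def hunt(events):
    """Return (rule_name, event) pairs for events matching the report's indicators."""
    hits = []
    for ev in events:
        kind = ev["event"]
        if kind == "RegistryValueSet" and COM_HANDLER_RE.search(ev["target"]):
            # User hive (HKU/HKCU) handler pointing outside the system directories.
            if ev["target"].upper().startswith("HKU\\") and not in_system_dir(ev["details"]):
                hits.append(("com_hijack_user_clsid", ev))
        elif kind == "ProcessCreate" and ev["image"].lower().endswith("schtasks.exe"):
            if TASK_NAME_RE.search(ev["cmdline"]):
                hits.append(("sched_task_onedrivehealth", ev))
        elif kind == "ImageLoad" and ev["image"].lower().endswith("explorer.exe"):
            dll = ev["loaded"].rsplit("\\", 1)[-1].lower()
            # Exact name from the report, or any DLL explorer.exe pulls from a user profile.
            if dll == "ehstoreshell.dll" or in_user_profile(ev["loaded"]):
                hits.append(("explorer_loads_suspicious_dll", ev))
    return hits
```

The name check is deliberately exact so the legitimately named System32 library in the last event is not flagged; tune the user-profile heuristic to your environment, since some shell extensions legitimately load from per-user paths.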
Covenant is a powerful, open-source C2 framework built on .NET, commonly used in red team exercises and, in this case, offensive cyber operations. A notable aspect of this campaign is its use of infrastructure tied to the legitimate cloud storage service Filen for C2 communications. CERT-UA advises organizations that could be in Fancy Bear’s crosshairs to consider blocking or meticulously monitoring any network traffic to nodes associated with this cloud service.
By late January 2026, investigators had identified three additional malicious documents using the same exploit, this time aimed at entities within EU member states. In light of these ongoing threats, CERT-UA reiterates the critical importance of implementing all mitigation measures prescribed by Microsoft, with particular attention to the recommended Windows registry configuration changes that can help block the exploitation path.
(Source: Info Security)