Russian Hackers Attack Using New Microsoft Office Bug

Summary
– Russian hackers (APT28) are exploiting a patched Microsoft Office vulnerability (CVE-2026-21509) in attacks against Ukraine, using malicious documents themed around EU consultations.
– The attacks were detected just days after Microsoft’s emergency security update, and metadata suggests the malicious document was created after the patch was available.
– Opening the document triggers a complex infection chain that installs the COVENANT malware framework via COM hijacking, a malicious DLL, and hidden shellcode.
– The campaign extends beyond Ukraine, with APT28 using similar documents against EU-based organizations, and uses the Filen cloud storage service for command-and-control.
– Organizations are urged to apply Microsoft’s security update immediately or implement the registry-based mitigations; Defender’s Protected View additionally blocks Office files downloaded from the internet.
A newly patched vulnerability in Microsoft Office is being actively exploited by Russian state-backed hackers in targeted attacks against Ukrainian and European Union entities. Ukraine’s Computer Emergency Response Team (CERT-UA) has identified that the threat group APT28, also known as Fancy Bear, is leveraging the flaw, tracked as CVE-2026-21509, to deliver sophisticated malware. Microsoft issued an emergency security update for this zero-day on January 26, but malicious campaigns were detected just days later.
The attacks involve phishing emails distributing malicious DOC files. These documents are cleverly themed, with some impersonating communications regarding EU COREPER consultations in Ukraine and others spoofing the Ukrainian Hydrometeorological Center. One campaign targeted over sixty government email addresses. Intriguingly, forensic analysis shows the malicious document was created a day after Microsoft’s patch release, suggesting the attackers quickly adapted their tools.
When a user opens the compromised document, it initiates a complex WebDAV-based download chain. This process installs malware through a technique called COM hijacking, utilizing a malicious DLL file named EhStoreShell.dll. The attack further conceals shellcode within an image file, SplashScreen.png, and establishes persistence via a scheduled task named OneDriveHealth. This task forces the explorer.exe process to restart, which then loads the malicious DLL. That DLL executes the hidden shellcode, ultimately deploying the COVENANT framework, a powerful post-exploitation tool, onto the victim’s computer.
This malware loader has been linked to APT28 before. In June 2025, the same group used compromised Signal chats to deliver BeardShell and SlimAgent malware to Ukrainian government agencies. In the current campaign, investigators found that COVENANT uses the Filen cloud storage service for command-and-control communications. Security teams are advised to monitor or block connections to this platform to help mitigate the threat.
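As an added example (not code from CERT-UA, Bleeping Computer, or any tooling described in the report), the Python hunt below matches Sysmon-style endpoint events against the artifacts the article names: explorer.exe loading EhStoreShell.dll, creation of the OneDriveHealth scheduled task, the SplashScreen.png drop, and outbound connections to Filen. The event schema and the sample events are constructed, and the filen.io hostname pattern is an assumption, since the article names the service but not its domains.

```python
import re
from collections import defaultdict

# Indicators taken from the report: the dropped file names and the scheduled-task name.
DLL_NAME = "ehstoreshell.dll"
PNG_NAME = "splashscreen.png"
TASK_NAME = "onedrivehealth"
# Assumption: Filen's service domain. The report names the service, not its hostnames.
FILEN_HOST = re.compile(r"(^|\.)filen\.io$", re.IGNORECASE)

def check_event(ev):
    """Match one Sysmon-style event (constructed schema) against the chain; returns (rule, detail) or None."""
    kind = ev.get("type")
    if kind == "image_load":
        # The OneDriveHealth task restarts explorer.exe, which then loads the hijacked DLL.
        if (ev.get("process", "").lower().endswith("explorer.exe")
                and ev.get("image", "").lower().endswith(DLL_NAME)):
            return ("explorer_loads_ehstoreshell", ev["image"])
    elif kind == "task_created" and ev.get("task", "").lower() == TASK_NAME:
        return ("task_onedrivehealth", ev.get("command", ""))
    elif kind == "file_create":
        # Weak alone: a PNG by this name is not unusual, so it only adds weight to a chain.
        target = ev.get("target", "").lower()
        if target.endswith(DLL_NAME) or target.endswith(PNG_NAME):
            return ("dropped_artifact", ev["target"])
    elif kind == "network" and FILEN_HOST.search(ev.get("dest_host", "")):
        return ("c2_filen", ev["dest_host"])
    return None

def hunt(events):
    """Group hits per endpoint; two or more distinct rules on one host suggest the full chain."""
    per_host = defaultdict(list)
    for ev in events:
        hit = check_event(ev)
        if hit:
            per_host[ev["endpoint"]].append(hit)
    return {h: {"hits": hits, "likely_chain": len({r for r, _ in hits}) >= 2}
            for h, hits in per_host.items()}

# Constructed sample telemetry: WS-07 shows the whole chain, WS-02 only a benign look-alike.
SAMPLE_EVENTS = [
    {"type": "file_create", "endpoint": "WS-07", "target": r"C:\Users\a\AppData\Local\Temp\SplashScreen.png"},
    {"type": "task_created", "endpoint": "WS-07", "task": "OneDriveHealth", "command": "(restarts explorer.exe)"},
    {"type": "image_load", "endpoint": "WS-07", "process": r"C:\Windows\explorer.exe", "image": r"C:\Users\a\AppData\Local\EhStoreShell.dll"},
    {"type": "network", "endpoint": "WS-07", "process": r"C:\Windows\explorer.exe", "dest_host": "gateway.filen.io"},
    {"type": "file_create", "endpoint": "WS-02", "target": r"C:\Users\b\Pictures\SplashScreen.png"},
    {"type": "image_load", "endpoint": "WS-02", "process": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\EhStorShell.dll"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The near-name EhStorShell.dll on WS-02 is deliberately not matched, so a single weak hit leaves that host at "review" rather than "likely_chain".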
The campaign’s scope appears to be widening. CERT-UA discovered three additional malicious documents used in attacks against various organizations based within the European Union, indicating the operation extends beyond Ukraine’s borders. In one instance, the domains supporting these attacks were all registered on the same day, pointing to coordinated preparation.
To defend against these exploits, organizations must urgently apply Microsoft’s latest security updates. The patches cover Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. Users of Office 2021 and later versions need to restart their applications to ensure the updates take full effect. If immediate patching is not feasible, administrators should implement the registry-based workarounds Microsoft has provided. The company also notes that Defender’s Protected View feature offers an additional safeguard by automatically blocking Office files downloaded from the internet unless they are explicitly marked as trusted.
(Source: Bleeping Computer)