Russian Hackers Exploit Patched Microsoft Office Flaw

▼ Summary
– Russian state-sponsored hackers Fancy Bear (APT 28) are exploiting a critical Microsoft Office vulnerability (CVE-2026-21509) to bypass security features via malicious Office files.
– The attack uses phishing emails with weaponized RTF files that download droppers, which deploy backdoors like MiniDoor to steal emails or loaders like PixyNetLoader to install additional payloads.
– The primary targets are users in Central and Eastern Europe, including Ukraine, Slovakia, and Romania, with emails written in Romanian, Ukrainian, and English.
– Evidence such as the malware, command-and-control infrastructure, and targeting strongly points to the involvement of the Russia-linked APT28 threat group.
– Ukrainian authorities warn that attacks exploiting this vulnerability are expected to increase, as attackers anticipate targets will be slow to apply the available security patch.
A recently patched vulnerability in Microsoft Office is now being actively exploited by a sophisticated hacking group linked to the Russian government. The flaw, identified as CVE-2026-21509, allows attackers to bypass critical security features in Microsoft 365 and Office by tricking users into opening malicious documents. Despite an emergency fix released by Microsoft, security researchers have already documented a widespread phishing campaign leveraging this weakness to install backdoors on targeted systems.
The exploitation began just days after the patch was available. Researchers at Zscaler identified a phishing operation delivering weaponized RTF files. These files are engineered to exploit the vulnerability and, upon successful execution, download a malicious dropper from a server controlled by the attackers. The campaign utilizes two distinct attack chains. The first variant deploys a malicious VBA project for Microsoft Outlook, dubbed MiniDoor, which is designed to steal a user’s emails and forward them to the threat actor.
The second variant initiates a more complex, multi-stage infection. It starts with a previously undocumented loader called PixyNetLoader, which plants malicious components on the victim’s computer. This loader prepares the Windows environment to download and execute additional payloads, including a Grunt implant associated with the open-source Covenant command-and-control framework.
Targets of these attacks have primarily been located in Central and Eastern Europe, with a focus on Ukraine, Slovakia, and Romania. Phishing emails were crafted in Romanian, Ukrainian, and English to appear legitimate. One malicious document, named “ConsultationTopicsUkraine(Final).doc,” was created a mere day after Microsoft’s out-of-band security update. Its content was tailored to discussions about the European Union’s stance on Ukraine, making it highly relevant to the intended victims.
Another file, “BULLETEN_H.doc,” was distributed to over sixty email addresses, most belonging to Ukrainian central executive authorities. The email impersonated the Ukrainian Hydrometeorological Center. By the end of January 2026, security officials had discovered at least three more documents weaponizing the same flaw. Ukraine’s CERT has warned that attacks exploiting this vulnerability are likely to increase, as attackers anticipate that many targets will be slow to apply the necessary security patch.
Security analysts attribute this campaign to the Russian state-sponsored group known as Fancy Bear or APT28. The evidence includes the specific targets, the use of the MiniDoor backdoor, and the techniques observed in the attacks, such as abusing the Filen cloud storage API for command-and-control communications. While it remains unclear if the group exploited this flaw as a zero-day before Microsoft’s patch, their history of using such vulnerabilities makes it a strong possibility. This incident underscores the critical importance of applying security updates promptly to defend against rapidly evolving cyber threats.
(Source: HelpNet Security)