
The Russia-linked state-sponsored cyberespionage group tracked as APT28, also known as UAC-0001, has been linked to a wave of targeted attacks exploiting a recently disclosed Microsoft Office vulnerability. The activity is part of a campaign referred to as Operation Neusploit, according to findings released by Zscaler ThreatLabz.
Zscaler researchers said they observed the group actively exploiting the flaw on January 29, 2026, just three days after Microsoft publicly disclosed the vulnerability. The attacks targeted users in Ukraine, Slovakia, and Romania, underscoring the group’s continued focus on Eastern Europe.
The vulnerability, tracked as CVE-2026-21509 and assigned a CVSS score of 7.8, is a security feature bypass in Microsoft Office. Exploitation allows an attacker to send a specially crafted Office document that can trigger malicious code execution when opened by the victim.
“Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries,” security researchers Sudeep Singh and Roy Tay said. “The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.”
According to Zscaler, the attack chain begins with a malicious RTF document that exploits CVE-2026-21509 to deliver one of two droppers, depending on the campaign path. One variant is designed to deploy an Outlook email-stealing malware known as MiniDoor, while the second, called PixyNetLoader, facilitates a more complex intrusion resulting in the deployment of a Covenant Grunt implant.
The MiniDoor pathway involves a C++-based DLL that harvests emails from multiple Outlook folders, including Inbox, Junk, and Drafts. The stolen data is exfiltrated to two hard-coded email addresses controlled by the threat actor: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. Researchers assess MiniDoor to be a stripped-down version of NotDoor, also known as GONEPOSTAL, which was previously documented by S2 Grupo LAB52 in September 2025.
The PixyNetLoader route represents a more advanced infection chain. This dropper extracts multiple embedded components and establishes persistence through COM object hijacking. Among the extracted files are a shellcode loader named EhStoreShell.dll and a PNG image file called SplashScreen.png.
The loader’s function is to extract shellcode hidden within the image using steganography and then execute it. However, the malicious logic is only activated if specific conditions are met. The loader verifies that the system is not an analysis or sandbox environment and that the DLL was launched by the explorer.exe process. If these checks fail, the malware remains dormant.
Once executed, the shellcode loads an embedded .NET assembly associated with the open-source Covenant command-and-control framework. The final payload is a Grunt implant, which enables the attackers to maintain remote access and control over the compromised system.
Zscaler noted strong similarities between this activity and a previously documented APT28 campaign. “The PixyNetLoader infection chain shares notable overlap with Operation Phantom Net Voxel,” the company said. “Although the earlier campaign used a VBA macro, this activity replaces it with a DLL while retaining similar techniques, including (1) COM hijacking for execution, (2) DLL proxying, (3) XOR string encryption techniques, and (4) Covenant Grunt and its shellcode loader embedded in a PNG via steganography.”
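As an added defensive example, not code from Zscaler's or CERT-UA's reporting, the following triages constructed Sysmon-style registry and image-load events for the two loader behaviours described above: a per-user COM registration pointing at a user-writable DLL, and explorer.exe loading an unsigned DLL from a user-writable path. The HKCU/HKU `CLSID\{...}\InprocServer32` location is the standard COM-hijack registration point and is an assumption here, since the page does not name the key; all paths, SIDs and CLSIDs in the sample events are constructed.

```python
import re

# Constructed Sysmon-style events (not taken from the report).
EVENTS = [
    {"type": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-111\Software\Classes\CLSID\{0000-EXAMPLE}\InprocServer32\(Default)",
     "value": r"C:\Users\victim\AppData\Roaming\EhStoreShell.dll"},
    {"type": "RegistryValueSet", "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\SOFTWARE\Classes\CLSID\{1111-EXAMPLE}\InprocServer32\(Default)",
     "value": r"C:\Program Files\Vendor\vendor.dll"},
    {"type": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Users\victim\AppData\Roaming\EhStoreShell.dll", "signed": False},
    {"type": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\shell32.dll", "signed": True},
]

# Paths a standard user can write to; a persistence DLL normally lives in one of these.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
# Assumed hijack location: per-user CLSID registrations override HKLM for the same CLSID.
INPROC = re.compile(r"\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)


def is_user_writable(path):
    return bool(USER_WRITABLE.search(path))


def flag_com_hijack(ev):
    """Per-user InprocServer32 value set to a DLL in a user-writable directory."""
    if ev["type"] != "RegistryValueSet" or not INPROC.search(ev["key"]):
        return None
    if ev["key"].upper().startswith(("HKU\\", "HKCU\\")) and is_user_writable(ev["value"]):
        return f"COM hijack candidate: {ev['key']} -> {ev['value']}"
    return None


def flag_explorer_load(ev):
    """explorer.exe (the parent the loader requires) loading an unsigned user-writable DLL."""
    if ev["type"] != "ImageLoad" or not ev["image"].lower().endswith("\\explorer.exe"):
        return None
    if is_user_writable(ev["loaded"]) and not ev["signed"]:
        return f"explorer.exe loaded unsigned DLL from user-writable path: {ev['loaded']}"
    return None


def triage(events):
    """Return the list of alert strings raised by both detections over the events."""
    return [a for ev in events for a in (flag_com_hijack(ev), flag_explorer_load(ev)) if a]


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The HKLM registration from msiexec.exe and the signed shell32.dll load are left unflagged, so the two detections together fire only on the constructed hijack pair.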
The disclosure aligns with a separate advisory issued by the Computer Emergency Response Team of Ukraine (CERT-UA), which also warned of APT28’s exploitation of CVE-2026-21509. CERT-UA reported that Word documents were used to target more than 60 email addresses associated with central executive authorities in Ukraine. Metadata analysis showed that at least one lure document was created on January 27, 2026.
“During the investigation, it was found that opening the document using Microsoft Office leads to establishing a network connection to an external resource using the WebDAV protocol, followed by downloading a file with a shortcut file name containing program code designed to download and run an executable file,” CERT-UA said.
This process ultimately triggers the same PixyNetLoader attack chain, resulting in the deployment of the Covenant framework’s Grunt implant.
Microsoft addressed CVE-2026-21509 on January 26, warning customers that the flaw had been exploited as a zero-day and urging immediate patching. The company initially credited its internal security researchers for discovering the vulnerability, later updating its advisory to also acknowledge the Google Threat Intelligence Group (GTIG). Neither Microsoft nor GTIG has released public details on the initial zero-day exploitation.
While the identity of the original zero-day operator remains unknown, researchers say APT28 moved quickly to weaponize the vulnerability after its disclosure. APT28, also tracked as Forest Blizzard, Sofacy, Fancy Bear, and GruesomeLarch, is known for rapidly integrating newly disclosed flaws into its cyberespionage operations.
CVE-2026-21509 can be exploited by persuading users to open specially crafted Microsoft Office files, reinforcing the continued effectiveness of document-based lures in advanced persistent threat campaigns.