The state-sponsored Russian threat group APT28, also known as UAC-0001, is actively exploiting a newly discovered Microsoft Office vulnerability to target government entities in Ukraine and Eastern Europe. This campaign, labeled Operation Neusploit, uses malicious documents and server-side evasion to deliver specialized malware like the MiniDoor email stealer and the Covenant Grunt implant.
Researchers recently identified APT28 weaponizing a security bypass flaw tracked as CVE-2026-21509 just days after its public disclosure. The group utilized social engineering tactics by creating lure documents in English, Romanian, Slovak, and Ukrainian to trick users into opening malicious files. To avoid detection by security researchers, the attackers used server-side filtering to ensure their malicious payloads were only delivered to specific geographic regions and valid user agents.
The technical core of the attack involves a malicious RTF file that exploits the Office vulnerability to launch one of two distinct dropper programs. The first dropper delivers MiniDoor, a specialized tool designed to infiltrate Outlook accounts and exfiltrate messages from the inbox, junk, and draft folders to external email addresses controlled by the hackers. This tool appears to be a streamlined version of a previously documented malware family, suggesting a continuous refinement of the group's digital toolkit.
The second dropper, known as PixyNetLoader, initiates a more complex infection process that utilizes sophisticated evasion and persistence techniques. It employs COM object hijacking to stay on the system and uses steganography to hide malicious shellcode within a standard PNG image file. To further frustrate analysis, the loader remains dormant unless it detects it is running within a standard Windows Explorer process on a genuine user machine rather than a virtualized sandbox.
Once the hidden shellcode is successfully parsed and executed from the image, it deploys a Grunt implant associated with the open-source Covenant command-and-control framework. This specific method of using steganography and the Covenant framework shows significant overlap with earlier APT28 operations, indicating that the group is modernizing older, successful strategies to work with new vulnerabilities. The use of DLL files in this campaign replaces the older reliance on VBA macros while maintaining the same underlying execution logic.
Ukrainian emergency response teams have confirmed these findings, reporting that the group targeted over 60 different government email addresses using these compromised Word documents. Their investigation showed that opening these files triggers a network connection via the WebDAV protocol to download additional code, which ultimately installs the same Grunt implant found in other regional attacks. This coordinated activity highlights the speed at which state-sponsored groups can weaponize new software bugs for geopolitical espionage.
Source: APT28 Uses Microsoft Office CVE-2026-21509 In Espionage Malware Attacks