Russia-linked attackers are reportedly exploiting a newly patched Microsoft vulnerability as part of a coordinated espionage and malware campaign, dubbed Operation Neusploit.
The campaign was observed in January 2026 by security researchers at Zscaler ThreatLabz, three days after Microsoft issued an urgent patch for the flaw.
“In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain,” the researchers said in a blog post. “ThreatLabz observed active in-the-wild exploitation on January 29, 2026.”
The campaign targeted users in parts of Central and Eastern Europe, including Ukraine, Slovakia, and Romania, with customized social engineering lures. The crafted Rich Text Format (RTF) files triggered the Office vulnerability the moment they were opened, initiating a multi-stage infection chain that led to backdoors and malware implants.
Owing to the significant overlap between the tools, techniques, and procedures (TTPs) of the campaign and those of APT28 (aka Fancy Bear), the threat group affiliated with Russia’s General Staff Main Intelligence Directorate (GRU), Zscaler attributed the campaign to that advanced persistent threat (APT) group.
Neusploit hooked users through Office
Operation Neusploit relies heavily on CVE-2026-21509, a high-severity bug in Microsoft Office that Microsoft patched on January 26 after reports of active exploitation.
The infection begins with victims receiving an email with an RTF attachment that contains a weaponized exploit. When opened, the RTF file causes Microsoft Office to execute code that reaches out to threat actor infrastructure and downloads a dropper DLL. The DLL then executes the rest of the malicious chain.
“The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header,” the researchers said.
The campaign used two different variants of the dropper DLL, deploying different components for different purposes.
One campaign, two infection paths
Zscaler found that exploitation of CVE-2026-21509 did not lead to a single uniform payload. Instead, the initial RTF-based exploit branched into two distinct infection paths, each serving a different operational purpose. The choice of dropper reportedly determined whether the attackers prioritized near-term intelligence collection or longer-term access to compromised systems.
In one path, the exploit delivered MiniDoor, a lightweight DLL focused on email theft. The malware modified Windows registry settings to weaken Microsoft Outlook security controls, allowing it to quietly collect and exfiltrate email data to attacker-controlled infrastructure. The design and functionality of MiniDoor closely resemble earlier APT28 tooling, in line with the group’s established espionage-focused attacks.
The second path involved a more elaborate chain that began with PixyNetLoader, which deployed additional payloads and established persistence using techniques such as DLL proxying and COM object hijacking. This loader ultimately installed a Covenant Grunt implant, the agent used by the Covenant .NET command and control (C2) framework, giving the attackers sustained remote access through cloud-hosted C2 infrastructure.
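The page does not name which Outlook settings MiniDoor relaxed, but an email-stealing implant that wants to read and send mail programmatically without prompts has to deal with Outlook's Object Model Guard. The following audit is an added example, not Zscaler's or the malware's code: it evaluates the documented Outlook programmatic-access registry values (`ObjectModelGuard`, `PromptOOM*`), treating a value of 2 ("automatically approve" / "never warn") as a finding. The key paths assume Office 16.0 and the evaluation runs on a constructed snapshot so it works off-Windows; `read_snapshot_from_registry` is the Windows-only collector.

```python
"""Audit Outlook Object Model Guard settings for silently-approved programmatic access.

Added example (not from the original article). Value names and meanings follow
Microsoft's documented Outlook security settings: 0 = prompt, 1 = deny,
2 = approve automatically (for ObjectModelGuard, 2 = never warn). The Office
version in the key paths (16.0) is an assumption; adjust per environment.
"""
import sys

# Policy hive is honoured by Outlook when admin security mode points at it; listed
# first so a reader sees it, merged last so it overrides the per-user value.
OUTLOOK_SECURITY_KEYS = [
    r"Software\Policies\Microsoft\Office\16.0\Outlook\Security",  # admin policy
    r"Software\Microsoft\Office\16.0\Outlook\Security",           # per-user
]

# Settings that gate programmatic access to mail data and the address book.
PROMPT_VALUES = {
    "PromptOOMSend": "programmatic send",
    "PromptOOMAddressBookAccess": "address book access",
    "PromptOOMAddressInformationAccess": "address information access",
    "PromptOOMSaveAs": "save-as of items",
}


def evaluate_outlook_security(snapshot):
    """snapshot: {value_name: int}. Returns a list of human-readable findings."""
    findings = []
    # ObjectModelGuard: 0 = warn if AV inactive/outdated (default), 1 = always warn, 2 = never warn
    if snapshot.get("ObjectModelGuard") == 2:
        findings.append("ObjectModelGuard=2: Object Model Guard prompts disabled")
    for name, desc in PROMPT_VALUES.items():
        if snapshot.get(name) == 2:
            findings.append(f"{name}=2: {desc} auto-approved without prompt")
    return findings


def read_snapshot_from_registry():
    """Windows only: merge per-user and policy keys (policy values win)."""
    import winreg  # only importable on Windows
    merged = {}
    for path in reversed(OUTLOOK_SECURITY_KEYS):  # user first, then policy overrides
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    merged[name] = data
                    index += 1
        except OSError:
            continue  # key absent: defaults apply
    return merged


# Constructed snapshot resembling a weakened configuration (not a real sample).
CONSTRUCTED_SNAPSHOT = {
    "ObjectModelGuard": 2,
    "PromptOOMSend": 2,
    "PromptOOMAddressBookAccess": 0,
}

if __name__ == "__main__":
    snap = read_snapshot_from_registry() if sys.platform == "win32" else CONSTRUCTED_SNAPSHOT
    for finding in evaluate_outlook_security(snap) or ["no weakened Outlook security values found"]:
        print(finding)
```

Run it on a workstation as the affected user; values present in the policy hive but absent from the user hive are still reported because the merge covers both paths.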
Mitigation efforts
Zscaler recommended that organizations prioritize patching for CVE-2026-21509, noting that APT28 exploited the flaw within days of Microsoft releasing fixes. Systems running unpatched versions of Microsoft Office remain exposed to weaponized RTF documents that require little user interaction beyond opening the file, significantly raising the risk of compromise in email-driven attack scenarios.
For defensive analysis, Zscaler shared GitHub repositories, including the Windows scheduled task configuration file and the MiniDoor macro code, illustrating the attack paths used in Operation Neusploit. Additionally, the disclosure included a list of indicators of compromise (IOCs) to aid detection efforts, covering file hashes, malicious domains, and URLs. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch (FCEB) agencies until February 16 to patch their systems.
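Two things a defender can do with this disclosure are match published IOCs against proxy telemetry and, independently of any IOC list, look for the behaviour the chain depends on: an Office process fetching a DLL from infrastructure it has no business talking to. The script below is an added example (not Zscaler's code) that runs both rules over constructed proxy log lines. The IOC values are placeholders, not the real Operation Neusploit indicators; the log format, the field layout and the allow-list of update hosts are assumptions to be replaced with the environment's own.

```python
"""Detect IOC hits and Office-initiated DLL downloads in proxy logs.

Added example (not from the original article). Log format (assumed):
<timestamp> <client-ip> <process> "<url>" <content-type> <sha256>
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed IOC list (placeholders, NOT the real indicators from the disclosure).
IOC_DOMAINS = {"example-c2.invalid"}
IOC_URLS = {"http://example-c2.invalid/update/payload"}
IOC_SHA256 = {"0" * 64}

# Office processes that should rarely pull executables on their own (assumption).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Hosts Office legitimately fetches binaries from; tune per environment (assumption).
ALLOWED_BINARY_HOSTS = {"officecdn.microsoft.com", "download.microsoft.com"}
BINARY_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream"}


@dataclass
class ProxyEvent:
    ts: str
    client: str
    process: str
    url: str
    content_type: str
    sha256: str


LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]+)" (\S+) (\S+)$')


def parse_line(line):
    """Return a ProxyEvent, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return ProxyEvent(*m.groups()) if m else None


def ioc_hits(ev):
    """Rule 1: exact matches against the IOC list (domain, full URL, file hash)."""
    hits = []
    host = urlparse(ev.url).hostname or ""
    if host in IOC_DOMAINS:
        hits.append("ioc-domain")
    if ev.url in IOC_URLS:
        hits.append("ioc-url")
    if ev.sha256.lower() in IOC_SHA256:
        hits.append("ioc-hash")
    return hits


def office_binary_download(ev):
    """Rule 2: an Office process downloading a DLL/PE from a non-approved host."""
    host = urlparse(ev.url).hostname or ""
    is_binary = ev.content_type in BINARY_CONTENT_TYPES or ev.url.lower().endswith(".dll")
    return ev.process.lower() in OFFICE_PROCESSES and is_binary and host not in ALLOWED_BINARY_HOSTS


def scan(lines):
    """Return (ts, client, process, url, reasons) for every line that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = ioc_hits(ev)
        if office_binary_download(ev):
            reasons.append("office-binary-download")
        if reasons:
            alerts.append((ev.ts, ev.client, ev.process, ev.url, reasons))
    return alerts


# Constructed sample log: one IOC hit, one benign Office update, one browser
# download (ignored), and one behavioural-only hit with no IOC match.
SAMPLE_LOG = [
    f'2026-01-29T09:14:02Z 10.1.2.3 winword.exe "http://example-c2.invalid/update/payload" application/x-msdownload {"0" * 64}',
    f'2026-01-29T09:15:10Z 10.1.2.3 winword.exe "https://officecdn.microsoft.com/pr/update.cab" application/octet-stream {"1" * 64}',
    f'2026-01-29T09:16:33Z 10.1.2.7 chrome.exe "http://files.example.net/tool.dll" application/x-msdownload {"2" * 64}',
    f'2026-01-29T09:20:00Z 10.1.2.9 excel.exe "http://cdn.example.net/helper.dll" application/octet-stream {"3" * 64}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The behavioural rule is what catches the case the article describes as server-side evasion: if the C2 only answers requests from the target region with the right User-Agent, an analyst replaying the URL from elsewhere sees nothing, but the proxy record of the original Office-initiated download is still there to alert on.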