The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit.
Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three days after Microsoft publicly disclosed the existence of the bug.
The vulnerability in question is CVE-2026-21509 (CVSS score: 7.8), a security feature bypass in Microsoft Office that could allow an unauthorized attacker to deliver a specially crafted Office file and trigger it.
“Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries,” security researchers Sudeep Singh and Roy Tay said. “The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.”

The attack chains, in a nutshell, entail the exploitation of the security hole via a malicious RTF file to deliver two different versions of a dropper: one designed to drop an Outlook email stealer referred to as MiniDoor, and another, known as PixyNetLoader, that is responsible for the deployment of a Covenant Grunt implant.
The first dropper acts as a pathway for serving MiniDoor, a C++-based DLL file that steals a user's emails from various folders (Inbox, Junk, and Drafts) and forwards them to two hard-coded threat actor email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. MiniDoor is assessed to be a stripped-down version of NotDoor (aka GONEPOSTAL), which was documented by S2 Grupo LAB52 in September 2025.
In contrast, the second dropper, i.e., PixyNetLoader, is used to initiate a much more elaborate attack chain that involves delivering additional components embedded into it and establishing persistence on the host using COM object hijacking. Among the extracted payloads are a shellcode loader (“EhStoreShell.dll”) and a PNG image (“SplashScreen.png”).
The primary responsibility of the loader is to parse shellcode concealed within the image using steganography and execute it. That said, the loader only activates its malicious logic if the infected machine is not an analysis environment and the host process that launched the DLL is “explorer.exe.” The malware remains dormant if those conditions aren't met.
The extracted shellcode is ultimately used to load an embedded .NET assembly, which is nothing but a Grunt implant associated with the open-source .NET COVENANT command-and-control (C2) framework. It's worth noting that APT28's use of the Grunt Stager was highlighted by Sekoia in September 2025 in connection with a campaign named Operation Phantom Net Voxel.

“The PixyNetLoader infection chain shares notable overlap with Operation Phantom Net Voxel,” Zscaler said. “Although the earlier campaign used a VBA macro, this activity replaces it with a DLL while retaining similar techniques, including (1) COM hijacking for execution, (2) DLL proxying, (3) XOR string encryption techniques, and (4) Covenant Grunt and its shellcode loader embedded in a PNG via steganography.”
The disclosure coincides with a report from the Computer Emergency Response Team of Ukraine (CERT-UA) that also warned of APT28's abuse of CVE-2026-21509 using Word documents to target more than 60 email addresses associated with central government authorities in the country. Metadata analysis shows that one of the lure documents was created on January 27, 2026.
“During the investigation, it was found that opening the document using Microsoft Office leads to establishing a network connection to an external resource using the WebDAV protocol, followed by downloading a file with a shortcut file name containing program code designed to download and run an executable file,” CERT-UA said.
This, in turn, triggers an attack chain that is identical to PixyNetLoader, resulting in the deployment of the COVENANT framework's Grunt implant.
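Both the PixyNetLoader description above and the Zscaler comparison with Operation Phantom Net Voxel name COM object hijacking as the persistence and execution mechanism. The following audit script is an added example written for this page; it is not code from Zscaler, CERT-UA or the malware itself. It parses a registry export for per-user CLSID InprocServer32 registrations, which is where a COM hijack lands (the user hive shadows the machine-wide registration when a host such as explorer.exe instantiates the class), and flags those whose DLL sits in a directory a standard user can write to. The CLSIDs, paths and the list of user-writable path fragments are constructed assumptions, not indicators from the campaign; the file name EhStoreShell.dll is reused from the report only as a placeholder.

```python
"""Audit a Windows registry export for per-user COM InprocServer32 overrides.

Added example, not code from the Zscaler or CERT-UA reports. COM hijacking
registers a DLL path under HKCU\\Software\\Classes\\CLSID\\{clsid}\\InprocServer32;
because the user hive is consulted before HKLM, a process such as explorer.exe
that instantiates that CLSID loads the attacker's DLL. Per-user InprocServer32
registrations are uncommon on a managed workstation, so enumerating them and
flagging those that point into user-writable directories is a cheap triage
step. The CLSIDs and paths below are constructed placeholders, not indicators
from the campaign.
"""
import re
from dataclasses import dataclass

# Constructed .reg-style export with placeholder CLSIDs and paths.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\EhStoreShell.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\addin.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"
"""

HKCU_INPROC = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$",
    re.IGNORECASE,
)
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')

# Path fragments that a standard user can normally write to (assumed list).
USER_WRITABLE_MARKERS = (
    "\\users\\", "\\appdata\\", "\\temp\\", "\\tmp\\",
    "%appdata%", "%localappdata%", "%temp%", "%userprofile%",
)


@dataclass(frozen=True)
class ComOverride:
    clsid: str
    dll_path: str


def parse_user_inproc_overrides(reg_text: str) -> list[ComOverride]:
    """Return every HKCU InprocServer32 default value found in a .reg export."""
    overrides = []
    current_clsid = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            match = HKCU_INPROC.match(line[1:-1])
            current_clsid = match.group(1) if match else None
            continue
        if current_clsid is None:
            continue
        value = DEFAULT_VALUE.match(line)
        if value:
            # .reg files escape backslashes; undo that before inspecting the path.
            dll_path = value.group(1).replace("\\\\", "\\")
            overrides.append(ComOverride(current_clsid, dll_path))
    return overrides


def is_user_writable(path: str) -> bool:
    """Heuristic: does the DLL live somewhere a non-admin user can write?"""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def audit(reg_text: str) -> list[ComOverride]:
    """Overrides worth a closer look: user-hive CLSIDs backed by user-writable DLLs."""
    return [o for o in parse_user_inproc_overrides(reg_text) if is_user_writable(o.dll_path)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(f"suspicious COM override {finding.clsid} -> {finding.dll_path}")
```

On a real host the input would be the output of `reg export HKCU\Software\Classes\CLSID` rather than the embedded sample; any hit should then be compared with the HKLM registration of the same CLSID, since a hijacked entry typically mirrors a legitimate class that explorer.exe loads at logon.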
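CERT-UA's description of the Word lure, a WebDAV connection to an external resource followed by the download of a shortcut file, suggests a simple hunt on proxy or egress logs. The script below is an added example for this page, not CERT-UA's or Zscaler's code. It flags requests that use WebDAV methods, or that come from the Windows WebDAV mini-redirector client, when the destination host is outside the organisation. The log lines, the hosts and the definition of "internal" (RFC 1918 ranges plus an assumed .example.local DNS suffix) are constructed for the example.

```python
"""Hunt for WebDAV traffic to external hosts in proxy logs.

Added example, not code from the CERT-UA or Zscaler reports. CERT-UA says the
lure document makes a WebDAV connection to an external resource and then
fetches a shortcut file from it. On Windows, WebDAV is spoken by the WebClient
service (user agent "Microsoft-WebDAV-MiniRedir/..."), using methods such as
OPTIONS and PROPFIND, so a workstation sending such requests to a host outside
the organisation's own address space is a useful hunting signal. Log lines,
hosts and the definition of "internal" (RFC 1918 ranges plus an assumed
.example.local suffix) are all constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIX = ".example.local"  # assumed internal DNS suffix

# Constructed proxy log: client_ip method url status "user_agent"
SAMPLE_LOG = """\
10.1.2.3 GET http://intranet.example.local/index.html 200 "Mozilla/5.0"
10.1.2.3 OPTIONS http://203.0.113.10/share/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19041"
10.1.2.3 PROPFIND http://203.0.113.10/share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19041"
10.1.2.3 PROPFIND http://fileserver.example.local/docs/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19041"
10.1.2.4 GET http://203.0.113.10/share/readme.lnk 200 "Microsoft-WebDAV-MiniRedir/10.0.19041"
10.1.2.5 GET http://203.0.113.20/news.html 200 "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


@dataclass(frozen=True)
class Finding:
    client: str
    method: str
    host: str
    path: str
    reason: str


def is_internal(host: str) -> bool:
    """Internal = RFC 1918 address or a name under the assumed internal suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIX)
    return any(addr in net for net in RFC1918)


def hunt_external_webdav(log_text: str) -> list[Finding]:
    """Flag WebDAV-method or WebDAV-client requests whose target host is not internal."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip malformed lines rather than abort the whole hunt
        client, method, url, _status, ua = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if is_internal(host):
            continue
        if method.upper() in WEBDAV_METHODS:
            reason = f"WebDAV method {method} to external host"
        elif ua.startswith(WEBDAV_UA_PREFIX):
            reason = "Windows WebDAV client talking to external host"
        else:
            continue
        findings.append(Finding(client, method, host, parts.path, reason))
    return findings


if __name__ == "__main__":
    for f in hunt_external_webdav(SAMPLE_LOG):
        print(f"{f.client} {f.method} {f.host}{f.path}: {f.reason}")
```

The third finding in the sample, a GET for a `.lnk` file over WebDAV, is the step CERT-UA describes as the shortcut download; correlating it with the preceding OPTIONS/PROPFIND from the same client ties the connection back to the document that opened it.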