Ukraine’s Laptop Emergency Response Group (CERT) says that Russian hackers are exploiting CVE-2026-21509, a not too long ago patched vulnerability in a number of variations of Microsoft Workplace.
On January 26, Microsoft launched an emergency out-of-band security replace marking CVE-2026-21509 as an actively exploited zero-day flaw.
CERT-UA detected the distribution of malicious DOC information exploiting the flaw, themed round EU COREPER consultations in Ukraine, simply three days after Microsoft’s alert.
In different instances, the emails impersonated the Ukrainian Hydrometeorological Heart and had been despatched to over 60 government-related addresses.
Nonetheless, the company says that the metadata related to the doc exhibits that it was created in the future after the emergency replace.
The Ukrainian CERT attributed these assaults to APT28, a nation-state risk actor often known as Fancy Bear and Sofacy and related to Russia’s Basic Workers Essential Intelligence Directorate (GRU).
Opening the malicious doc triggers a WebDAV-based obtain chain that installs malware by way of COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in a picture file (SplashScreen.png), and a scheduled job (OneDriveHealth).
Supply: CERT-UA
“The scheduled job execution results in termination and restart of the explorer.exe course of, which, amongst different issues, because of COM hijacking, ensures loading of the “EhStoreShell.dll” file,” CERT-UA says within the report.
“This DLL executes shellcode from the picture file, which in flip ensures the launch on the pc of the COVENANT software program (framework).”
This is similar malware loader CERT-UA linked to APT28 assaults in June 2025, which exploited Sign chats to ship the BeardShell and SlimAgent malware to authorities organizations in Ukraine.
The company stories that COVENANT makes use of the Filen (filen.io) cloud storage service for command-and-control (C2) operations. Monitoring for connections related to the platform, or blocking them fully, ought to enhance the protection in opposition to this risk.
Subsequent investigations revealed that APT28 used three extra paperwork in assaults in opposition to varied EU-based organizations, indicating that the marketing campaign extends past Ukraine. In a single noticed case, the domains supporting the assaults had been registered on the identical day.
Organizations are beneficial to use the most recent security replace on Microsoft Workplace 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. For Workplace 2021 and later, guarantee customers restart functions to permit the updates to be utilized.
If rapid patching is inconceivable, it’s endorsed to implement the registry-based mitigation directions in our unique protection of the flaw.
Microsoft beforehand acknowledged that Defender’s Protected View provides an additional layer of protection by blocking malicious Workplace information originating from the Web except explicitly trusted.
Trendy IT infrastructure strikes sooner than handbook workflows can deal with.
On this new Tines information, find out how your staff can cut back hidden handbook delays, enhance reliability by way of automated response, and construct and scale clever workflows on high of instruments you already use.
