A Russia-linked state-sponsored hacking group known as APT28, also tracked as UAC-0001, has been linked to a new cyber espionage campaign that abuses a recently disclosed Microsoft Office vulnerability. The operation, internally referred to as Operation Neusploit, leverages CVE-2026-21509 to deliver sophisticated malware payloads against targets in specific regions.
Exploitation Observed Shortly After Disclosure
According to Zscaler ThreatLabz, the threat actor began actively exploiting the Microsoft Office flaw on January 29, 2026, only three days after Microsoft publicly disclosed the vulnerability. The attacks primarily targeted users in Ukraine, Slovakia, and Romania, indicating a geographically focused espionage effort.
The security weakness, tracked as CVE-2026-21509 with a CVSS score of 7.8, is categorized as a security feature bypass. It allows attackers to distribute specially crafted Microsoft Office documents that can execute malicious content without proper authorization.
Targeted Social Engineering and Evasion Techniques
Researchers reported that APT28 crafted phishing lures in both English and regional languages, including Romanian, Slovak, and Ukrainian. These localized messages increased the likelihood of user interaction in the targeted countries.
In addition to language-based targeting, the attackers implemented server-side evasion mechanisms. Malicious payloads were only delivered when incoming requests originated from specific geographic locations and included the correct User-Agent HTTP headers, significantly reducing exposure to automated analysis systems.
Malicious RTF Files and Dual Dropper Strategy
The attack chain begins with a malicious Rich Text Format (RTF) file that exploits CVE-2026-21509. This file delivers one of two different droppers, depending on the campaign path.
The first dropper installs MiniDoor, a lightweight Outlook email-stealing malware written in C++. MiniDoor collects emails from folders such as Inbox, Junk, and Drafts, then forwards the stolen data to attacker-controlled email addresses. Analysts believe MiniDoor is a simplified variant of the previously documented NotDoor malware, also known as GONEPOSTAL.
PixyNetLoader and Advanced Persistence Mechanisms
The second dropper, identified as PixyNetLoader, initiates a more complex infection chain. This loader deploys multiple embedded components and establishes persistence on the compromised system using COM object hijacking.
Among the extracted components are a shellcode loader named EhStoreShell.dll and a PNG image file titled SplashScreen.png. The loader extracts hidden shellcode from the image using steganographic techniques and executes it only if specific conditions are met.
To avoid detection, the malware verifies that it is not running in an analysis environment and confirms that the initiating process is explorer.exe. If these conditions are not satisfied, the malicious logic remains inactive.
Deployment of Covenant Grunt Implant
The decoded shellcode ultimately loads a concealed .NET assembly that functions as a Grunt implant from the open-source Covenant command-and-control framework. This implant provides attackers with remote control capabilities over infected systems.
Security researchers noted strong similarities between this infection chain and a previously observed campaign called Operation Phantom Net Voxel, which was documented in September 2025. While the earlier campaign relied on VBA macros, the current activity replaces them with DLL-based execution while maintaining similar techniques such as DLL proxying, XOR string encryption, and COM hijacking.
CERT-UA Confirms Broader Targeting in Ukraine
The findings align with a warning issued by the Computer Emergency Response Team of Ukraine (CERT-UA), which confirmed that APT28 used Word documents exploiting CVE-2026-21509 to target more than 60 email accounts linked to central government authorities.
Metadata analysis revealed that at least one malicious document was created on January 27, 2026. When opened, the file initiates a WebDAV connection to an external server, downloads a shortcut file, and executes embedded program code.
This sequence ultimately triggers the same PixyNetLoader infection chain, resulting in the deployment of the Covenant Grunt implant on the compromised system.
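The behaviours described above (COM object hijacking for persistence, a DLL executed only under explorer.exe, and an Office document that leads to further program execution) leave traces in endpoint telemetry. The following is an added example, not code from Zscaler, CERT-UA or the article, of host-based detection logic run over constructed Sysmon-style events. The event dictionaries, paths, GUID and SID are invented for illustration; the field names follow Sysmon's process-create (EventID 1), image-load (EventID 7) and registry value set (EventID 13) events, which is an assumption about the log source.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (NOT real indicators from this campaign).
# Field names mirror Sysmon events 1, 7 and 13; every value is invented.
SAMPLE_EVENTS = [
    # A user-land process writes an InprocServer32 value under the user's
    # CLSID hive, pointing at a DLL in a user-writable directory.
    {"EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\CLSID"
                     r"\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\EhStoreShell.dll"},
    # explorer.exe later loads that same DLL (the hijacked COM server).
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Microsoft\EhStoreShell.dll"},
    # Benign: explorer.exe loading a system DLL from System32.
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    # Word spawning a child process after a document is opened.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Benign: an installer registering a COM server under HKLM.
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{placeholder}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\ext.dll"},
]

# Directories a normal user can write to; DLLs loaded from here by shell
# processes deserve a closer look.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE)

# Per-user CLSID registrations override machine-wide ones, which is what
# COM hijacking relies on. Sysmon logs HKCU as HKU\<SID>\...
HKU_CLSID_SERVER = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)",
    re.IGNORECASE)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Run the three heuristics over an ordered event stream and correlate
    COM-hijack registry writes with later loads of the registered DLL."""
    findings = []
    hijacked_dlls = set()  # DLL paths registered as per-user COM servers
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and HKU_CLSID_SERVER.match(ev.get("TargetObject", "")):
            dll = ev.get("Details", "")
            hijacked_dlls.add(dll.lower())
            severity = "high" if USER_WRITABLE.search(dll) else "medium"
            findings.append(Finding("com_hijack_hkcu_clsid", severity,
                                    f"{ev['Image']} set {ev['TargetObject']} -> {dll}"))
        elif eid == 7 and _basename(ev.get("Image", "")) == "explorer.exe":
            loaded = ev.get("ImageLoaded", "")
            if loaded.lower() in hijacked_dlls:
                # The registered server is now running inside explorer.exe.
                findings.append(Finding("com_hijack_dll_loaded_by_explorer", "critical", loaded))
            elif USER_WRITABLE.search(loaded):
                findings.append(Finding("explorer_loads_user_writable_dll", "medium", loaded))
        elif eid == 1 and _basename(ev.get("ParentImage", "")) in OFFICE_APPS:
            findings.append(Finding("office_spawns_child_process", "medium",
                                    f"{ev['ParentImage']} -> {ev['Image']}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule}: {f.detail}")
```

Run stand-alone, the script reports the per-user CLSID write as high, upgrades the explorer.exe load of the same DLL to critical because the two events correlate, flags the Office child process, and stays silent on the System32 load and the HKLM registration. In production the same rules would be expressed as SIEM queries and tuned with an allow-list of legitimate per-user COM registrations.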