Zscaler ThreatLabz identified Operation Neusploit in January 2026, attributing the campaign to APT28 using specially crafted RTFs that exploit CVE-2026-21509 to deliver MiniDoor and PixyNetLoader/Covenant Grunt implants. The multi-stage chain used region-targeted server-side evasion, COM hijacking, steganography in a PNG, and scheduled tasks to achieve persistence and C2 via the Filen API. #APT28 #PixyNetLoader
Keypoints
- Operation Neusploit used weaponized RTF files exploiting CVE-2026-21509 to gain initial access in Central and Eastern Europe (Ukraine, Slovakia, Romania).
- Two dropper variants were observed: Variant 1 deploys MiniDoor (an Outlook VBA email stealer) and Variant 2 deploys PixyNetLoader leading to a Covenant Grunt implant.
- Threat actor used server-side geofencing and User-Agent checks to serve malicious DLLs only to targeted regions and clients.
- PixyNetLoader employs COM hijacking (EhStoreShell.dll), DLL proxying, scheduled tasks (OneDriveHealth), and PNG LSB steganography to load shellcode and a .NET Covenant Grunt implant in-memory.
- MiniDoor installs a decrypted Outlook VBA project (VbaProject.OTM), downgrades Outlook macro security via registry changes, and forwards emails to hardcoded actor addresses.
- Attribution to APT28 is supported by tooling overlap between MiniDoor and the earlier NotDoor Outlook backdoor, abuse of the Filen API for C2, and TTP similarities with prior APT28 campaigns.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Exploit RTFs were delivered as email attachments (‘Exploit RTFs were observed delivered as email attachments.’)
- [T1203] Exploitation for Client Execution – Vulnerability CVE-2026-21509 was exploited to initiate the infection chain (‘CVE-2026-21509 was exploited to initiate the infection chain.’)
- [T1106] Native API – Native APIs were used to execute the shellcode in Variant 2 (‘Native APIs were used to execute the shellcode for Variant 2.’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – A scheduled task (OneDriveHealth) was used to trigger the COM hijack and run the shellcode loader (‘A scheduled task was used for triggering the COM hijacking that runs the shellcode loader DLL.’)
- [T1204.002] User Execution: Malicious File – Users had to open the exploit RTF to start the infection (‘Users must execute the exploit RTF to start the infection chain.’)
- [T1546.015] Event Triggered Execution: Component Object Model Hijacking – COM hijacking was used to load the malicious EhStorShell.dll into explorer.exe for persistence (‘COM hijacking is used for executing the Variant 2 shellcode loader DLL.’)
- [T1137.006] Office Application Startup: Add-ins – A malicious Outlook VBA project (MiniDoor) loads on Outlook startup to collect and exfiltrate email (‘A malicious Outlook VBA project is executed on Outlook startup.’)
- [T1140] Deobfuscate/Decode Files or Information – Shellcode and payloads are extracted and decoded from a PNG via steganography (‘Shellcode is encoded within PNG with steganography.’)
- [T1480.002] Execution Guardrails: Mutual Exclusion – Mutexes were used to prevent multiple instances and control execution (‘Mutexes are used to prevent multiple instances of the malware from executing at the same time.’)
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – The Variant 2 shellcode loader resolves API names at runtime using DJB2 hashing (‘DJB2 hashing is used by the Variant 2 shellcode loader for API resolution.’)
- [T1027.003] Obfuscated Files or Information: Steganography – Covenant and its loader shellcode are encoded in the PNG using LSB steganography (‘Covenant and its loader shellcode is encoded in the PNG with LSB steganography.’)
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Checks – The loader checks Sleep() timing to detect short-circuited sleeps used by sandboxes (‘The Variant 2 shellcode loader checks that Sleep API is not short-circuited as an anti-analysis/sandbox feature.’)
- [T1114] Email Collection – MiniDoor forwards mailbox items to actor-controlled email addresses to exfiltrate email (‘A malicious Outlook VBA project sends newly received emails to hardcoded email addresses controlled by the threat actor.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Covenant Grunt communicates over HTTPS for C2 traffic (‘Covenant Grunt uses HTTPS for C2 communication.’)
- [T1102.002] Web Service: Bidirectional Communication – The Filen API service is abused as a C2 bridge between Covenant Grunt and the actor’s server-side listener (‘The Filen API service is abused to bridge communications between Covenant Grunt implant and the actual Covenant C2 server-side listener.’)
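The T1027.007 entry above says the Variant 2 loader resolves APIs by DJB2 hash. The analyst helper below is an added example, not code from the report or from Zscaler: it rebuilds a DJB2 lookup table for known export names and scans a byte blob for matching 32-bit values, so hashes recovered from a loader can be mapped back to the APIs it imports. It assumes classic DJB2 (seed 5381, h = h*33 + c, case-sensitive ASCII, 32-bit truncation) with an optional XOR variant; the report does not state which variant or seed the loader uses, and the API list and sample blob are constructed here.

```python
import struct

# Added analyst helper (not from the report): map DJB2 hashes found in a
# shellcode loader back to Windows API names.
# Assumption: classic DJB2, seed 5381, h = h*33 + c over case-sensitive ASCII,
# truncated to 32 bits. Set xor=True for the h*33 ^ c variant. The actual
# variant/seed used by the loader is not stated in the report.

def djb2(name: str, seed: int = 5381, xor: bool = False) -> int:
    h = seed
    for c in name.encode("ascii"):
        h = (((h << 5) + h) ^ c) if xor else ((h << 5) + h + c)
        h &= 0xFFFFFFFF
    return h

# Small constructed seed list of exports an in-memory loader typically resolves;
# extend it with full export tables dumped from kernel32/ntdll on an analysis VM.
KNOWN_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "Sleep", "GetTickCount", "WaitForSingleObject",
]

def build_table(names, seed: int = 5381, xor: bool = False) -> dict:
    """hash -> API name, for every name in the list."""
    return {djb2(n, seed, xor): n for n in names}

def scan_blob(blob: bytes, table: dict) -> list:
    """Slide a 4-byte window over raw bytes and report each little-endian
    dword that matches a table entry, as (offset, api_name)."""
    hits = []
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        if val in table:
            hits.append((off, table[val]))
    return hits

# Constructed sample: two hashes embedded in NOP padding, as a loader's
# hash table would appear in a memory dump.
SAMPLE = b"\x90" * 3 + struct.pack("<II", djb2("Sleep"), djb2("VirtualAlloc")) + b"\x90" * 2

if __name__ == "__main__":
    for off, api in scan_blob(SAMPLE, build_table(KNOWN_APIS)):
        print(f"offset {off}: {api}")
```

If no hits come back, try the XOR variant or a different seed before concluding the loader uses a custom hash.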
Indicators of Compromise
- [File Hash] RTF exploit samples – 95e59536455a089… (Consultation_Topics_Ukraine(Final).doc), 2f7b4dca1c79e525… (Courses.doc), and other hashes listed in the report.
- [Filename] dropped components and artifacts – EhStoreShell.dll (shellcode loader), SplashScreen.png (PNG containing embedded shellcode).
- [Domain] malicious infrastructure – freefoodaid[.]com, wellnesscaremed[.]com (domains hosting droppers and payloads).
- [URL] dropper hosting locations – hxxps://freefoodaid[.]com/documents/2_2.d (MiniDoor dropper), hxxps://freefoodaid[.]com/tables/tables.d (PixyNetLoader dropper).
- [Email Address] exfiltration targets – [email protected], [email protected] (two addresses hardcoded in MiniDoor for forwarded emails; they are obfuscated in this copy, see the full report).
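The T1027.003 entry and the SplashScreen.png indicator above describe shellcode hidden in a PNG with LSB steganography. The script below is an added forensic helper, not code from the report: it decodes a PNG's pixel bytes with the standard library only and carves the least-significant-bit plane so a hidden payload can be recovered and triaged. It assumes 8-bit RGB/RGBA, non-interlaced images and bits packed MSB-first across channel bytes in raster order; the real sample's packing may differ, and make_png only builds a constructed test image.

```python
import struct, zlib
# Added forensic helper (not from the report): decode PNG pixels and carve the
# LSB plane where an LSB-steganography payload lives. Assumptions: 8-bit
# RGB/RGBA, non-interlaced, bits packed MSB-first in raster order.

def paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    return a if pa <= pb and pa <= pc else (b if pb <= pc else c)

def decode_png(data: bytes):
    """Return (channels, pixel bytes) after undoing the per-scanline filters."""
    assert data[:8] == b"\x89PNG\r\n\x1a\n", "not a PNG"
    pos, idat = 8, b""
    while pos < len(data):
        n, t = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + n]
        if t == b"IHDR":
            w, h, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
        elif t == b"IDAT":
            idat += body
        pos += 12 + n  # length + type + data + CRC
    assert depth == 8 and ctype in (2, 6) and interlace == 0, "unsupported PNG"
    ch = 3 if ctype == 2 else 4
    raw, stride, out, prev = zlib.decompress(idat), w * ch, bytearray(), bytes(w * ch)
    for y in range(h):
        f, line = raw[y * (stride + 1)], bytearray(raw[y * (stride + 1) + 1:(y + 1) * (stride + 1)])
        for i in range(stride):
            a = line[i - ch] if i >= ch else 0
            b, c = prev[i], (prev[i - ch] if i >= ch else 0)
            pred = {0: 0, 1: a, 2: b, 3: (a + b) // 2, 4: paeth(a, b, c)}[f]
            line[i] = (line[i] + pred) & 0xFF
        out += line
        prev = bytes(line)
    return ch, bytes(out)

def carve_lsb(png: bytes, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSB of consecutive channel bytes."""
    _, pixels = decode_png(png)
    bits = [p & 1 for p in pixels[:nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))

def make_png(w: int, h: int, rgb: bytes) -> bytes:
    """Constructed test image: plain RGB, filter type 0 on every scanline."""
    def chunk(t, b):
        return struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))
    raw = b"".join(b"\x00" + rgb[y * w * 3:(y + 1) * w * 3] for y in range(h))
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))
```

Run carve_lsb over a suspect image with a generous nbytes and look for an MZ header, shellcode prologue or high-entropy blob at the start of the output; a clean image yields noise.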
Read more: https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit