APT28 weaponized the Microsoft Office vulnerability CVE-2026-21509 to breach European military and government targets within 24 hours of its disclosure. The attackers used convincing spear-phishing lures, fileless execution via embedded OLE and WebDAV, and cloud-based C2 hosted on filen.io to deploy implants including BeardShell and the email-stealing NotDoor.
Key points
- APT28 exploited CVE-2026-21509 within 24 hours of public disclosure.
- Targets included defense ministries and logistics operators in Poland, Ukraine, and other NATO-aligned nations.
- A 72-hour spear-phishing blitz used tailored lures about weapons smuggling and training invitations.
- The exploit leverages embedded OLE and WebDAV to fetch payloads without macros, enabling fileless execution.
- Attackers abused filen.io for C2 and deployed BeardShell and NotDoor to exfiltrate emails and maintain stealth.
Read More: https://securityonline.info/apt28-weaponizes-office-flaw-to-spy-on-nato-military/