Ukraine’s cyber defenders say Russian state-sponsored APT28 weaponized a Microsoft Office zero-day (CVE-2026-21509) and launched targeted attacks against Ukrainian government agencies and European institutions within 24 hours of public disclosure. Malicious documents exploited the flaw to deploy a multi-stage chain that drops EhStoreShell.dll and SplashScreen.png, uses COM hijacking and a scheduled “OneDriveHealth” task to load the Covenant framework with Filen.io as C2, prompting CERT-UA and Microsoft to urge immediate patching and mitigations. #CVE-2026-21509 #APT28
Keypoints
- APT28 exploited Microsoft Office zero-day CVE-2026-21509 within 24 hours of public disclosure to target Ukrainian and EU institutions.
- Malicious DOC files, including “Consultation_Topics_Ukraine(Final).doc” and “BULLETEN_H.doc,” were used as initial bait in the campaign.
- The exploit chain uses WebDAV to download a shortcut, then drops EhStoreShell.dll and SplashScreen.png and abuses COM hijacking and a scheduled “OneDriveHealth” task to achieve persistence.
- Attackers deployed the Covenant post-exploitation framework and used Filen.io cloud storage as command-and-control to blend malicious traffic with legitimate services.
- CERT-UA and Microsoft recommended immediate patching, registry mitigations, and blocking or monitoring Filen.io-related domains and IPs to reduce exposure.
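The monitoring advice in the last two points can be turned into a simple hunt over endpoint and network logs. The script below is an added example, not code from the article, CERT-UA or Microsoft: it takes the indicator names the summary gives (the "OneDriveHealth" task, the EhStoreShell.dll and SplashScreen.png file names, and the filen.io domain) and flags any scheduled-task creation, file write or DNS/proxy record that matches. The log lines are constructed for the example, in a simplified key=value shape rather than real Windows event text, and the file paths in them are placeholders, not the actual drop locations; in a real deployment the field names would be mapped from whatever your SIEM exports.

```python
"""Hunt constructed log lines for the indicators named in the CVE-2026-21509 summary.

Added example; the log format and sample values are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicator names taken from the summary: persistence task, dropped files, C2 service.
TASK_NAMES = {"onedrivehealth"}
DROPPED_FILES = {"ehstoreshell.dll", "splashscreen.png"}
C2_DOMAINS = {"filen.io"}

# key=value tokens; values may be double-quoted so paths with spaces survive.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    line_no: int
    host: str
    kind: str
    value: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key=value log line into a dict (quotes stripped)."""
    return {key: val.strip('"') for key, val in KV_RE.findall(line)}


def domain_matches(fqdn: str, suspicious: Iterable[str]) -> bool:
    """True if fqdn is one of the suspicious domains or a subdomain of one.

    Plain substring matching would also hit unrelated names such as notfilen.io,
    so the check requires an exact match or a dot-separated suffix.
    """
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in suspicious)


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log line that matches a known indicator."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        host = f.get("host", "?")
        kind = f.get("type", "")
        if kind == "task_create" and f.get("name", "").lower() in TASK_NAMES:
            findings.append(Finding(n, host, "scheduled_task", f["name"]))
        elif kind == "file_write":
            # Compare only the file name; the drop directory is not an indicator here.
            base = f.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
            if base.lower() in DROPPED_FILES:
                findings.append(Finding(n, host, "dropped_file", f["path"]))
        elif kind in ("dns", "proxy"):
            dest = f.get("query") or f.get("dest_host") or ""
            if domain_matches(dest, C2_DOMAINS):
                findings.append(Finding(n, host, "c2_domain", dest))
    return findings


# Constructed sample logs: hosts, users, timestamps and paths are all placeholders.
SAMPLE_LOGS = [
    '2026-01-30T09:12:44Z host=WS-FIN-07 type=task_create name=OneDriveHealth user=CORP\\jdoe',
    '2026-01-30T09:12:45Z host=WS-FIN-07 type=file_write path="C:\\placeholder\\EhStoreShell.dll"',
    '2026-01-30T09:12:46Z host=WS-FIN-07 type=file_write path="C:\\placeholder\\SplashScreen.png"',
    '2026-01-30T09:13:02Z host=WS-FIN-07 type=dns query=api.filen.io',
    '2026-01-30T09:15:10Z host=WS-HR-02 type=task_create name=OneDriveStandaloneUpdater user=CORP\\asmith',
    '2026-01-30T09:15:11Z host=WS-HR-02 type=proxy dest_host=login.microsoftonline.com',
    '2026-01-30T09:16:00Z host=WS-HR-02 type=dns query=notfilen.io',
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.host} {hit.kind} -> {hit.value}")
```

The benign rows (a legitimately named OneDrive task, a Microsoft sign-in host, and a look-alike domain) are there to show that the matching is exact rather than substring-based; the expected result on the sample is four findings, all from the one host. Because Filen.io is a legitimate cloud service, a domain hit on its own is a lead to triage alongside the task and file indicators, not proof of compromise.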
Read More: https://thecyberexpress.com/russian-apt28-exploit-zero-day-cve-2026-21509/