Russian hackers exploit recently patched Microsoft Office bug in attacks

Ukraine’s CERT warns that Russian-linked APT28 is actively exploiting CVE-2026-21509 in multiple Microsoft Office versions using malicious DOC attachments to deploy the COVENANT loader. The exploit chain leverages WebDAV downloads, COM hijacking with EhStoreShell.dll, shellcode embedded in an image, and a scheduled task, and defenders are advised to apply Microsoft’s out-of-band Office updates or registry mitigations and monitor/block Filen C2 traffic. #CVE-2026-21509 #APT28

Keypoints

  • CERT-UA reports active exploitation of CVE-2026-21509 in multiple Microsoft Office versions.
  • Attackers distributed malicious DOCs themed around EU COREPER consultations and impersonated the Ukrainian Hydrometeorological Center to target government addresses.
  • Opening the document triggers a WebDAV download, COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode in SplashScreen.png, and a scheduled task (OneDriveHealth) that launches COVENANT.
  • CERT-UA attributes the campaign to APT28 (Fancy Bear/Sofacy) and links COVENANT to previous APT28 activity from June 2025.
  • Organizations should install Microsoft’s emergency Office updates, restart Office 2021+ apps to apply fixes, or use provided registry mitigations and monitor/block Filen cloud storage for C2 traffic.
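A host triage script built from the artefacts the keypoints above name, added here as an example; it is not from CERT-UA, BleepingComputer, or Microsoft. The search roots, and the assumption that the COM hijack is registered through an InprocServer32 value pointing at EhStoreShell.dll, are mine and not stated on the page.

```powershell
# Added triage script (not from the CERT-UA advisory or the article).
# Hunts for three host artefacts named in the report: the OneDriveHealth
# scheduled task, EhStoreShell.dll (COM hijack payload) and SplashScreen.png
# (shellcode carrier). Search roots are an assumption; widen them as needed.
# Run in an elevated PowerShell 5.1+ session.

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Scheduled task the report says launches COVENANT
$task = Get-ScheduledTask -TaskName 'OneDriveHealth' -ErrorAction SilentlyContinue
if ($task) {
    foreach ($a in $task.Actions) {
        $findings.Add([pscustomobject]@{
            Artifact = 'ScheduledTask'
            Detail   = "$($task.TaskPath)$($task.TaskName) -> $($a.Execute) $($a.Arguments)"
        })
    }
}

# 2. Dropped files in user-writable locations (assumed search roots)
$roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData)
$names = @('EhStoreShell.dll', 'SplashScreen.png')
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Artifact = 'File'
                Detail   = "$($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTimeUtc)Z)"
            })
        }
}

# 3. InprocServer32 values pointing at the hijack DLL (assumed registration
#    method). HKCU is writable without admin rights, so it is checked first.
foreach ($hive in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($srv -and $srv -match 'EhStoreShell\.dll') {
                $findings.Add([pscustomobject]@{ Artifact = 'COMHijack'; Detail = "$($_.PSChildName) -> $srv" })
            }
        }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No matching artefacts found.' }
```

A hit on any row is a reason to isolate the host and pull the full task XML, the DLL and the PNG for analysis; an empty result only means these particular names were not found.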

Read More: https://www.bleepingcomputer.com/news/security/russian-hackers-exploit-recently-patched-microsoft-office-bug-in-attacks/