Researchers tracked a concentrated 72-hour APT28 spearphishing campaign that exploited the newly disclosed Microsoft Office vulnerability CVE-2026-21509 to compromise government and public-sector targets across Eastern Europe and beyond. The campaign delivered malicious Office documents that auto-executed, deploying MiniDoor, PixyNetLoader and a Covenant backdoor while abusing Filen cloud storage for command-and-control. #APT28 #CVE-2026-21509
Key points
- State-linked APT28 (Fancy Bear) conducted a multi-country espionage campaign against government and public-sector organizations.
- Attackers exploited CVE-2026-21509 in Microsoft Office using weaponized documents that executed without user interaction.
- Phishing emails were sent from compromised government accounts and used geopolitical lures to appear legitimate.
- Payloads included MiniDoor for email theft, PixyNetLoader, and a Covenant backdoor, with Filen used as a C2 channel.
- Researchers at Trellix, along with CERT-UA and Zscaler, linked the activity to APT28 and noted rapid exploitation of newly disclosed Office flaws.
Read More: https://therecord.media/russian-hackers-microsoft-office-europe