APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks

Russian APT28 Exploits Microsoft Office Flaw in Neusploit Campaign, Targeting Ukraine and Eastern Europe

In a sophisticated cyberattack campaign that underscores the escalating digital warfare between Russia and Ukraine, the notorious state-sponsored hacking group APT28—also known as Fancy Bear or UAC-0001—has been linked to a series of attacks exploiting a newly discovered Microsoft Office vulnerability. Dubbed Operation Neusploit, this campaign leverages CVE-2026-21509, a critical security flaw in Microsoft Office that allows attackers to bypass security features and execute malicious code through specially crafted Office files.

The discovery, detailed by cybersecurity researchers at Zscaler ThreatLabz, reveals that APT28 began weaponizing the vulnerability on January 29, 2026—just three days after Microsoft publicly disclosed the flaw. The attacks have primarily targeted users in Ukraine, Slovakia, and Romania, employing highly localized social engineering tactics to maximize their impact.

A Multi-Pronged Attack Strategy

The Neusploit campaign employs two distinct attack chains, each designed to achieve specific objectives:

MiniDoor: The Email Stealer

The first attack vector involves a dropper that delivers MiniDoor, a C++-based DLL designed to steal emails from Outlook users. MiniDoor targets emails in critical folders such as Inbox, Junk, and Drafts, exfiltrating the stolen data to two hard-coded email addresses controlled by the attackers: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me.

Security researchers have identified MiniDoor as a stripped-down version of NotDoor (also known as GONEPOSTAL), a more sophisticated Outlook email stealer that was documented by S2 Grupo LAB52 in September 2025. This evolution suggests that APT28 is continuously refining its tools to maximize efficiency while minimizing detection.

PixyNetLoader: The Covenant Grunt Implant

The second attack chain, facilitated by PixyNetLoader, is far more elaborate and represents a significant escalation in APT28’s capabilities. This dropper initiates a complex attack sequence that includes:

  • COM Object Hijacking: Leveraging Microsoft Teams and other legitimate Windows components to establish persistence on infected systems
  • DLL Proxying: Using legitimate DLL files to mask malicious activity
  • Steganography: Concealing shellcode within PNG images to evade detection
  • Covenant Framework Deployment: Installing a Grunt implant associated with the open-source .NET Covenant command-and-control (C2) framework

The attack begins when a victim opens a malicious RTF file, which exploits CVE-2026-21509 to execute the PixyNetLoader. The loader then extracts two embedded payloads: a shellcode loader named “EhStoreShell.dll” and a PNG image titled “SplashScreen.png.”

The shellcode loader employs sophisticated anti-analysis techniques, activating its malicious payload only when specific conditions are met—namely, when the infected machine is not a virtual analysis environment and when the host process is “explorer.exe.” This ensures that the malware remains dormant in sandbox environments, significantly complicating detection efforts.

Once activated, the shellcode loader extracts the shellcode hidden in the PNG image and executes it. That shellcode ultimately loads a .NET assembly that serves as the Covenant Grunt implant, giving APT28 persistent remote access to compromised systems.

Technical Sophistication and Regional Targeting

What makes Operation Neusploit particularly concerning is its technical sophistication and precise targeting. Zscaler ThreatLabz noted that the attack chains share notable overlap with APT28’s previous operations, particularly Operation Phantom Net Voxel, which was documented by Sekoia in September 2025.

However, Neusploit represents an evolution of these tactics, replacing VBA macros with DLL-based delivery while retaining core techniques such as COM hijacking, DLL proxying, and steganographic payload delivery. This adaptation demonstrates APT28’s ability to evolve its methods in response to improved security measures and detection capabilities.

The campaign’s regional focus on Ukraine, Slovakia, and Romania aligns with broader geopolitical tensions and suggests that APT28 is continuing its long-standing pattern of targeting Eastern European nations. The use of localized content in multiple languages—English, Romanian, Slovak, and Ukrainian—indicates a high level of operational sophistication and cultural awareness.

CERT-UA Confirms Widespread Impact

The disclosure of Operation Neusploit coincides with a warning from the Computer Emergency Response Team of Ukraine (CERT-UA), which reported that APT28 had exploited CVE-2026-21509 to target more than 60 email addresses associated with central executive authorities in Ukraine.

According to CERT-UA’s investigation, opening the malicious documents in Microsoft Office establishes a network connection to an external resource over the WebDAV protocol, followed by the download of a file whose code fetches and runs further malicious components. This attack chain ultimately results in the deployment of the Covenant framework’s Grunt implant, identical to the payload delivered through PixyNetLoader.

Metadata analysis of the lure documents reveals that at least one was created on January 27, 2026—just two days before Microsoft’s public disclosure of the vulnerability—suggesting that APT28 may have had prior knowledge of the flaw or was able to rapidly develop exploits following the disclosure.

Implications for Cybersecurity

The emergence of Operation Neusploit highlights several critical concerns for cybersecurity professionals and organizations:

  1. Zero-Day Exploitation Window: The rapid weaponization of CVE-2026-21509 demonstrates the extremely narrow window between vulnerability disclosure and active exploitation by sophisticated threat actors.

  2. Supply Chain Risks: The exploitation of Microsoft Office, a ubiquitous productivity suite, underscores the potential for widespread impact when critical vulnerabilities are discovered in widely deployed software.

  3. Evasion Techniques: APT28’s use of anti-analysis measures, steganography, and legitimate Windows components highlights the increasing sophistication of evasion techniques employed by state-sponsored actors.

  4. Geopolitical Cyber Warfare: The campaign reinforces the role of cyber operations as a key component of modern geopolitical conflict, particularly in the context of the ongoing Russia-Ukraine conflict.

Protection and Mitigation

Organizations are strongly advised to apply the security patches released by Microsoft for CVE-2026-21509 immediately. Additionally, security teams should implement the following measures:

  • Email Filtering: Deploy advanced email security solutions capable of detecting and blocking malicious Office documents
  • Endpoint Protection: Ensure that endpoint detection and response (EDR) solutions are configured to identify suspicious DLL activity and COM object hijacking
  • User Training: Educate users about the risks of opening unexpected email attachments, particularly those in RTF format
  • Network Monitoring: Implement network traffic analysis to detect unusual WebDAV connections and data exfiltration attempts

Conclusion

Operation Neusploit represents a significant escalation in APT28’s cyber operations, combining technical sophistication with precise geopolitical targeting. As state-sponsored threat actors continue to evolve their tactics and exploit newly discovered vulnerabilities, organizations must remain vigilant and proactive in their cybersecurity defenses.

The rapid weaponization of CVE-2026-21509 serves as a stark reminder that in today’s threat landscape, the window between vulnerability disclosure and exploitation is measured in days, not weeks or months. For organizations operating in or connected to Eastern Europe, the heightened risk posed by APT28’s activities demands immediate attention and robust defensive measures.

Tags:

APT28, Fancy Bear, Russian hackers, Microsoft Office vulnerability, CVE-2026-21509, Operation Neusploit, cybersecurity threat, state-sponsored hacking, Ukraine cyberattack, Eastern Europe security, Covenant framework, email stealer, COM hijacking, steganography, zero-day exploit, geopolitical cyber warfare, advanced persistent threat, digital espionage, cyber defense, threat intelligence
