Russian state-sponsored hackers are actively exploiting a recently patched vulnerability in Microsoft Office, compromising systems across diplomatic, maritime, and transport organizations in more than half a dozen countries. The attacks, attributed to the threat group known as APT28 (also tracked as Fancy Bear, Sednit, Forest Blizzard, and Sofacy), began within 48 hours of Microsoft releasing an emergency security update on .
The vulnerability, designated CVE-2026-21509, is a security feature bypass in Microsoft Office. Exploitation requires a user to open a specially crafted Rich Text Format (RTF) document; the crafted file slips past the security prompts Office would normally show, so the malicious code runs without the warning that might otherwise make a recipient suspicious. Researchers at Trellix observed the group rapidly reverse-engineer the patch and build a working exploit that installs two previously unknown backdoor implants.
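The article does not describe the internals of the crafted RTF, so there is no signature to write for CVE-2026-21509 itself. What a mail gateway or triage analyst can do is score incoming RTF attachments on the generic indicators that RTF-based exploits have relied on for years: embedded or auto-updating OLE objects, DDE fields, and URLs or executable headers hidden inside hex-encoded object data. The following scanner is an added example, not code from the article or from Trellix or Zscaler; the control-word weights are arbitrary triage values, the sample documents are constructed, and the `example.invalid` URL is a reserved placeholder.

```python
"""Static triage of RTF attachments for embedded-object and auto-execution indicators.

Added example. The heuristics are generic RTF-abuse indicators, not a signature for
CVE-2026-21509, whose document internals are not described in the article.
"""
import re
from dataclasses import dataclass, field

# Control words that matter for triage, with an arbitrary weight each (assumption).
SUSPICIOUS_CONTROL_WORDS = {
    "objdata": 1,     # hex-encoded object payload follows
    "objclass": 1,    # explicit OLE class name
    "objlink": 2,     # linked rather than embedded object
    "objautlink": 3,  # automatic link, refreshed without user action
    "objupdate": 3,   # object updated when the document is opened
}
CONTROL_WORD = re.compile(rb"\\([a-z]+)")
OBJDATA_HEX = re.compile(rb"\\objdata\s*((?:[0-9A-Fa-f]{2}\s*){16,})")
OBJCLASS = re.compile(rb"\\objclass\s*([^\\{}\s]+)")
DDE_FIELD = re.compile(rb"\\fldinst[^}]*?\b(DDEAUTO|DDE)\b", re.IGNORECASE)
URL_OR_UNC = re.compile(rb"(?:https?://|\\\\)[^\s\"'{}<>\x00]+", re.IGNORECASE)


@dataclass
class RtfFindings:
    is_rtf: bool
    control_words: list = field(default_factory=list)
    object_classes: list = field(default_factory=list)
    dde_field: bool = False
    urls: list = field(default_factory=list)
    embedded_pe: bool = False

    def score(self) -> int:
        """Weighted sum; anything above roughly 5 belongs in a sandbox, not an inbox."""
        s = sum(SUSPICIOUS_CONTROL_WORDS[w] for w in self.control_words)
        s += 4 if self.dde_field else 0
        s += 2 * min(len(self.urls), 3)
        s += 4 if self.embedded_pe else 0
        return s


def _decode_hex(blob: bytes) -> bytes:
    return bytes.fromhex(re.sub(rb"\s+", b"", blob).decode("ascii"))


def triage_rtf(data: bytes) -> RtfFindings:
    findings = RtfFindings(is_rtf=data.lstrip().startswith(b"{\\rtf"))
    if not findings.is_rtf:
        return findings
    seen = {m.group(1).decode("ascii") for m in CONTROL_WORD.finditer(data)}
    findings.control_words = sorted(w for w in seen if w in SUSPICIOUS_CONTROL_WORDS)
    findings.object_classes = [m.group(1).decode("latin-1") for m in OBJCLASS.finditer(data)]
    findings.dde_field = DDE_FIELD.search(data) is not None
    urls = {m.group(0) for m in URL_OR_UNC.finditer(data)}   # URLs in plain text
    for m in OBJDATA_HEX.finditer(data):                     # URLs or a PE inside object data
        payload = _decode_hex(m.group(1))
        if b"MZ" in payload and b"PE\x00\x00" in payload:
            findings.embedded_pe = True
        urls.update(u.group(0) for u in URL_OR_UNC.finditer(payload))
    findings.urls = sorted(u.decode("latin-1") for u in urls)
    return findings


# Constructed samples (not real documents).
BENIGN_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Calibri;}}\\f0 Port call schedule, see attached table.\\par}"


def _fake_object_data(url: bytes) -> bytes:
    """Hex-encode a constructed OLE-like blob: short header, a URL, zero padding."""
    return (b"\x01\x05\x00\x00\x02\x00\x00\x00" + url + b"\x00" * 32).hex().encode("ascii")


SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\object\\objautlink\\objupdate\\objclass Package"
    b"{\\*\\objdata " + _fake_object_data(b"http://example.invalid/update.dll") + b"}}\\par}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        f = triage_rtf(doc)
        print(f"{name}: score={f.score()} words={f.control_words} urls={f.urls}")
```

The URL is only visible after decoding the object data, which is the point: a gateway that greps the raw attachment for `http://` sees nothing. A high score is a reason to detonate the file in a sandbox, not proof of exploitation, and a low score proves nothing about a document that carries its payload in a form these heuristics do not cover.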
A Stealthy and Targeted Campaign
What distinguishes this campaign is its focus on stealth and precision. The exploit and payloads are encrypted and designed to run in memory, which makes detection by standard endpoint protection significantly harder. The attackers deliver the malicious RTF documents from previously compromised government accounts, so recipients see what looks like legitimate correspondence from a known counterpart and are more likely to open the attachment. Command and control channels are hosted on legitimate cloud services that are often already allow-listed inside sensitive networks; an allow-list entry for a provider's domain cannot tell an organization's own tenant apart from an attacker-controlled account on the same service, so the traffic blends in.
“The use of CVE-2026-21509 demonstrates how quickly state-aligned actors can weaponize new vulnerabilities, shrinking the window for defenders to patch critical systems,” researchers at Trellix wrote. The entire infection chain, from the initial phishing email to the deployment of in-memory backdoors and secondary implants, is meticulously designed to evade detection.
Geographic Focus and Targeted Sectors
The spear-phishing campaign ran for roughly 72 hours, beginning on , and involved at least 29 distinct email lures sent to organizations in nine countries. Most targets are in Central and Eastern Europe, with confirmed compromises in Poland, Slovenia, Ukraine, and Romania, and further confirmed compromises in Greece, Turkey, the UAE, and Bolivia. According to Trellix, approximately 40 percent of the targeted organizations are defense ministries, 35 percent are transportation and logistics operators, and 25 percent are diplomatic entities.
Operation Neusploit, as Zscaler researchers have named the campaign, begins with the opening of a malicious RTF document. This triggers the retrieval of a malicious Dynamic Link Library (DLL) from attacker-controlled infrastructure. Server-side checks on the requesting victim then decide which of two payloads is delivered: MiniDoor or a second, undisclosed implant. MiniDoor is built to covertly collect and forward the user's Outlook email, giving the attackers access to sensitive communications.
Implications and Response
The speed with which APT28 exploited this vulnerability underscores the ongoing threat posed by state-sponsored actors and the critical importance of rapid patching. Microsoft released an out-of-band patch on , and the attackers were observed actively exploiting the flaw just days later, on , according to reporting from Petri.com. The practical lesson is to treat an out-of-band Office update as an emergency change: push it immediately, confirm from endpoint inventory that the update actually applied rather than relying on deployment status alone, and back that up with endpoint detection and response (EDR) tooling that can inspect process memory, since the payloads here never touch disk in clear form.
The use of legitimate cloud services for command and control further complicates defense, because blocking those providers outright is rarely an option. Organizations should instead watch who is talking rather than only where: an Office process, or a process it spawned, initiating outbound connections shortly after a document was opened is suspicious regardless of the destination's reputation, and egress allow-lists should be scoped to the organization's own tenants or accounts where the provider supports it. Given the targeted nature of the attacks, organizations in the diplomatic, maritime, and transport sectors, particularly those in Eastern Europe, should be especially vigilant and review their security posture.
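The infection chain described above (RTF opened in Office, a DLL fetched from remote infrastructure, an implant running in memory) and the point about allow-listed cloud C2 both come down to one detection idea: correlate what an Office process does in the minutes after it opens an RTF, and do not let a reputable destination excuse the chain. The following correlation rule is an added example, not code from the article, Trellix, Zscaler or any EDR vendor. The event names, fields, scores, hosts, timestamps and domains are assumptions for constructed sample telemetry; map them onto your own schema.

```python
"""Correlate endpoint telemetry around an Office process that opened an RTF.

Added example with an assumed event schema and constructed data. An Office process
that opens an .rtf and then makes a network connection, loads a DLL from a
user-writable path or spawns a child is a chain worth alerting on even when the
destination is an allow-listed cloud service.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
INTERNAL_SUFFIXES = (".corp.example",)   # assumption: the organisation's own domains
WINDOW = timedelta(seconds=120)          # how long after the .rtf open we keep correlating
ALERT_THRESHOLD = 5                      # arbitrary: one strong or two weak indicators


@dataclass
class Alert:
    host: str
    pid: int
    document: str
    opened_at: datetime
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def parse_events(lines):
    """One JSON object per line; returns events sorted by timestamp."""
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, allowlist=frozenset(), window=WINDOW):
    tracked = {}    # (host, pid) of an Office process that opened an .rtf -> Alert
    child_of = {}   # (host, child pid) -> key of the Office process it descends from
    for ev in events:
        host, pid, proc = ev["host"], ev["pid"], ev["proc"].lower()
        key = (host, pid)
        if ev["event"] == "file_open":
            if proc in OFFICE_PROCS and ev["path"].lower().endswith(".rtf"):
                tracked[key] = Alert(host, pid, ev["path"], ev["ts"])
            continue
        if ev["event"] == "process_start":
            parent = (host, ev.get("ppid"))
            origin = parent if parent in tracked else child_of.get(parent)
            if origin is None or ev["ts"] - tracked[origin].opened_at > window:
                continue
            child_of[key] = origin          # descendants inherit the Office process's context
            bonus = 2 if proc in LOLBINS else 0
            tracked[origin].add(3 + bonus, f"spawned {proc} (pid {pid})")
            continue
        origin = key if key in tracked else child_of.get(key)
        if origin is None or ev["ts"] - tracked[origin].opened_at > window:
            continue
        alert = tracked[origin]
        if ev["event"] == "net_conn":
            dest = ev["dest"].lower()
            if dest.endswith(INTERNAL_SUFFIXES):
                continue                    # the org's own services are expected
            kind = "allow-listed cloud service" if dest in allowlist else "external host"
            alert.add(3, f"{proc} connected to {kind} {dest}")   # same weight either way
        elif ev["event"] == "image_load":
            if any(d in ev["path"].lower() for d in USER_WRITABLE):
                alert.add(4, f"{proc} loaded {ev['path']} from a user-writable path")
    return [a for a in tracked.values() if a.score >= ALERT_THRESHOLD]


def run_detection(log_text: str, allowlist=frozenset()):
    return correlate(parse_events(log_text.splitlines()), allowlist)


# Constructed sample telemetry: hosts, users, timestamps and domains are invented.
SAMPLE_LOG = r"""
{"ts":"2026-02-01T09:12:00","host":"WS-017","event":"process_start","proc":"WINWORD.EXE","pid":4100,"ppid":1300}
{"ts":"2026-02-01T09:12:04","host":"WS-017","event":"file_open","proc":"WINWORD.EXE","pid":4100,"path":"C:\\Users\\ana\\Downloads\\Port_schedule.rtf"}
{"ts":"2026-02-01T09:12:06","host":"WS-017","event":"net_conn","proc":"WINWORD.EXE","pid":4100,"dest":"storage.cloud.example"}
{"ts":"2026-02-01T09:12:08","host":"WS-017","event":"image_load","proc":"WINWORD.EXE","pid":4100,"path":"C:\\Users\\ana\\AppData\\Local\\Temp\\upd.dll"}
{"ts":"2026-02-01T09:12:11","host":"WS-017","event":"process_start","proc":"rundll32.exe","pid":4188,"ppid":4100}
{"ts":"2026-02-01T09:12:15","host":"WS-017","event":"net_conn","proc":"rundll32.exe","pid":4188,"dest":"storage.cloud.example"}
{"ts":"2026-02-01T09:40:00","host":"WS-002","event":"file_open","proc":"WINWORD.EXE","pid":2210,"path":"C:\\Users\\ion\\Documents\\memo.rtf"}
{"ts":"2026-02-01T09:40:03","host":"WS-002","event":"net_conn","proc":"WINWORD.EXE","pid":2210,"dest":"sharepoint.corp.example"}
"""

if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOG, allowlist={"storage.cloud.example"}):
        print(f"[{a.host}] pid {a.pid} opened {a.document}: score {a.score}")
        for r in a.reasons:
            print("   -", r)
```

The second host opens an RTF and talks only to an internal service, so it produces no alert; the first host produces one alert carrying the whole chain in `reasons`, and the allow-listed destination is labelled as such but scored exactly like an unknown host. In production the window and weights need tuning against your own baseline of what Office legitimately does (template fetches, add-in updates), which is the cost of not trusting destination reputation.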
The attackers’ use of previously compromised government accounts as the delivery vector suggests a broader reconnaissance and compromise phase preceded the exploitation of CVE-2026-21509. This highlights the importance of strong account security practices, including phishing-resistant multi-factor authentication, regular password audits, and review of mailbox activity for signs that an account was taken over well before it started sending lures.
The sophistication of the attack chain, from the initial phishing email to the deployment of stealthy malware, demonstrates the advanced capabilities of APT28 and the persistent threat they pose to governments and organizations worldwide. Continued monitoring and analysis of their tactics, techniques, and procedures (TTPs) are essential for effective defense.
