Ukraine’s Computer Emergency Response Team has warned that Russian state-linked hackers are actively exploiting a recently patched zero-day vulnerability in Microsoft Office to target government and institutional users.

The flaw, tracked as CVE-2026-21509, was addressed by Microsoft through an emergency out-of-band security update released on January 26, after the company confirmed the vulnerability was being exploited in the wild. Just three days later, CERT-UA detected malicious Word documents abusing the flaw in phishing campaigns linked to Russian cyber-espionage activity.

According to the agency, some of the malicious documents were themed around EU COREPER consultations related to Ukraine, while others impersonated the Ukrainian Hydrometeorological Center. These emails were sent to more than 60 government-related addresses. Investigators noted that metadata from at least one document showed it was created after Microsoft had already released the emergency patch, suggesting rapid adaptation by the attackers.

CERT-UA attributed the campaign to APT28, also known as Fancy Bear or Sofacy, a group associated with Russia’s military intelligence agency, the GRU. Opening the malicious documents triggered a complex infection chain that used WebDAV downloads, COM hijacking, a malicious DLL file, shellcode hidden inside an image, and a scheduled task to maintain persistence on infected systems.

The attack ultimately deployed the COVENANT malware framework, which CERT-UA has previously linked to APT28 operations. The same loader was used in attacks observed in June 2025, when Ukrainian government organizations were targeted through compromised Signal chats delivering BeardShell and SlimAgent malware.


Investigators also found that the malware used the Filen cloud storage service for command-and-control communication. CERT-UA advised organizations to monitor or block traffic associated with the service to reduce exposure to the threat.
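One way to act on that advice is to review existing proxy logs for connections to the service before deciding whether to block it outright. The script below is an added example, not tooling from CERT-UA or from the article: it parses a simple constructed proxy-log format (timestamp, client IP, method, URL, status), extracts the destination host from both plain requests and `CONNECT` tunnels, and flags hosts under the `filen.io` domain. The `filen.io` suffix is an assumption about how the service is reached, the specific subdomains and log lines are constructed sample data, and a suffix check with a leading dot is used so that look-alike names such as `notfilen.io` or `filen.io.example` are not matched.

```python
"""Flag outbound requests to the Filen cloud storage service in proxy logs.

Added example (not CERT-UA's or the article's own tooling). Assumptions:
- each log line reads: "<timestamp> <client-ip> <METHOD> <url-or-host:port> <status>"
- the service is reached via the filen.io domain and its subdomains
"""
from urllib.parse import urlsplit

# Assumption: domain suffix used by the Filen service.
FILEN_DOMAINS = ("filen.io",)


def host_matches(host, domains=FILEN_DOMAINS):
    """True if host is one of the domains or a subdomain of it.

    The leading-dot check prevents look-alikes such as 'notfilen.io' from matching.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Parse one constructed proxy-log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, method, target, status = parts[:5]
    if method.upper() == "CONNECT":
        # CONNECT lines carry "host:port" rather than a full URL.
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    return {"ts": ts, "client": client, "method": method, "host": host, "status": status}


def find_filen_traffic(lines):
    """Return parsed records whose destination host belongs to the Filen domain."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and host_matches(rec["host"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Group flagged hosts by client so each source can be triaged separately."""
    by_client = {}
    for rec in hits:
        by_client.setdefault(rec["client"], set()).add(rec["host"])
    return {client: sorted(hosts) for client, hosts in by_client.items()}


# Constructed sample log: two real hits from one client, two look-alikes, one malformed line.
SAMPLE_LOG = """\
2026-01-29T09:12:01Z 10.0.5.14 GET https://www.microsoft.com/ 200
2026-01-29T09:12:07Z 10.0.5.14 CONNECT gateway.filen.io:443 200
2026-01-29T09:12:09Z 10.0.5.14 POST https://ingest.filen.io/v3/upload 200
2026-01-29T09:13:00Z 10.0.5.22 GET http://notfilen.io/index.html 200
2026-01-29T09:13:30Z 10.0.5.22 GET https://filen.io.example/ 200
garbage
"""

if __name__ == "__main__":
    for client, hosts in summarize(find_filen_traffic(SAMPLE_LOG.splitlines())).items():
        print(f"{client}: {', '.join(hosts)}")
```

Run against real proxy exports, the interesting output is the per-client grouping: a single workstation talking to the service's storage endpoints shortly after opening an emailed document is the pattern worth pulling for forensic review, whereas broad legitimate use of the service argues for monitoring rather than a blanket block.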

Further analysis revealed that the campaign was not limited to Ukraine. APT28 reportedly used additional malicious documents to target organizations across the European Union, with some supporting domains registered on the same day, indicating coordinated activity.


CERT-UA is urging organizations to immediately apply the latest security updates for Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. Users of Office 2021 and newer versions are also advised to restart applications to ensure updates are fully applied. Where patching is not immediately possible, registry-based mitigation measures are recommended. Microsoft has also noted that Defender’s Protected View can help block malicious Office files downloaded from the internet unless they are explicitly trusted.