Russia’s APT28 (Fancy Bear) weaponized the Microsoft Office zero-day CVE-2026-21509 within one day of Microsoft’s public disclosure, targeting users in Ukraine, Slovakia, and Romania. Zscaler ThreatLabz is tracking the campaign as Operation Neusploit.
Campaign overview
| Attribute | Details |
|---|---|
| Campaign name | Operation Neusploit |
| Threat actor | APT28 / Fancy Bear / UAC-0001 |
| Attribution | Russia’s GRU (Unit 26165) |
| Vulnerability | CVE-2026-21509 |
| Time to weaponization | <24 hours after disclosure |
| Targets | Ukraine, Slovakia, Romania, Poland, Slovenia, Turkey, Greece, UAE |
| Malware deployed | MiniDoor, NotDoor, PixyNetLoader, BEARDSHELL, Covenant Grunt |
| Discovery | Zscaler ThreatLabz, CERT-UA, Trellix |
Timeline
| Date | Event |
|---|---|
| January 26, 2026 | Microsoft releases out-of-band patch for CVE-2026-21509 |
| January 27, 2026 | CISA adds CVE-2026-21509 to KEV catalog |
| January 27, 2026 | CERT-UA detects exploitation attempts (1 day after disclosure) |
| January 29, 2026 | Zscaler observes active exploitation in the wild |
| February 2026 | CERT-UA confirms 60+ targeted email addresses in Ukraine |
| February 3, 2026 | Zscaler publishes Operation Neusploit analysis |
| February 4, 2026 | Trellix publishes expanded analysis with new malware families |
The one-day window between patch release and observed exploitation demonstrates APT28’s capability to rapidly weaponize disclosed vulnerabilities.
CVE-2026-21509
| Field | Value |
|---|---|
| CVE | CVE-2026-21509 |
| CVSS | 7.8 (High) |
| Type | Security Feature Bypass |
| Root cause | Reliance on untrusted inputs in security decision |
| Impact | OLE mitigation circumvention |
| CISA KEV | Added January 27, 2026 |
| KEV Deadline | February 16, 2026 |
The vulnerability allows attackers to bypass OLE (Object Linking and Embedding) mitigations in Microsoft Office. When a victim opens a specially crafted document, the protections that should block malicious embedded content are circumvented.
Technical mechanism
| Step | Action |
|---|---|
| 1 | Victim receives malicious RTF document |
| 2 | Document contains crafted OLE object |
| 3 | Office security mitigations bypassed |
| 4 | Embedded malicious content executes |
| 5 | Dropper DLL downloaded from attacker server |
Target profile
Initial targets (Zscaler/CERT-UA)
| Target type | Details |
|---|---|
| Ukrainian central executive authorities | 60+ email addresses confirmed by CERT-UA |
| EU policy organizations | COREPER-themed lures |
| Slovak government | Localized documents |
| Romanian officials | Government correspondence themes |
COREPER (Committee of Permanent Representatives) is the EU body that prepares European Council meetings—a high-value target for Russian intelligence.
Expanded targeting (Trellix - February 4)
Trellix researchers observed APT28 expanding operations within 24 hours of the vulnerability’s public disclosure:
| Country | Sector |
|---|---|
| Poland | Military, government |
| Slovenia | Government |
| Turkey | Maritime, transport |
| Greece | Maritime, transport |
| UAE | Maritime, transport |
| Ukraine | Government, military |
The targeting of maritime and transport organizations across multiple countries suggests intelligence collection related to supply chains, logistics, and potentially military movements.
Social engineering lures
Documents were localized for specific targets:
| Language | Example lure | Target audience |
|---|---|---|
| Ukrainian | Military-themed documents | Defense officials |
| Romanian | Government correspondence | Government staff |
| Slovak | EU-related content | Policy officials |
| English | "Consultation_Topics_Ukraine(Final).doc" | EU policy staff |
Attack chains
Zscaler identified two variants of the attack chain:
Variant 1: MiniDoor
| Phase | Action |
|---|---|
| 1 | Victim receives RTF file exploiting CVE-2026-21509 |
| 2 | Successful exploitation downloads dropper DLL |
| 3 | Dropper installs MiniDoor |
| 4 | MiniDoor monitors Outlook for email theft |
Variant 2: PixyNetLoader
| Phase | Action |
|---|---|
| 1 | Same initial RTF exploit |
| 2 | Dropper installs PixyNetLoader |
| 3 | PixyNetLoader establishes persistence |
| 4 | Deploys Covenant Grunt implant for C2 |
Malware analysis
MiniDoor
MiniDoor is a simplified version of NotDoor (aka GONEPOSTAL), previously attributed to APT28 by Lab52 researchers in September 2025.
| Attribute | Details |
|---|---|
| Type | Outlook VBA-based email stealer |
| Persistence | Malicious Outlook VBA project |
| Trigger | Monitors MAPILogonComplete event |
| Target folders | Inbox, RssFeeds, Junk, Drafts |
Capabilities:
| Function | Action |
|---|---|
| Email monitoring | Watches for new messages |
| Email forwarding | Sends discovered emails to two hardcoded attacker addresses |
| Evidence deletion | Sets DeleteAfterSubmit to prevent Sent folder copies |
| Stealth | No persistent network access required |
The malware provides APT28 with access to victims’ email communications without requiring continuous C2 connectivity.
NotDoor (GONEPOSTAL) - Trellix analysis
Trellix’s February 4 report provided additional details on NotDoor, the full-featured Outlook VBA backdoor:
| Attribute | Details |
|---|---|
| Also known as | GONEPOSTAL |
| First documented | Lab52, September 2025 |
| Type | Outlook VBA backdoor |
| Function | Full backdoor, versus MiniDoor’s stripped-down email theft |
BEARDSHELL - New implant
Trellix documented a previously unreported custom implant:
| Attribute | Details |
|---|---|
| Name | BEARDSHELL |
| Language | C++ |
| Type | Custom implant |
| C2 | Filen.io cloud storage API |
| Purpose | Persistent access, command execution |
The use of filen.io as C2 infrastructure allows malicious traffic to blend with normal cloud storage usage, complicating network-based detection.
PixyNetLoader
PixyNetLoader is a previously undocumented tool that establishes persistence and deploys additional components:
| Attribute | Details |
|---|---|
| Decryption | 71-byte rolling XOR key for embedded payloads |
| Files dropped | SplashScreen.png, EhStoreShell.dll, office.xml |
| Persistence | Registry-based |
| C2 | Filen API (matches Operation Phantom Net Voxel tactics) |
EhStoreShell.dll
| Technique | Purpose |
|---|---|
| Export proxying | Mimics legitimate DLL |
| Sleep() checks | Evades sandbox analysis |
| Process validation | Detects analysis environments |
| LSB steganography | Extracts shellcode from PNG pixels |
Covenant Grunt
The final payload is a Covenant Grunt implant providing full command-and-control capabilities.
Evasion techniques
APT28 employed multiple evasion layers:
| Technique | Purpose |
|---|---|
| Server-side geofencing | Only delivers payloads to targeted regions |
| User-Agent validation | Rejects requests without correct headers |
| Mutexes | Prevents multiple instances |
| Dynamic API hashing (DJB2) | Evades static analysis |
| Time-based checks | Detects sandbox environments |
| PNG steganography | Hides shellcode in image files |
The geofencing ensures that security researchers outside target regions receive benign responses when analyzing the infrastructure.
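Dynamic API hashing only hides import names from static tools until the analyst rebuilds the hash table. The helper below is an added example (not Zscaler's or Trellix's tooling) that precomputes DJB2 hashes over a constructed export list so hashes recovered from a sample can be mapped back to Win32 API names; it assumes the canonical DJB2 parameters (seed 5381, h*33 + byte, 32-bit), which real samples may vary, so seed and variant are exposed as parameters.

```python
# Added example: resolve DJB2 API hashes back to export names during analysis.
# Assumes canonical DJB2 (seed 5381, h = h*33 + byte, truncated to 32 bits)
# over the ASCII export name. Samples often tweak the seed, fold case, or use
# the XOR variant; adjust the parameters below to match what the loader does.

def djb2(name: str, seed: int = 5381, xor_variant: bool = False) -> int:
    """Canonical DJB2 (or its XOR variant) of an ASCII string, masked to 32 bits."""
    h = seed
    for b in name.encode("ascii"):
        h = ((h * 33) ^ b) if xor_variant else (h * 33 + b)
        h &= 0xFFFFFFFF
    return h

# Constructed export list for this example; in practice feed the full export
# table of kernel32.dll / ntdll.dll etc. (e.g. parsed with a PE library).
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "Sleep", "CreateMutexA", "WriteProcessMemory"]

def build_table(exports, **hash_params) -> dict:
    """Map hash -> export name so recovered constants resolve in O(1)."""
    return {djb2(n, **hash_params): n for n in exports}

def resolve(hashes, table: dict) -> dict:
    """Resolve each recovered hash; unknown values are flagged, not guessed."""
    return {h: table.get(h, "<unknown>") for h in hashes}

if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Pretend these constants were lifted from a sample's hash-resolver routine.
    recovered = [djb2("Sleep"), djb2("CreateMutexA"), 0xDEADBEEF]
    for h, name in resolve(recovered, table).items():
        print(f"0x{h:08x} -> {name}")
```

If no export resolves, try case-folding the names or the XOR variant before assuming a custom algorithm.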
Multi-layered evasion (Trellix)
Trellix noted the sophistication of the overall attack chain:
“The entire chain is designed for resilience and evasion, utilizing encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection to minimize forensic artifacts.”
| Layer | Technique |
|---|---|
| Delivery | Encrypted RTF documents |
| C2 | Legitimate cloud storage (filen.io) |
| Execution | In-memory payloads |
| Persistence | Process injection |
| Forensics | Minimal disk artifacts |
This multi-layered approach demonstrates APT28’s evolved tradecraft in maintaining persistent access while evading detection across enterprise environments.
Attribution
CERT-UA attributes the campaign to UAC-0001, their designation for APT28.
Attribution evidence
| Evidence | Details |
|---|---|
| TTP overlap | Matches documented APT28 operations |
| Filen API C2 | Same technique used in Operation Phantom Net Voxel (Sekoia, September 2025) |
| MiniDoor code | Similarities with NotDoor |
| Target selection | Consistent with Russian strategic interests |
| Rapid weaponization | Capability signature of APT28 |
APT28 background
| Attribute | Details |
|---|---|
| Also known as | Fancy Bear, Forest Blizzard, Sofacy, UAC-0001 |
| Affiliation | Russia’s GRU Military Intelligence (Unit 26165) |
| Active since | At least 2004 |
| Primary targets | NATO countries, Ukraine, defense sector |
Detection
Zscaler signatures
| Detection | Description |
|---|---|
| RTF.Exploit.CVE-2026-21509 | Exploit document detection |
| Win32.Spyware.MiniDoor | MiniDoor malware |
Indicators to monitor
| Indicator | Meaning |
|---|---|
| RTF documents with OLE objects from external sources | Potential exploitation |
| Outlook macro activity on user systems | MiniDoor activity |
| Connections to Filen API from corporate networks | PixyNetLoader C2 |
| Email forwarding rules to unknown external addresses | Email theft |
| PNG files with unusual entropy | Steganography payload |
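The first indicator above (RTF documents carrying OLE objects, received from outside the organisation) can be turned into a static triage check. The script below is an added example, not Zscaler's or Trellix's detection logic; the sample RTF is constructed for the demonstration and is not a Neusploit document.

```python
import re

# Constructed sample for this example: a minimal RTF carrying one embedded OLE
# object (a "Package"). It is NOT a Neusploit document; only the \object,
# \objclass and \objdata structure matters for triage.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Package}"
    rb"{\*\objdata 01050000020000000c000000}}Hello}"
)

OBJECT_RE = re.compile(rb"\\object\b")                            # start of an OLE object group
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([A-Za-z0-9_.]+)")  # declared OLE class name
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")     # hex-encoded OLE payload


def triage_rtf(data: bytes, from_external_source: bool = True) -> dict:
    """Static triage of an RTF blob: counts OLE objects, lists declared classes
    and sizes each \\objdata payload. Nothing is rendered or executed."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return {"is_rtf": False, "object_count": 0, "classes": [],
                "objdata_bytes": [], "risk": "none"}
    object_count = len(OBJECT_RE.findall(data))
    classes = [c.decode("ascii", "replace") for c in OBJCLASS_RE.findall(data)]
    sizes = []
    for blob in OBJDATA_RE.findall(data):
        hexrun = re.sub(rb"\s+", b"", blob)
        if len(hexrun) % 2:   # odd-length hex run is malformed; drop the stray nibble
            hexrun = hexrun[:-1]
        sizes.append(len(bytes.fromhex(hexrun.decode("ascii"))))
    if object_count == 0 and not sizes:
        risk = "low"
    elif from_external_source:
        risk = "high"         # the indicator: OLE-bearing RTF arriving from outside
    else:
        risk = "medium"
    return {"is_rtf": True, "object_count": object_count, "classes": classes,
            "objdata_bytes": sizes, "risk": risk}


if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

Regex triage is adequate for well-formed files; for gateway use, a dedicated RTF parser such as oletools' rtfobj also copes with the obfuscated hex runs Office's lenient parser accepts.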
Recommendations
Immediate actions
| Priority | Action |
|---|---|
| Critical | Apply Microsoft’s January 26 security update |
| Critical | Block RTF files from external sources at email gateways |
| High | Enable Protected View for all Office documents |
| High | Monitor Outlook for suspicious macro activity |
| High | Implement network segmentation |
Patch verification
| Office version | Fix method |
|---|---|
| Microsoft 365 / Office 2021+ / LTSC | Service-side change (restart Office apps) |
| Office 2016 | Update to 16.0.5539.1001+ |
| Office 2019 | Update to 16.0.10417.20095+ |
For organizations in target regions
| Priority | Action |
|---|---|
| Critical | Conduct proactive threat hunting for Operation Neusploit IOCs |
| High | Brief staff on EU/military-themed phishing |
| High | Monitor for unexpected email forwarding rules |
| Medium | Review Outlook VBA project configurations |
| Ongoing | Coordinate with national CERTs |
Context
Operation Neusploit demonstrates APT28’s operational agility—weaponizing a disclosed vulnerability within 24 hours of Microsoft’s patch release. Organizations in Ukraine, Slovakia, and Romania should assume they may be targeted and conduct proactive threat hunting.
The campaign’s focus on email theft via MiniDoor reflects APT28’s intelligence collection priorities. Email access provides visibility into communications, relationships, and decision-making processes without requiring persistent network presence.
The combination of rapid vulnerability exploitation, sophisticated evasion techniques, and targeted social engineering makes Operation Neusploit a representative example of Russian state-sponsored cyber operations against NATO-adjacent countries.