Main points
- The Russian hacking group APT28 exploited the CVE-2026-21509 vulnerability in Microsoft Office in espionage attacks on government agencies in Europe.
- The attackers sent phishing emails with malicious documents that fetched further attack components, and used techniques such as XOR-obfuscated payloads and fileless loaders to hide their tracks.

Russian group APT28 launched a spy campaign through Microsoft Office documents / Collage 24 Channel/Depositphotos
In late January 2026, European government agencies faced a targeted cyber espionage campaign that unfolded with extraordinary speed.
The attacks were built around a new vulnerability in office software and disguised as official correspondence related to security and emergency events, Cyber Press writes.
How did the attack work?
The Russian state-sponsored hacking group APT28, also known as Fancy Bear, has conducted an active espionage operation against government and defense-related organizations in Poland, Slovenia, Turkey, Greece, the United Arab Emirates, and Ukraine.
The main entry point was CVE-2026-21509 in Microsoft Office, which allowed Office's security mechanisms to be bypassed: no macros were needed, and the user saw no warning.
APT28 weaponised the exploit in its infrastructure less than 24 hours after the issue was publicly disclosed on January 26, 2026. The vulnerability allowed arbitrary code to be executed via OLE objects embedded in RTF and DOC documents. The malicious documents then retrieved the next-stage components from remote servers over WebDAV.
- Victims received phishing emails with attachments such as “BULLETEN_H.doc”.
- Opening such a file silently fetched LNK shortcuts and the SimpleLoader library.
- SimpleLoader dropped XOR-obfuscated files, including EhStoreShell.dll (the backdoor known as BeardShell) and an image, SplashScreen.png, whose pixel data concealed executable shellcode.
- BeardShell checked for sandboxes and analysis environments, among other things by delaying execution and inspecting the running processes.
- It then parsed the PNG with its own decoder (handling the chunk headers, zlib decompression and interlacing) rather than a system image library, and launched a fileless .NET loader that locates what it needs by walking the Process Environment Block (PEB) in memory, a standard way for shellcode to work without an import table.
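The PNG-carrier step above is the one part of the chain an analyst can reproduce offline. The following Python script is an added example, not code from the report or from the malware: it builds a constructed PNG whose pixel bytes carry a single-byte-XOR-encoded payload, then does what a hunting tool would do with a suspect image: walks the chunk list and checks CRCs, flags non-standard chunks and any bytes after IEND, inflates the IDAT data and strips the per-scanline filter bytes, and brute-forces the XOR key against known-plaintext markers. The marker bytes, the carrier layout and the key are assumptions; the report does not disclose how BeardShell's PNG decoder or XOR scheme actually work, and real samples may use Adam7 interlacing or non-zero scanline filters, which this script refuses to decode rather than mis-decodes.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"pHYs",
                   b"gAMA", b"sRGB", b"cHRM", b"bKGD", b"tIME", b"tRNS", b"sBIT", b"iCCP"}
# Known-plaintext markers tried after each candidate key. Assumption: the report does not
# give the real shellcode's leading bytes, so these are a generic PE header and x64 prologue.
MARKERS = (b"MZ", b"\xfc\x48\x83\xe4")

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_carrier_png(payload: bytes, key: int, width: int = 32) -> bytes:
    """Constructed sample: an 8-bit greyscale PNG whose pixel bytes are payload XOR key."""
    enc = bytes(b ^ key for b in payload)
    height = -(-len(enc) // width)
    pixels = enc.ljust(width * height, b"\x00")
    # Every scanline starts with a filter-type byte; 0 means the bytes are stored as-is.
    raw = b"".join(b"\x00" + pixels[r * width:(r + 1) * width] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def parse_png(data: bytes):
    """Walk the chunk list and verify CRCs. Returns (ihdr, idat, trailing, issues)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    ihdr, idat, trailing, issues, pos = None, b"", b"", [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            issues.append(f"truncated chunk {ctype!r}")
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            issues.append(f"bad CRC on {ctype!r}")
        if ctype == b"IHDR":
            w, h, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", body)
            ihdr = {"width": w, "height": h, "depth": depth, "colour": colour, "interlace": interlace}
        elif ctype == b"IDAT":
            idat += body
        elif ctype not in STANDARD_CHUNKS:
            issues.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        pos = end
        if ctype == b"IEND":
            trailing = data[pos:]  # decoders stop at IEND, so anything after it is free storage
            break
    if ihdr is None:
        raise ValueError("no IHDR chunk")
    return ihdr, idat, trailing, issues

def pixel_bytes(ihdr: dict, idat: bytes) -> bytes:
    """Inflate IDAT and strip the filter byte from each scanline (unfiltered, non-interlaced only)."""
    if ihdr["interlace"] != 0:
        raise NotImplementedError("Adam7 interlaced image: de-interlace before scanning")
    if ihdr["depth"] not in (8, 16):
        raise NotImplementedError("sub-byte bit depths are not handled here")
    channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}[ihdr["colour"]]
    stride = ihdr["width"] * channels * ihdr["depth"] // 8
    raw = zlib.decompress(idat)
    out = bytearray()
    for r in range(ihdr["height"]):
        line = raw[r * (stride + 1):(r + 1) * (stride + 1)]
        if line[0] != 0:
            raise NotImplementedError(f"scanline {r} uses filter {line[0]}; unfilter before scanning")
        out += line[1:]
    return bytes(out)

def find_xor_payload(pixels: bytes, markers=MARKERS):
    """Try every single-byte key; return (key, offset, decoded_from_offset) on the first marker hit."""
    for key in range(256):
        dec = bytes(b ^ key for b in pixels)
        for m in markers:
            off = dec.find(m)
            if off != -1:
                return key, off, dec[off:]
    return None

def scan_png(data: bytes) -> dict:
    """Parse, inflate and key-search one PNG; issues is the human-readable finding list."""
    ihdr, idat, trailing, issues = parse_png(data)
    hit = find_xor_payload(pixel_bytes(ihdr, idat))
    if trailing:
        issues.append(f"{len(trailing)} bytes after IEND")
    if hit:
        issues.append(f"single-byte XOR key 0x{hit[0]:02x} reveals a marker at pixel offset {hit[1]}")
    return {"ihdr": ihdr, "trailing": trailing, "hit": hit, "issues": issues}

if __name__ == "__main__":
    # Constructed carrier: a fake PE stub, key 0x5A, plus junk appended after IEND.
    sample = build_carrier_png(b"MZ\x90\x00" + b"fake-pe-body-for-demo-only", key=0x5A)
    for finding in scan_png(sample + b"junk-after-iend")["issues"]:
        print(finding)
```

To use it on a suspect image, call scan_png(open(path, "rb").read()). A hit with key 0x00 only means the marker is present in the clear; a hit with any other key on an image that still renders normally is the pattern worth a closer look, because legitimate images carry no structured plaintext under a constant XOR.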
The next stage of the infection was a Covenant Grunt-style implant. Its command channel was encrypted with RSA and AES, and the filen.io cloud storage service served as the command-and-control server. Tasks arrived as encrypted files, were processed entirely in memory, and could run PowerShell scripts or .NET assemblies without leaving traces on disk.
Microsoft Outlook also under attack
A separate component called NotDoor was deployed in parallel and targeted Microsoft Outlook. SimpleLoader modified registry settings to disable Outlook's macro protection and dropped a VbaProject.OTM file (the container for Outlook's VBA macros) in the %APPDATA%\Microsoft\Outlook directory.
The macros fired when Outlook started or when new mail arrived, forwarded the contents of the Inbox, Drafts, Junk Email and RSS Feeds folders to attacker-controlled addresses, and then cleaned up their own traces.
To keep a foothold on the system, APT28 hijacked a COM CLSID loaded by the explorer.exe process and created a short-lived scheduled task named “OneDriveHealth”. Once established, it ran reconnaissance commands such as systeminfo and arp and injected code into the svchost.exe process.
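The Outlook and persistence artifacts in the preceding paragraphs translate directly into host-based hunting rules. The following Python is an added example, not code from CERT-UA or from the article: it defines four rules (Outlook macro-security downgrade, VbaProject.OTM written by something other than Outlook, an InprocServer32 registration under the user hive, and the OneDriveHealth task) and runs them over constructed Sysmon-style events. The assumptions are labelled in the code: the article says only that "macro protection" registry settings were changed, so the rule checks the Outlook Security values Level and LoadMacroProviderOnBoot; the CLSID, SID, file paths and process names in the sample events are placeholders, since the page does not name the hijacked CLSID or the loader's host process.

```python
import re

# Assumption: the article says only that macro protection was disabled in the registry.
# Level and LoadMacroProviderOnBoot are the Outlook\Security values that govern that and
# are used here as the concrete check.
RE_OUTLOOK_SECURITY = re.compile(
    r"\\Microsoft\\Office\\\d+\.\d\\Outlook\\Security\\(Level|LoadMacroProviderOnBoot)$", re.I)
# InprocServer32 under the user hive: HKCU\Software\Classes shadows HKLM, so a DLL
# registered here is loaded by explorer.exe in place of the legitimate COM server.
RE_USER_HIVE_CLSID = re.compile(
    r"^HK(CU|U\\S-[\d-]+)\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\InprocServer32(\\\(Default\))?$", re.I)
RE_VBAPROJECT_OTM = re.compile(r"\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject\.OTM$", re.I)

def rule_outlook_macro_downgrade(e: dict) -> bool:
    return e.get("type") == "reg_set" and bool(RE_OUTLOOK_SECURITY.search(e.get("key", "")))

def rule_otm_written_by_non_outlook(e: dict) -> bool:
    # Outlook itself rewrites VbaProject.OTM when a user edits macros; any other writer is suspect.
    return (e.get("type") == "file_create"
            and bool(RE_VBAPROJECT_OTM.search(e.get("path", "")))
            and not e.get("image", "").lower().endswith("\\outlook.exe"))

def rule_user_hive_com_hijack(e: dict) -> bool:
    return e.get("type") == "reg_set" and bool(RE_USER_HIVE_CLSID.search(e.get("key", "")))

def rule_onedrivehealth_task(e: dict) -> bool:
    return e.get("type") == "task_create" and e.get("name", "").lower() == "onedrivehealth"

RULES = {
    "outlook_macro_downgrade": rule_outlook_macro_downgrade,
    "otm_written_by_non_outlook": rule_otm_written_by_non_outlook,
    "user_hive_com_hijack": rule_user_hive_com_hijack,
    "onedrivehealth_task": rule_onedrivehealth_task,
}

def triage(events) -> list:
    """Return (rule_name, event_id) pairs for every event some rule matches."""
    return [(name, e["id"]) for e in events for name, rule in RULES.items() if rule(e)]

# Constructed sample telemetry in a Sysmon-like shape. The SID, the CLSID, the loader
# process (stage.exe) and the hijack DLL path are placeholders, not values from the report.
STAGE = r"C:\Users\u\AppData\Local\Temp\stage.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"id": 1, "type": "reg_set", "image": STAGE,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level", "value": "1"},
    {"id": 2, "type": "reg_set", "image": STAGE,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\LoadMacroProviderOnBoot", "value": "1"},
    {"id": 3, "type": "file_create", "image": STAGE,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"id": 4, "type": "file_create", "image": OUTLOOK,  # benign: the user edited a macro
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"id": 5, "type": "reg_set", "image": STAGE,
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "value": r"C:\Users\u\AppData\Local\Temp\hijack.dll"},
    {"id": 6, "type": "task_create", "image": r"C:\Windows\System32\schtasks.exe", "name": "OneDriveHealth"},
    {"id": 7, "type": "reg_set", "image": OUTLOOK,  # benign: an ordinary Outlook preference
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Preferences\NewmailDesktopAlerts", "value": "1"},
    {"id": 8, "type": "task_create", "image": r"C:\Windows\System32\svchost.exe",
     "name": "MicrosoftEdgeUpdateTaskMachineCore"},
]

if __name__ == "__main__":
    for name, event_id in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {name}")
```

The OTM rule deliberately keys on the writing process rather than the file alone, since Outlook legitimately rewrites VbaProject.OTM; the CLSID rule fires on any user-hive InprocServer32 write because legitimate software rarely registers per-user COM servers under a GUID that explorer.exe loads, and the few that do are quick to whitelist. The task rule matches only the name the report gives; on real telemetry, extend it with the task's action path.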
What did the hackers manage to do?
According to CERT-UA, 29 phishing emails were recorded between January 28 and 30, 2026, sent from compromised accounts in Romania, Bolivia and Ukraine.
The lure themes imitated reports of arms smuggling, military invitations, NATO consultations and flood warnings. Some emails carried bilingual documents bearing official seals, which increased the recipients' trust.
CERT-UA attributes the campaign to the UAC-0001 cluster, pointing to similarities in the PNG decoder code and to the use of cloud infrastructure for command and control.
Cybersecurity experts recommend patching Microsoft Office immediately, blocking macros by policy, checking systems for indicators of compromise, and keeping antivirus signatures current so that malicious documents are detected.