APT28 exploits Microsoft Office flaw in Operation Neusploit
Russia-linked APT28 launched targeted attacks exploiting the Microsoft Office vulnerability CVE-2026-21509, deploying the MiniDoor and PixyNetLoader malware through weaponized RTF files and localized lures, mainly against Central and Eastern Europe. 2026-2-3 12:13:17 Author: securityaffairs.com (view original) Reads: 7


Pierluigi Paganini February 03, 2026

Russia-linked APT28 is behind Operation Neusploit, exploiting a newly disclosed Microsoft Office vulnerability in targeted attacks.

Russia-linked group APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) is behind Operation Neusploit, a campaign that exploits a newly disclosed Microsoft Office vulnerability.

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US presidential election.

The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

In January 2026, Zscaler ThreatLabz uncovered the Operation Neusploit campaign targeting Central and Eastern Europe. The threat actors exploited CVE-2026-21509, using weaponized RTF files and localized lures to deploy the MiniDoor, PixyNetLoader, and Covenant Grunt implants.

On January 26, 2026, Microsoft released out-of-band security updates to address an actively exploited Office zero-day vulnerability tracked as CVE-2026-21509. Zscaler reported in-the-wild exploitation on January 29, 2026.

The issue is a security feature bypass vulnerability that affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise.

“Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.” reads the advisory that confirms that the issue is actively exploited in the wild. “An attacker must send a user a malicious Office file and convince them to open it.”

The update addresses a flaw that bypasses OLE security protections in Microsoft 365 and Office, exposing users to vulnerable COM/OLE controls.

Microsoft confirmed that the Office Preview Pane is not affected and cannot be used as an attack vector. However, the tech giant did not disclose technical details about the attacks exploiting this vulnerability.
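The advisory says only that the victim has to open a malicious Office file and that OLE security protections are bypassed, and the Neusploit lures are RTF documents. The first thing an analyst does with such an RTF is carve out the embedded OLE objects, which RTF stores as hex inside \objdata groups preceded by an OLE1 header (object class name, then the native data). The script below is an added example, not code from the page, Zscaler or Microsoft, and not a reproduction of the exploit: it re-implements that carving step (the same idea as oletools' rtfobj) over a constructed sample RTF, skips the junk control words that obfuscated samples insert into the hex, and reports each object's class, payload magic and whether the document requests \objupdate. The watch-list of object classes and the sample document are assumptions; the page does not say which object class the Neusploit RTFs embed.

```python
"""Triage of embedded OLE objects in an RTF file (added example, not from the page)."""
import json
import re
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file (OLE2) header

# Assumption: a short watch-list of object classes worth a second look.
SUSPICIOUS_CLASSES = {"package", "ole2link", "equation.3", "equation.2"}

# A control word (\name, optional numeric parameter, optional space) or a
# control symbol (\x). Obfuscated samples sprinkle these inside the hex and
# Word ignores them, so the carver must too.
_CONTROL = re.compile(r"\\[a-zA-Z]+-?\d* ?|\\.")
_OBJDATA = re.compile(r"\\objdata")


def _hex_after_objdata(rtf: str, start: int) -> str:
    """Collect hex digits after \\objdata up to the brace that closes the group.
    Brace depth is tracked so a nested group does not end the scan early."""
    out, depth, i, n = [], 0, start, len(rtf)
    while i < n:
        c = rtf[i]
        if c == "{":
            depth += 1
        elif c == "}":
            if depth == 0:
                break
            depth -= 1
        elif c == "\\":
            m = _CONTROL.match(rtf, i)
            i += len(m.group(0)) if m else 1
            continue
        elif c in "0123456789abcdefABCDEF":
            out.append(c)
        i += 1
    return "".join(out)


def parse_ole1(blob: bytes) -> dict:
    """Parse an OLE1 embedded-object header (MS-OLEDS): OLEVersion, FormatID,
    three length-prefixed ANSI strings (class, topic, item), NativeDataSize, NativeData."""
    off = 0

    def u32() -> int:
        nonlocal off
        if off + 4 > len(blob):
            raise ValueError("truncated OLE1 header")
        v = struct.unpack_from("<I", blob, off)[0]
        off += 4
        return v

    version, format_id, names = u32(), u32(), []
    for _ in range(3):
        ln = u32()
        if ln > len(blob) - off:
            raise ValueError("string length exceeds object")
        names.append(blob[off:off + ln].split(b"\0", 1)[0].decode("latin-1"))
        off += ln
    size = u32()
    return {"version": version, "format_id": format_id, "class_name": names[0],
            "topic": names[1], "item": names[2], "declared_size": size,
            "data": blob[off:off + size]}


def triage_rtf(rtf: str) -> dict:
    """Every embedded object with the reasons (if any) it looks hostile, plus
    whether the document asks Word to auto-update objects on open."""
    objects = []
    for m in _OBJDATA.finditer(rtf):
        hexdata = _hex_after_objdata(rtf, m.end())
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1])   # drop a dangling nibble
        try:
            obj = parse_ole1(blob)
        except ValueError as err:
            objects.append({"offset": m.start(), "error": str(err), "raw_len": len(blob)})
            continue
        data, reasons = obj["data"], []
        if obj["class_name"].lower() in SUSPICIOUS_CLASSES:
            reasons.append(f"class {obj['class_name']}")
        if data.startswith(OLE2_MAGIC):
            reasons.append("OLE2 compound file payload")
        if data.startswith(b"MZ"):
            reasons.append("PE payload")
        if len(data) != obj["declared_size"]:
            reasons.append("payload shorter than declared size")
        objects.append({"offset": m.start(), "class_name": obj["class_name"],
                        "format_id": obj["format_id"], "data_len": len(data),
                        "magic": data[:4].hex(), "reasons": reasons})
    return {"objects": objects, "objupdate": "\\objupdate" in rtf}


def build_sample_rtf() -> str:
    """Constructed test input, not a real sample: an RTF embedding an OLE1 object of
    class 'Package' whose native data starts with the OLE2 magic, with the hex split
    across lines and a junk control word mixed in."""
    def lpstr(s: bytes) -> bytes:
        if not s:
            return struct.pack("<I", 0)
        return struct.pack("<I", len(s) + 1) + s + b"\0"

    native = OLE2_MAGIC + b"\0" * 24
    ole1 = (struct.pack("<II", 0x00000501, 2) + lpstr(b"Package") + lpstr(b"")
            + lpstr(b"") + struct.pack("<I", len(native)) + native)
    hexdata = ole1.hex()
    body = "\\junk \n".join(hexdata[i:i + 40] for i in range(0, len(hexdata), 40))
    return ("{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Package}"
            "{\\*\\objdata " + body + "}}\\par}")


if __name__ == "__main__":
    print(json.dumps(triage_rtf(build_sample_rtf()), indent=2))
```

Against a real file, call triage_rtf(open(path, encoding="latin-1").read()); any object whose payload begins with the OLE2 or MZ magic, whose class is on the watch-list, or which sits in a document that also carries \objupdate is a candidate for detonation rather than for a closer look on the analyst's workstation.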

“In January 2026, ThreatLabz identified APT28 weaponizing CVE-2026-21509 to target users in Central and Eastern Europe, including Ukraine, Slovakia, and Romania.” reads the report published by Zscaler. “Social engineering lures were crafted in both English and localized languages, (Romanian, Slovak and Ukrainian) to target the users in the respective countries.”

The researchers detailed two attack chains in Operation Neusploit, both starting with a weaponized RTF exploiting CVE‑2026‑21509. One path drops MiniDoor, a malicious Outlook VBA project that lowers macro security and quietly forwards victims’ emails to attacker-controlled addresses.

“MiniDoor’s primary goal is to steal the user’s emails and forward them to the threat actor.” reads the report.

The second, more complex chain deploys PixyNetLoader, which establishes persistence via COM hijacking and scheduled tasks, then loads a fake EhStorShell.dll in place of the legitimate Windows library of that name.

“Similar to the first dropper variant, after successful exploitation of CVE-2026-21509, the attack chain downloads a tool that ThreatLabz named PixyNetLoader, which drops malicious components on the endpoint and sets up the Windows environment to start the infection chain.” states the report.

This DLL extracts shellcode hidden in a PNG image (steganography), performs sandbox-evasion checks, and runs a .NET Covenant Grunt implant in memory that abuses legitimate APIs for command-and-control.
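The two persistence mechanisms described above leave registry writes that an EDR or Sysmon records: PixyNetLoader's COM hijack registers a per-user InprocServer32 that points at its fake EhStorShell.dll, and MiniDoor has to lower Outlook's macro security before its VBA project will load. The script below is an added example, not code from the page or from Zscaler, that runs those two checks over constructed Sysmon Event ID 13 (RegistryEvent SetValue) records. The Outlook value names (Level and LoadMacroProviderOnBoot) are an assumption drawn from Outlook's own macro settings, the CLSID in the sample is a placeholder, and the events themselves are constructed; the page names none of these.

```python
"""Hunting Neusploit persistence artifacts in Sysmon EID 13 records (added example)."""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Per-user CLSID registration. Sysmon renders HKCU\Software\Classes either as
# HKU\<SID>_Classes or as HKU\<SID>\Software\Classes; accept both.
COM_INPROC = re.compile(
    r"^HKU\\[^\\]+?(?:_Classes|\\Software\\Classes)\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\\\(Default\)$", re.I)
# Assumption: Outlook's macro setting (Level, 1 = enable all macros) and the
# switch that makes Outlook load its VBA project (VbaProject.OTM) at startup.
OUTLOOK_SEC = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Security\\"
    r"(Level|LoadMacroProviderOnBoot)$", re.I)
DWORD = re.compile(r"^DWORD \((0x[0-9A-Fa-f]+)\)$")   # Sysmon's rendering of a REG_DWORD


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dword(details: str):
    m = DWORD.match(details.strip())
    return int(m.group(1), 16) if m else None


def check_event(ev: dict) -> list:
    """Reasons this SetValue event is suspicious; an empty list means clean."""
    reasons = []
    target, details = ev["TargetObject"], ev["Details"]

    m = COM_INPROC.match(target)
    if m:
        dll = details.strip().strip('"').lower()
        if not dll.startswith(SYSTEM_DIRS):
            reasons.append(f"per-user COM hijack: {m.group(1)} -> {dll}")
            if _basename(dll) == "ehstorshell.dll":
                reasons.append("EhStorShell.dll outside System32 (DLL proxy)")

    m = OUTLOOK_SEC.search(target)
    if m:
        name, val = m.group(1).lower(), _dword(details)
        if name == "level" and val == 1:
            reasons.append("Outlook macro security lowered to 'enable all macros'")
        if name == "loadmacroprovideronboot" and val == 1:
            reasons.append("Outlook told to load its VBA project at startup")

    # An Office process writing any of these keys is the exploitation case itself.
    if reasons and _basename(ev.get("Image", "")) in OFFICE_IMAGES:
        reasons.append(f"written by Office process {_basename(ev['Image'])}")
    return reasons


def hunt(events) -> list:
    """(UtcTime, Image, reasons) for every event that trips a rule."""
    hits = []
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            hits.append((ev["UtcTime"], ev.get("Image", ""), reasons))
    return hits


# Constructed sample events, not real telemetry. The CLSID is a placeholder;
# the page does not say which class PixyNetLoader hijacks.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"UtcTime": "2026-01-27 09:14:02",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetObject": f"HKU\\{SAMPLE_SID}_Classes\\CLSID\\{{00000000-0000-0000-0000-000000000000}}\\InprocServer32\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\EhStorShell.dll"},
    {"UtcTime": "2026-01-27 09:14:03", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": f"HKU\\{SAMPLE_SID}_Classes\\CLSID\\{{11111111-1111-1111-1111-111111111111}}\\InprocServer32\\(Default)",
     "Details": "C:\\Windows\\System32\\shell32.dll"},
    {"UtcTime": "2026-01-27 09:15:10", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe",
     "TargetObject": f"HKU\\{SAMPLE_SID}\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level",
     "Details": "DWORD (0x00000001)"},
    {"UtcTime": "2026-01-27 09:15:10", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe",
     "TargetObject": f"HKU\\{SAMPLE_SID}\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\LoadMacroProviderOnBoot",
     "Details": "DWORD (0x00000001)"},
    {"UtcTime": "2026-01-28 11:02:44",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetObject": f"HKU\\{SAMPLE_SID}\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level",
     "Details": "DWORD (0x00000003)"},
]

if __name__ == "__main__":
    for when, image, reasons in hunt(SAMPLE_EVENTS):
        print(when, image, "->", "; ".join(reasons))
```

The benign per-user registration that points into System32 and the user who merely changes the Outlook macro setting to a stricter value are left alone, so the rules can run continuously rather than only during an incident. Scheduled-task persistence is better caught from the Task Scheduler operational log (event 106, task registered) than from registry writes and is not modelled here.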

ThreatLabz links the campaign to Russia‑aligned APT28 with high confidence. The targets match APT28’s past focus on Central and Eastern Europe, using Romanian, Ukrainian, and English lures. The tools include MiniDoor, a simplified NotDoor variant tied to APT28, while the infrastructure reuses Filen API C2 seen in earlier APT28 operations. The PixyNetLoader chain also mirrors prior campaigns, combining COM hijacking, DLL proxying, XOR‑encrypted strings, and PNG‑embedded Covenant Grunt shellcode.

“This campaign by the Russia-linked group APT28 targeted countries in Central Europe and Eastern Europe with specially crafted RTF files that exploit CVE-2026-21509, resulting in the deployment of MiniDoor and PixyNetLoader.” concludes the report. “ThreatLabz research highlights that APT28 continues to evolve its TTPs by weaponizing the latest vulnerabilities in popular and widely used applications such as Microsoft Office.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT28)




Source: https://securityaffairs.com/187581/apt/apt28-exploits-microsoft-office-flaw-in-operation-neusploit.html