APT28’s Exploitation of CVE-2026-21509

Operation Neusploit is an APT28-attributed cyber espionage campaign identified in January 2026 by Zscaler ThreatLabz. The operation leverages a zero-day vulnerability in Microsoft Office RTF handling (CVE-2026-21509) to deliver multi-stage malware payloads. Targets are primarily located in Central and Eastern Europe, with localized social engineering lures used to increase success. The campaign demonstrates advanced tradecraft, including steganography, COM hijacking, and abuse of legitimate cloud APIs for command-and-control (C2).

Severity: High

Initial Access & Exploitation

  • The campaign begins with spearphishing emails containing malicious RTF attachments.
  • When opened, these RTF files exploit CVE-2026-21509, a Microsoft Office client-side vulnerability that enables arbitrary code execution.
  • Exploitation triggers a downloader that retrieves a malicious DLL from attacker-controlled infrastructure.
  • The attackers further enhanced success rates by localizing lure documents in Ukrainian, Romanian, and Slovak, aligning with victim geography.

Variant 1: MiniDoor (Email Stealer)

  • Mechanism: Drops a 64-bit DLL that installs a malicious Outlook VBA project called MiniDoor.
  • Goal: To steal and forward user emails to threat actor-controlled addresses (ahmeclaw2002[@]outlook[.]com and ahmeclaw[@]proton[.]me).
  • Persistence: Modifies Windows registry keys to downgrade Outlook security, allowing the macro to load automatically on startup.
  • Evasion: Sets a “Delete After Submit” property to ensure no trace of forwarded emails remains in the “Sent” folder.

Variant 2: PixyNetLoader (Backdoor)

  • Mechanism: Deploys PixyNetLoader, a previously undocumented dropper that facilitates a multi-stage infection.
  • Payload Delivery: Uses steganography to hide malicious shellcode within a PNG image (SplashScreen.png).
  • Final Implant: Executes a Covenant Grunt implant, which uses the Filen API as a command-and-control (C2) bridge to receive tasks from attackers.
  • Evasion Techniques:
    • COM Hijacking: Hijacks the COM registration for EhStoreShell.dll so that the loader is executed whenever explorer.exe starts.
    • Anti-Sandbox: Performs a time-based check on the Sleep() API to detect if it is running in a virtualized analysis environment.

Evasion & Anti-Analysis

Operation Neusploit demonstrates advanced defensive evasion, including:

  • Geofenced payload delivery, where malicious DLLs are served only to targeted regions.
  • Sleep-based sandbox detection to identify analysis environments.
  • DLL proxying and API hashing to obscure malicious behavior.
  • Steganography to conceal shellcode within benign-looking image files.
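The advisory states that PixyNetLoader carries its shellcode inside a PNG (SplashScreen.png) but does not describe the embedding method. The following triage function is an added example written for this page, not code from Zscaler or the advisory, and it does not claim to reproduce the actor's technique. It walks the PNG chunk structure and reports the anomalies a responder would check first on a suspect image: bytes appended after the IEND chunk, chunk types outside the PNG specification, and unusually large text chunks. It does not decode pixel data, so pixel-level (LSB-style) embedding is out of scope; a clean result only means the file is not a trivial carrier. The search paths at the bottom are an assumption about where dropped images are likely to land.

```powershell
# Added triage helper (not from the advisory). Flags PNG structure anomalies that are
# consistent with data being stored outside the image's pixel stream.
function Test-PngCarrier {
    param([Parameter(Mandatory)][string]$Path)

    $Bytes = [System.IO.File]::ReadAllBytes($Path)
    # Every PNG starts with the same 8-byte signature.
    if ($Bytes.Length -lt 8 -or
        [BitConverter]::ToString([byte[]]$Bytes[0..7]) -ne '89-50-4E-47-0D-0A-1A-0A') {
        return [pscustomobject]@{ Path = $Path; IsPng = $false; Suspicious = $false }
    }

    # Chunk types defined by the PNG specification; anything else deserves a look.
    # Chunk names are case-sensitive, hence the -c operators below.
    $Known = 'IHDR','PLTE','IDAT','IEND','tRNS','cHRM','gAMA','iCCP','sBIT','sRGB',
             'tEXt','zTXt','iTXt','bKGD','hIST','pHYs','sPLT','tIME'
    $Unknown = @(); $TextBytes = 0; $IdatBytes = 0; $Offset = 8; $SawIend = $false

    while (($Offset + 8 -le $Bytes.Length) -and (-not $SawIend)) {
        # Chunk layout: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        $Len  = ([int]$Bytes[$Offset] -shl 24) -bor ([int]$Bytes[$Offset+1] -shl 16) -bor
                ([int]$Bytes[$Offset+2] -shl 8) -bor [int]$Bytes[$Offset+3]
        $Type = [System.Text.Encoding]::ASCII.GetString($Bytes, $Offset + 4, 4)
        if ($Len -lt 0 -or ($Offset + 12 + $Len) -gt $Bytes.Length) { break }   # truncated or bogus length
        switch -Regex -CaseSensitive ($Type) {
            '^IDAT$'             { $IdatBytes += $Len }
            '^(tEXt|zTXt|iTXt)$' { $TextBytes += $Len }
            '^IEND$'             { $SawIend = $true }
        }
        if ($Known -cnotcontains $Type) { $Unknown += $Type }
        $Offset += 12 + $Len
    }

    # Anything after IEND is not part of the image and is the simplest place to hide a blob.
    $Trailing = if ($SawIend) { $Bytes.Length - $Offset } else { -1 }   # -1: IEND never reached

    [pscustomobject]@{
        Path           = $Path
        IsPng          = $true
        IdatBytes      = $IdatBytes
        TextChunkBytes = $TextBytes
        UnknownChunks  = (($Unknown | Select-Object -Unique) -join ',')
        TrailingBytes  = $Trailing
        Suspicious     = ((-not $SawIend) -or ($Trailing -gt 0) -or ($Unknown.Count -gt 0))
    }
}

# Usage: triage PNGs under the user profile (assumed drop location) and surface only anomalies.
Get-ChildItem "$env:LOCALAPPDATA", "$env:APPDATA" -Filter *.png -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-PngCarrier $_.FullName } |
    Where-Object { $_.IsPng -and $_.Suspicious }
```

A large TextChunkBytes value with a small IdatBytes value is also worth a second look even when Suspicious is false, since text chunks are spec-legal containers for arbitrary bytes; the function reports both so the analyst can set their own threshold.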

Attribution

ThreatLabz attributed this campaign to APT28 based on significant overlaps with previous activities, such as Operation Phantom Net Voxel, and the use of NotDoor variants.

Recommendations

  1. Immediately install the January 26, 2026, security updates for all affected Microsoft Office versions, especially Office 2016 and 2019.
  2. Mitigation: For environments unable to patch immediately, apply Microsoft’s registry-based COM compatibility mitigation to block the vulnerable OLE control. This mitigation provides interim protection until updates can be fully applied.
    For instructions on applying the mitigation, refer to https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
  3. Enforce policies to block or restrict Office files from untrusted sources, especially those delivered via email or downloaded from the internet.
  4. Educate users on the risks of opening unexpected or unsolicited Office documents, even if they appear legitimate. Reinforce reporting procedures for suspicious attachments or unusual Office behavior.
  5. Disable Outlook VBA macros by default, especially VbaProject.OTM execution and macro execution at Outlook startup.
  6. Hunt for behaviors associated with:
    • COM hijacking (CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D})
    • Suspicious scheduled tasks (e.g., OneDriveHealth)
    • DLL proxying of legitimate Windows components (e.g., EhStoreShell.dll)
  7. Block the IOCs at their respective controls. The indicator collection is published at:
    https://www.virustotal.com/gui/collection/ed511d287a2bfd32afd5e1a19a2f82d30dba4e38296b431a2f2dc151dc037479/iocs
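The following host-hunting script is an added example for recommendations 5 and 6 above; it is not code from the advisory, Zscaler, or Ampcus Cyber. It checks a single Windows endpoint for the artifacts the advisory names (the COM CLSID, the OneDriveHealth task, stray copies of EhStoreShell.dll, and an Outlook VbaProject.OTM with startup loading enabled). Assumptions: the COM override is looked for under HKCU\Software\Classes, which is the standard per-user hijack location even though the advisory does not state which hive the actor used; the Outlook registry values LoadMacroProviderOnBoot and Security\Level are Microsoft's documented Outlook settings rather than values taken from the advisory; the script runs in the context of the interactive user, with local admin for task enumeration.

```powershell
# Added hunting script (not from the advisory). Windows PowerShell 5.1 or later.
$Findings = New-Object System.Collections.Generic.List[string]

# 1. COM hijacking: a per-user InprocServer32 override for the CLSID named in the advisory.
#    HKCU\Software\Classes is consulted before HKLM, so a planted entry here redirects the
#    COM load to an attacker-chosen DLL (assumed hive; advisory does not specify).
$Clsid   = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'
$UserKey = "HKCU:\Software\Classes\CLSID\$Clsid\InprocServer32"
if (Test-Path $UserKey) {
    $Target = (Get-ItemProperty -Path $UserKey).'(default)'
    $Findings.Add("COM hijack candidate: $UserKey -> $Target")
}

# 2. Scheduled task name reported by the advisory.
$Task = Get-ScheduledTask -TaskName 'OneDriveHealth' -ErrorAction SilentlyContinue
if ($Task) {
    $Actions = ($Task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $Findings.Add("Scheduled task OneDriveHealth present: $Actions")
}

# 3. DLL proxying: a copy of EhStoreShell.dll outside System32/SysWOW64, or one that is not
#    validly signed. A proxy DLL keeps the legitimate name and forwards exports to the real file.
#    The full-drive recursion is thorough but slow; narrow the path on large hosts.
$LegitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'EhStoreShell.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if (($LegitDirs -notcontains $_.DirectoryName) -or ($Sig.Status -ne 'Valid')) {
            $Findings.Add("EhStoreShell.dll at $($_.FullName) (signature: $($Sig.Status))")
        }
    }

# 4. Outlook VBA persistence: the VbaProject.OTM file plus the registry settings that make
#    Outlook load it at startup and suppress macro prompts (documented Outlook values).
$Otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $Otm) { $Findings.Add("Outlook VBA project present: $Otm") }

Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
    ForEach-Object {
        $Ver        = $_.PSChildName
        $OutlookKey = "HKCU:\Software\Microsoft\Office\$Ver\Outlook"
        $Boot  = (Get-ItemProperty $OutlookKey -Name LoadMacroProviderOnBoot -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
        if ($Boot -eq 1) { $Findings.Add("Office ${Ver}: LoadMacroProviderOnBoot=1 (VBA loads at Outlook startup)") }
        # Security\Level: 1 = enable all macros, 2 = prompt for all, 3 = signed only (default), 4 = disable all.
        $Level = (Get-ItemProperty "$OutlookKey\Security" -Name Level -ErrorAction SilentlyContinue).Level
        if ($null -ne $Level -and $Level -lt 3) { $Findings.Add("Office ${Ver}: Outlook macro security Level=$Level (weaker than default)") }
    }

if ($Findings.Count -eq 0) { 'No Operation Neusploit host indicators found.' } else { $Findings }
```

Run it per user, not only as an administrator, because the COM override, the VbaProject.OTM file and the Outlook settings all live under the current user's hive and profile; a clean run under an admin account says nothing about the mailbox owner's session.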

Source:

  • https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit
  • https://blog.polyswarm.io/fancy-bear-leveraging-cve-2026-21509-in-operation-neusploit
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509

Ampcus Cyber