The Russia-linked advanced persistent threat group APT28 has been observed actively exploiting a zero-day vulnerability in Microsoft Office to deliver malware through a sophisticated multi-stage attack campaign.
Security researchers from Zscaler ThreatLabz identified this new operation, dubbed Operation Neusploit, targeting users across Central and Eastern Europe with weaponized RTF documents.
The campaign specifically targeted Ukraine, Slovakia, and Romania using social engineering lures written in English, Romanian, Slovak, and Ukrainian to increase effectiveness.
Microsoft released an emergency out-of-band security update on January 26, 2026, but researchers observed active exploitation continuing on January 29, 2026, indicating threat actors maintained access even after patch availability.
In January 2026, ThreatLabz detected APT28 leveraging specially crafted Microsoft RTF files to exploit CVE-2026-21509, a critical remote code execution vulnerability.
The attack chain begins when victims open malicious RTF documents, triggering CVE-2026-21509 exploitation.
Upon successful compromise, the malware downloads a dropper DLL from attacker infrastructure. ThreatLabz identified two distinct dropper variants deploying different payloads, demonstrating the campaign’s versatility.
MiniDoor Email Stealer Deployed
The first dropper variant deploys MiniDoor, a malicious Microsoft Outlook Visual Basic for Applications project designed to steal emails.
MiniDoor is a lightweight 64-bit DLL written in C++ that implements malicious functionality through the exported function UIClassRegister.
The dropper uses XOR encryption to decrypt embedded strings and the VBA project stored in its .rdata section.
After decryption, the dropper writes MiniDoor to %appdata%\Microsoft\Outlook\VbaProject.OTM and modifies Windows registry keys to downgrade Outlook security settings.
These registry modifications enable all macros in Outlook, turn off content download warnings, and ensure the malicious macro provider loads automatically.
ThreatLabz analysis reveals MiniDoor functions as a simplified version of NotDoor, previously attributed to APT28 by Lab52 researchers in September 2025.
MiniDoor monitors the MAPILogonComplete event and systematically searches Inbox, RssFeeds, Junk, and Drafts folders for existing emails.
The malware forwards discovered messages to two hardcoded attacker-controlled email addresses.
To maintain stealth, MiniDoor sets the DeleteAfterSubmit property to prevent copies from appearing in the Sent folder.
The second dropper variant implements a more complex infection chain through PixyNetLoader, a previously undocumented tool that establishes persistence and deploys additional components.
PixyNetLoader decrypts embedded payloads using a 71-byte rolling XOR key and drops three files: SplashScreen.png, EhStoreShell.dll, and office.xml.
The malware achieves persistence through COM object hijacking by modifying registry keys associated with the legitimate Enhanced Storage Shell Extension DLL.
PixyNetLoader creates a Windows scheduled task named OneDriveHealth that executes one minute after registration.
This task terminates and restarts explorer.exe, triggering the malicious EhStoreShell.dll to load through the hijacked COM interface.
The DLL implements anti-analysis techniques including host process verification and sleep timing checks to detect sandbox environments.
If these checks pass, EhStoreShell.dll extracts shellcode hidden within SplashScreen.png using steganography techniques.
The steganography implementation stores encoded data in the least significant bits of PNG pixel bytes.
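As an added example (not code from the ThreatLabz report or from the malware), the following Python walks a PNG the way an analyst would when recovering LSB-hidden bytes from a carrier like SplashScreen.png: it inflates the IDAT stream, strips the per-scanline filter byte, and reads one bit from the low bit of each RGB sample. The PNG builder, the 4-byte length prefix and the MSB-first bit order are constructed assumptions, since the report does not give the sample's exact layout.

```python
import struct
import zlib

def _chunk(tag: bytes, body: bytes) -> bytes:  # length | tag | body | CRC(tag+body)
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))

def make_png(width: int, height: int, pixels: bytes) -> bytes:
    """Minimal 8-bit RGB PNG, filter type 0 on every scanline (constructed cover image)."""
    raw = b"".join(b"\x00" + pixels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))

def png_pixel_bytes(png: bytes) -> bytes:
    """Inflate the IDAT stream and return the RGB sample bytes, filter bytes stripped."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos, idat, width = 8, b"", 0
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, _height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("this example handles 8-bit RGB images only")
        elif tag == b"IDAT":
            idat += body  # IDAT may be split across several chunks
        pos += 12 + length  # 4 length + 4 tag + body + 4 crc
    raw, stride, out = zlib.decompress(idat), width * 3 + 1, bytearray()
    for row in range(0, len(raw), stride):
        if raw[row] != 0:
            raise ValueError("filtered scanline: reverse the PNG filter before reading LSBs")
        out += raw[row + 1:row + stride]
    return bytes(out)

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length prefix plus payload into successive LSBs, MSB first."""
    bits = "".join(f"{b:08b}" for b in struct.pack(">I", len(payload)) + payload)
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    cover = bytearray(pixels)
    for i, bit in enumerate(bits):
        cover[i] = (cover[i] & 0xFE) | int(bit)
    return bytes(cover)

def extract_lsb(pixels: bytes) -> bytes:
    """Read the 32-bit length prefix, then that many payload bytes, from successive LSBs."""
    bits = "".join(str(b & 1) for b in pixels)
    length = int(bits[:32], 2)
    return bytes(int(bits[32 + i:40 + i], 2) for i in range(0, length * 8, 8))
```

Real carriers usually use filter types 1 to 4, so a production extractor must reverse the PNG filter per scanline before reading the low bits; the check above fails loudly instead of silently returning garbage.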
After extraction, EhStoreShell.dll allocates executable memory, copies the shellcode, and transfers execution control. The shellcode employs CLR hosting techniques to load an embedded .NET assembly directly into memory.
Covenant Grunt Implant
The final payload is a Covenant Grunt implant, part of the open-source .NET Covenant command-and-control framework.
This implant uses the Filen API as a C2Bridge to communicate with attacker infrastructure, abusing legitimate cloud storage services to evade network detection.
Strings within the sample are obfuscated using XOR encoding with the key EIZ4EG2K8R followed by Base64 encoding.
ThreatLabz attributes Operation Neusploit to APT28 with high confidence based on multiple factors. The victimology aligns with APT28’s historical targeting of Central and Eastern European countries.
MiniDoor represents a stripped-down variant of NotDoor, previously linked to APT28. The abuse of Filen API for C2 communications matches tactics documented in Operation Phantom Net Voxel, another APT28 campaign reported by Sekoia in September 2025.
The threat actors implemented sophisticated server-side evasion to limit exposure. Attacker-controlled servers deliver malicious DLL payloads only when requests originate from targeted geographic regions and include correct User-Agent HTTP headers.
This geographic filtering prevents researchers outside target regions from easily obtaining samples.
Organizations should immediately apply the Microsoft security update released on January 26, 2026, to address CVE-2026-21509.
Users should exercise caution when opening RTF documents from unknown sources. Security teams should monitor for registry modifications related to Outlook security settings and investigate any unauthorized VBA projects in Microsoft Outlook directories.
Network defenders should scrutinize outbound connections to Filen API infrastructure and monitor for COM hijacking attempts targeting EhStoreShell.dll.
The campaign demonstrates APT28’s continued evolution in tactics, techniques, and procedures by weaponizing CVE-2026-21509 shortly after disclosure and maintaining exploitation even after patch availability.
ThreatLabz continues monitoring Operation Neusploit and collaborating with Microsoft to track this evolving threat.
IOCs
File indicators
Network indicators
| Type | Indicator |
|---|---|
| Malicious domain | freefoodaid[.]com |
| Malicious domain | wellnesscaremed[.]com |
| URL hosting MiniDoor dropper DLL | hxxps://freefoodaid[.]com/documents/2_2.d |
| URL hosting PixyNetLoader | hxxps://freefoodaid[.]com/tables/tables.d |
| URL hosting LNK | hxxps://freefoodaid[.]com/documents/2_2.lNk |