APT28, the Russia-linked advanced persistent threat group, has launched a sophisticated campaign targeting Central and Eastern Europe using a zero-day vulnerability in Microsoft Office.
The threat actors leveraged specially crafted Microsoft Rich Text Format (RTF) files to exploit the vulnerability and deliver malicious backdoors through a multi-stage infection chain.
The campaign, tracked as Operation Neusploit, represents a significant escalation in APT28’s capabilities and demonstrates their continued focus on high-value targets across Ukraine, Slovakia, and Romania.
The attack begins when users receive socially engineered emails containing weaponized RTF documents.
These messages are customized in English and local languages including Romanian, Slovak, and Ukrainian to increase the likelihood of successful infection.
Once victims open these files, the vulnerability is silently triggered, allowing the threat actors to execute arbitrary code on the compromised system without any visible warning to the user.
Zscaler analysts identified this campaign in January 2026 and attributed it to APT28 based on significant overlaps in tools, techniques, and procedures with the group’s known operations.
The researchers observed active exploitation occurring in the wild on January 29, 2026, just three days after Microsoft released an emergency security update to address the vulnerability.
- CVE ID: CVE-2026-21509
- Vulnerability Type: Remote Code Execution
- Affected Component: Microsoft Office RTF Handler
- Severity: Critical
- Patch Date: January 26, 2026
Infection Mechanism and Persistence Strategy
The infection chain involves two distinct dropper variants, each built to deploy a different payload to the compromised system.
The first variant deploys MiniDoor, a lightweight email-stealing tool written in Microsoft Outlook Visual Basic for Applications (VBA).
MiniDoor monitors Outlook startup and login events and systematically harvests emails from the infected mailbox. The malware forwards the stolen messages to hardcoded email addresses controlled by the attackers.
To persist, the dropper modifies Windows registry settings so that Outlook's macro security protections are disabled and the malicious VBA project is loaded automatically each time the application launches.
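The article does not list which registry values the dropper touches, but the public technique for Outlook VBA persistence (MITRE ATT&CK T1137, Office Application Startup) is well documented: set `LoadMacroProviderOnBoot` to 1 under the per-version `Outlook\Security` key so the VBA project is loaded at startup, and set `Level` to 1 to enable all macros without a prompt. The following is an added example, not code from the Zscaler report or from the article, that parses a `reg export` dump and flags that pattern; the sample registry text is constructed, and the function names are the author's own.

```python
"""Flag the Outlook VBA-project persistence pattern in an exported registry hive.

Added example for triage of hosts suspected of MiniDoor-style persistence. It does
not touch the live registry; feed it the text of `reg export HKCU\\Software\\Microsoft\\Office`
(or the HKLM\\Software\\Policies equivalent) taken from the host.
"""
import re

# Constructed sample of a trimmed `reg export` dump (not from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"LoadMacroProviderOnBoot"=dword:00000001
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002
"""

# Matches the per-version Outlook security key under both the user hive and the policy hive.
OUTLOOK_SECURITY = re.compile(r"\\Office\\(\d+\.\d+)\\Outlook\\Security$", re.IGNORECASE)

# Outlook "Level" DWORD meanings (default is 3).
LEVEL_MEANING = {
    1: "enable all macros (no prompt)",
    2: "notifications for all macros",
    3: "notifications for digitally signed macros only (default)",
    4: "all macros disabled without notification",
}


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from REGEDIT5-style text.

    Only dword and plain string values are decoded; other types are kept as raw text.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.lower().startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1]
            else:
                keys[current][name] = raw
    return keys


def find_outlook_macro_persistence(keys):
    """Return [(office_version, description)] for every suspicious Outlook security value."""
    findings = []
    for path, values in keys.items():
        m = OUTLOOK_SECURITY.search(path)
        if not m:
            continue
        version = m.group(1)
        if values.get("LoadMacroProviderOnBoot") == 1:
            findings.append((version, "LoadMacroProviderOnBoot=1: VBA project loaded at Outlook startup"))
        level = values.get("Level")
        if level == 1:
            findings.append((version, "Level=1: " + LEVEL_MEANING[1]))
    return findings


if __name__ == "__main__":
    for version, why in find_outlook_macro_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"Office {version}: {why}")
```

A hit on either value is a lead, not proof: also pull `%APPDATA%\Microsoft\Outlook\VbaProject.OTM` from the host, since that file is where Outlook keeps the VBA project the registry change causes to load, and compare its hash and timestamps against a clean baseline.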
The second dropper variant deploys PixyNetLoader, which establishes a foothold for deploying the Covenant Grunt implant, providing the attackers with command-and-control capabilities.
Both variants rely on server-side gating: the staging server returns a payload only to requests that originate from the targeted geographic regions and carry the expected HTTP headers, and serves nothing otherwise. Because sandboxes and researchers outside those regions, or replaying the request without the right headers, never receive the second stage, this selective delivery makes detection and analysis significantly harder.