Fancy Bear Exploits Microsoft Zero-Day to Deploy Backdoors and Email Stealers


Fancy Bear has launched a sophisticated campaign exploiting a critical zero-day vulnerability in Microsoft's RTF file parsing to target users across Central and Eastern Europe.

The operation, dubbed “Operation Neusploit,” demonstrates the group’s continued evolution in tradecraft and its strategic focus on regions of geopolitical interest to Russia.

The group embedded malicious code within specially crafted RTF documents, disguised with social-engineering lures written in English, Romanian, Slovak, and Ukrainian.

Microsoft released an emergency patch on January 26, 2026, but active exploitation was detected just three days later on January 29, 2026.

Security researchers at Zscaler ThreatLabz discovered that Fancy Bear weaponized CVE-2026-21509, a vulnerability in Microsoft’s RTF file parsing that allows attackers to execute arbitrary code on victim machines.

The attack demonstrates sophisticated targeting capabilities. The malicious servers delivering payloads respond only to requests from specific geographic regions (primarily Ukraine, Slovakia, and Romania) and check for particular User-Agent strings, ensuring that only intended victims receive the malware.

Microsoft Zero-Day

Operation Neusploit employs two distinct attack chains, each deploying different malicious tools. The first variant delivers MiniDoor, a lightweight backdoor that specifically targets Microsoft Outlook.

Once installed, MiniDoor manipulates Microsoft Outlook security settings to allow automatic macro execution without warnings.

It then monitors email activity, systematically copies messages from folders including Inbox, Drafts, and Junk Email, and forwards them to attacker-controlled addresses without leaving traces in the Sent folder.

The second variant introduces PixyNetLoader, a previously unknown malware dropper. This sophisticated tool uses multiple evasion techniques including hiding malicious code inside innocent-looking PNG image files through steganography.

It achieves persistence by hijacking legitimate Windows COM objects, causing the malware to load automatically whenever Windows Explorer starts.
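The two host-side artifacts described above (an Outlook security setting changed to allow silent macro execution, and a COM object hijacked so Explorer loads the malware) can both be hunted from the registry. The script below is an added defensive example, not code from the Zscaler report or the article; the registry paths, the `Level` value semantics and the user-writable path patterns are my assumptions drawn from documented Windows and Office behaviour, not indicators published for this campaign.

```powershell
# Added hunting script (not from the article). Paths and value names are
# assumptions based on documented Windows/Office internals.

# 1. Per-user COM server overrides. HKCU\Software\Classes is consulted before
#    HKLM, so a user-hive CLSID that shadows a machine-wide InprocServer32
#    entry is the classic COM hijack used for Explorer-launched persistence.
function Find-UserComOverrides {
    $hits = @()
    $userRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return $hits }
    foreach ($key in Get-ChildItem $userRoot -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $inproc = "$userRoot\$clsid\InprocServer32"
        if (-not (Test-Path $inproc)) { continue }
        $userDll = (Get-ItemProperty $inproc -ErrorAction SilentlyContinue).'(default)'
        $machineKey = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\InprocServer32"
        $machineDll = $null
        if (Test-Path $machineKey) {
            $machineDll = (Get-ItemProperty $machineKey -ErrorAction SilentlyContinue).'(default)'
        }
        # Shadowing a machine-wide server, or pointing into a user-writable
        # location, is what an analyst should review first.
        $userWritable = $userDll -match '\\(AppData|Temp|ProgramData|Users\\Public)\\'
        if (($null -ne $machineDll) -or $userWritable) {
            $hits += [pscustomobject]@{
                CLSID      = $clsid
                UserDll    = $userDll
                MachineDll = $machineDll
            }
        }
    }
    return $hits
}

# 2. Outlook macro security. The Level value under Outlook\Security controls
#    macro prompting; a value of 1 means "enable all macros" with no warning.
function Get-OutlookMacroLevel {
    foreach ($ver in '16.0', '15.0', '14.0') {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
        if (-not (Test-Path $key)) { continue }
        $level = (Get-ItemProperty $key -ErrorAction SilentlyContinue).Level
        [pscustomobject]@{ OfficeVersion = $ver; Level = $level; EnableAll = ($level -eq 1) }
    }
}

Find-UserComOverrides | Format-Table -AutoSize
Get-OutlookMacroLevel  | Format-Table -AutoSize
```

Run it in the context of the user whose Explorer and Outlook sessions you are examining, since both artifacts live in that user's HKCU hive; a legitimate per-user COM registration can also appear in the first list, so treat hits as leads for review rather than verdicts.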

The malware includes anti-analysis features that detect sandbox environments used by security researchers.

Both attack chains ultimately aim to establish long-term access to compromised systems. PixyNetLoader loads a Covenant Grunt implant, a command-and-control tool from the open-source Covenant framework.

The attackers abuse the Filen cloud storage API for communications, encoding their traffic to avoid detection by security tools.

Attribution and Implications

Researchers attribute this campaign to Fancy Bear with high confidence based on several factors: the targeting of Eastern European countries matches the group's historical patterns, the malware shares code similarities with previously identified Fancy Bear tools, and the techniques employed, including COM hijacking and steganography, align with the group's known tactics.

Fancy Bear, also known as APT28, operates as part of Russia's GRU military intelligence agency.

Active since 2007, the group specializes in espionage targeting government institutions, defense organizations, media outlets, and political entities across NATO countries and regions of Russian strategic interest.

Organizations in targeted regions should immediately apply Microsoft’s patch, implement enhanced email security controls, and monitor for indicators of compromise associated with this campaign.
