Russian state-sponsored hackers Fancy Bear (aka APT 28) are exploiting CVE-2026-21509, a Microsoft Office vulnerability for which Microsoft released an emergency fix last week.
The exploitation
CVE-2026-21509 allows unauthorized attackers to bypass a security feature (OLE mitigations in Microsoft 365 and Microsoft Office) locally, by creating and tricking targets into opening booby-trapped Office files.
On January 29, 2026 – three days after Microsoft released the aforementioned fix – Zscaler researchers flagged an email phishing campaign delivering backdoors via weaponized RTF files.
“We observed two variants of the attack chain. Both variants begin with a specially crafted RTF file that weaponizes CVE-2026-21509 and, after successful exploitation, downloads a malicious dropper DLL from the threat actor’s server,” they shared.
“The first dropper variant DLL is responsible for deploying a malicious Microsoft Outlook Visual Basic for Applications (VBA) project named MiniDoor. MiniDoor’s primary goal is to steal the user’s emails and forward them to the threat actor.”
The second dropper variant triggeres a multi-stage infection chain that starts with the (previously undocumented) PixyNetLoader.
PixyNetLoader drops malicious components on the target endpoint and prepares the Windows environment for the download and execution of additional payloads, including a Grunt implant associated with the open source Covenant C2 framework.
The targets
According to Zscaler, the targets of these campaigns were users in Central and Eastern Europe, including Ukraine, Slovakia, and Romania, and the emails were written in the Romanian, Ukrainian, and English language.
The Ukrainian CERT says that one of the booby-trapped files – Consultation_Topics_Ukraine(Final).doc – was created on January 27, just a day after Microsoft’s out-of-band fix was released. The file contains text related to the consultations of the Committee of Permanent Representatives to the EU (COREPER) on the situation in Ukraine.
Another file – BULLETEN_H.doc – was sent to via email to 60+ email addresses, predominantly belonging to the central executive authorities of Ukraine, the CERT noted. The email was purportedly sent by the Ukrainian Hydrometeorological Center.
In the last days of January 2026, three more documents with a similar exploit were discovered. Ukraine’s CERT says that they expect the number of attacks using this particular vulnerability to increase, as attackers are betting on targets being slow (or unable) to patch or mitigate the flaw.
Attack attribution
The targets, the MiniDoor backdoor, the abuse of the Filen (cloud storage) API for C2 communication by the Covenant Grunt samples, and the techniques used in the attacks all point to the involvement of the Russia-linked threat actor APT28, according to Zscaler researchers.
It’s unknown whether the group exploited CVE-2026-21509 before Microsoft devised a fix, but it seems likely, as they’ve been know to leverage other zero-day vulnerabilities throughout the years.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
