Ukraine’s CERT-UA has reported active exploitation of CVE‑2026‑21509, a zero‑day vulnerability in Microsoft Office that was patched in an emergency out‑of‑band update on January 26, 2026.
Attack Details
- Threat actor: APT28 (Fancy Bear / Sofacy), linked to Russia’s GRU.
- Initial lure: Malicious DOC files themed around EU COREPER consultations and impersonating the Ukrainian Hydrometeorological Center.
- Targets: Over 60 government-related addresses in Ukraine, plus EU-based organizations.
- Timing: Malicious documents created one day after Microsoft’s patch release.
Exploit Chain
- Victim opens malicious DOC file.
- Exploitation triggers WebDAV-based download chain.
- Components deployed:
- Malicious DLL (EhStoreShell.dll) via COM hijacking.
- Shellcode hidden in SplashScreen.png image.
- Scheduled task (OneDriveHealth) to restart
explorer.exe.
- Payload: COVENANT malware framework, previously linked to APT28.
- Uses Filen.io cloud storage for command‑and‑control (C2).
Campaign Expansion
- CERT-UA observed three additional malicious documents used against EU organizations.
- Domains supporting the attacks were registered same day, showing rapid infrastructure setup.
Defensive Guidance
- Patch immediately: Apply the latest Office updates (2016, 2019, LTSC 2021, LTSC 2024, Microsoft 365 Apps).
- Restart Office apps: Updates only apply after restart.
- Mitigation option: If patching isn’t possible, use registry-based mitigations.
- Monitor traffic: Watch for connections to Filen.io or block them.
- Extra protection: Microsoft Defender’s Protected View blocks malicious Office files from the Internet unless explicitly trusted.
Takeaway
APT28 continues to exploit freshly patched Office vulnerabilities with rapid turnaround, combining phishing lures, COM hijacking, and cloud-based C2. This underscores the importance of fast patch deployment and network monitoring for unusual cloud storage traffic.
Leave a Reply