
APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks

Medium
Malware
Published: Tue Feb 03 2026 (02/03/2026, 09:12:00 UTC)
Source: The Hacker News

Description

The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit. Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three

AI-Powered Analysis

Last updated: 02/04/2026, 09:35:06 UTC

Technical Analysis

The threat actor APT28 (aka UAC-0001), known for state-sponsored espionage, has been observed exploiting a recently disclosed Microsoft Office vulnerability identified as CVE-2026-21509. This vulnerability is a security feature bypass that allows an attacker to craft malicious Office files (specifically RTF documents) that, when opened, trigger the execution of malicious code without requiring macros or other user-enabled features. The exploitation was first observed shortly after public disclosure, indicating rapid weaponization. The attack campaign, named Operation Neusploit, targets users primarily in Ukraine, Slovakia, and Romania, leveraging social engineering lures in English and localized languages to increase success rates.

The attackers employ server-side evasion by only delivering malicious payloads to requests originating from targeted geographies and with specific User-Agent headers, reducing detection risk. The attack chain involves two main droppers: one delivers MiniDoor, a C++ DLL designed to steal emails from multiple folders and exfiltrate them to hardcoded threat actor email addresses; the other delivers PixyNetLoader, a more complex loader that uses COM object hijacking for persistence and extracts shellcode hidden via steganography inside a PNG image. This shellcode loads a .NET assembly implant (Grunt) associated with the Covenant C2 framework, enabling remote control and further payload deployment. The malware remains dormant if executed in analysis environments or if launched by processes other than explorer.exe, demonstrating anti-analysis techniques.

The campaign shares similarities with a previous APT28 campaign (Operation Phantom Net Voxel) but replaces VBA macros with DLL-based payloads, indicating evolution in tactics. CERT-UA reports confirm targeting of Ukrainian government email addresses, highlighting the espionage focus. The attack chain also involves WebDAV protocol usage to download additional malicious components, further complicating detection and mitigation.

Potential Impact

For European organizations, especially governmental and critical infrastructure entities in Ukraine, Slovakia, and Romania, this threat poses significant risks to confidentiality and operational security. The email-stealing MiniDoor DLL compromises sensitive communications, potentially exposing classified or strategic information. The deployment of the Covenant Grunt implant enables persistent remote access, allowing attackers to conduct prolonged espionage, lateral movement, and data exfiltration. The use of advanced evasion techniques and steganography complicates detection and incident response efforts. Organizations relying heavily on Microsoft Office are at risk of compromise through seemingly benign document interactions, increasing the attack surface. The targeting of central executive authorities in Ukraine suggests a focus on political and military intelligence, which could have broader geopolitical implications. The stealthy nature of the malware and its persistence mechanisms could lead to long-term undetected intrusions, undermining trust in IT systems and potentially disrupting critical services. Additionally, the attack vector via Office documents means that supply chain partners and contractors using Office products in these countries may also be at risk, amplifying the threat's reach.

Mitigation Recommendations

Organizations should immediately apply any available Microsoft patches addressing CVE-2026-21509 to eliminate the vulnerability. In the absence of patches, implement strict Office macro and active content restrictions, and disable RTF file preview in email clients to reduce exposure.

Deploy advanced email filtering solutions capable of detecting and quarantining suspicious RTF documents, especially those originating from or targeting the affected countries. Implement network-level geofencing and User-Agent filtering to detect and block anomalous connections consistent with the attacker's evasion techniques. Employ endpoint detection and response (EDR) tools with capabilities to identify COM hijacking, DLL proxying, and steganography-based payloads. Conduct user awareness training focused on recognizing spear-phishing attempts in localized languages and the risks of opening unsolicited Office documents.

Monitor network traffic for WebDAV protocol usage anomalies and unusual outbound SMTP traffic that could indicate data exfiltration. Establish robust incident response plans that include forensic analysis of Office document metadata and behavioral indicators associated with MiniDoor and PixyNetLoader. Finally, collaborate with national CERTs and threat intelligence providers to stay updated on emerging indicators of compromise related to this campaign.
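The WebDAV monitoring recommendation above can be turned into a concrete triage check. The following script is an added example, not code from the article, Zscaler, or CERT-UA: it parses a constructed proxy log (the line format, the internal address ranges and the `.corp.example` DNS suffix are assumptions to adapt to your own proxy) and reports WebDAV-only HTTP methods or requests made by the built-in Windows WebDAV redirector (User-Agent prefix `Microsoft-WebDAV-MiniRedir`) to hosts outside the internal address space. Office fetching a remote component over WebDAV from an arbitrary external IP is exactly the kind of anomaly the analysis describes.

```python
"""Flag outbound WebDAV activity to external hosts in proxy logs.

Hypothetical detection helper added as an example (not code from the article
or the analysed campaign). It assumes a simple space-separated proxy log
format, constructed below; adapt LOG_RE to your proxy's actual format.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# HTTP methods that only WebDAV clients issue.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# User-Agent prefix of the built-in Windows WebDAV redirector, the client used
# when Office or Explorer opens an http://host/ path as a WebDAV share.
WEBDAV_REDIRECTOR_UA = "Microsoft-WebDAV-MiniRedir"

# Assumed internal address space and DNS suffixes; tune for your environment.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: an internal file share, normal browsing, then the Windows
# WebDAV client talking to external IP addresses (the pattern worth triaging).
SAMPLE_LOG = """\
2026-02-03T09:14:02Z 10.20.30.41 jdoe "PROPFIND http://files.corp.example/share/ HTTP/1.1" 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-02-03T09:15:10Z 10.20.30.41 jdoe "GET https://www.example.org/index.html HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/134.0"
2026-02-03T09:16:33Z 10.20.30.41 jdoe "PROPFIND http://203.0.113.55/docs/ HTTP/1.1" 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-02-03T09:16:34Z 10.20.30.41 jdoe "GET http://203.0.113.55/docs/update.dll HTTP/1.1" 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-02-03T09:17:01Z 10.20.30.58 asmith "OPTIONS http://198.51.100.7/ HTTP/1.1" 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal_host(host):
    """True if host lies in an internal network or carries an internal DNS suffix."""
    try:
        addr = ip_address(host)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_webdav(rec):
    """WebDAV-only method, or the Windows WebDAV redirector as the client."""
    return rec["method"] in WEBDAV_METHODS or rec["ua"].startswith(WEBDAV_REDIRECTOR_UA)


def find_external_webdav(log_text):
    """Return parsed records for WebDAV traffic to hosts outside the internal space."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_webdav(rec):
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if not is_internal_host(host):
            rec["host"] = host
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by (source address, destination host) into a triage list."""
    summary = {}
    for h in hits:
        summary.setdefault((h["src"], h["host"]), []).append(h["method"])
    return summary


if __name__ == "__main__":
    for (src, host), methods in summarize(find_external_webdav(SAMPLE_LOG)).items():
        print(f"{src} -> {host}: {', '.join(methods)}")
```

In production the external-host test should be complemented by an allowlist of sanctioned WebDAV services (for example your SharePoint or OneDrive tenant hosts), so that the alert fires on a plain IP address or an unknown domain rather than on routine collaboration traffic; a GET for a `.dll` immediately after a PROPFIND to the same external host is the sequence to prioritise.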

Affected Countries

Ukraine, Slovakia, Romania

Technical Details

Article Source: https://thehackernews.com/2026/02/apt28-uses-microsoft-office-cve-2026.html (fetched 2026-02-04T09:33:13.772Z, 1247 words)

Threat ID: 6983125df9fa50a62f7d2aac

Added to database: 2/4/2026, 9:33:17 AM

Last enriched: 2/4/2026, 9:35:06 AM

Last updated: 2/7/2026, 2:59:29 AM
