Russia-Linked APT28 Exploits New Microsoft Office Vulnerability in Operation Neusploit
A state-sponsored threat actor tracked as APT28 (designated UAC-0001 by CERT-UA) has been linked to a series of intrusions that exploit a newly disclosed Microsoft Office vulnerability. The campaign, codenamed Operation Neusploit, abuses CVE-2026-21509, a high-severity security feature bypass in the Office suite.
Zscaler ThreatLabz first observed the activity on January 29, 2026, three days after Microsoft publicly acknowledged the bug. The attacks targeted users in Ukraine, Slovakia, and Romania. Exploitation within days of disclosure shows how quickly the group weaponized the flaw, and how little time defenders had to patch.
Operation Neusploit: The Attack Chain and Payload Delivery
CVE-2026-21509 (CVSS 7.8) lets an unauthenticated attacker bypass a security feature in Office by persuading a user to open a specially crafted Office file; the bypass triggers when the file is opened. Zscaler researchers Sudeep Singh and Roy Tay noted that the lure documents were written in English and in the native languages of the targeted countries (Romanian, Slovak, and Ukrainian) to raise the odds that a recipient opens them.
APT28 also gated the payload server-side: the malicious Dynamic Link Library (DLL) was served only to requests that originated from the targeted regions and carried a specific User-Agent header. Requests from anywhere else got nothing, which limits exposure of the payload and means a sandbox or analyst re-fetching the URL from outside the target geography may never see the second stage; the client-side artifacts on the victim and the outbound request in egress logs are the reliable evidence.
MiniDoor Email Stealer
The initial vector is a malicious Rich Text Format (RTF) file that exploits CVE-2026-21509 and delivers one of two dropper variants. The first deploys MiniDoor, a C++ DLL that systematically harvests messages from the victim's Outlook folders, including Inbox, Junk, and Drafts, and forwards them to two hard-coded attacker-controlled addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. Both addresses belong in outbound mail-flow blocklists and are worth hunting for in message-trace logs.
MiniDoor is believed to be a simplified iteration of the NotDoor malware, also known as GONEPOSTAL, which was detailed by S2 Grupo LAB52 in September 2025. This indicates a potential reuse or adaptation of existing tools within APT28’s arsenal.
PixyNetLoader and Covenant Grunt Implant
The second dropper, dubbed PixyNetLoader, starts a more elaborate chain. It embeds additional components and uses COM object hijacking to persist on the compromised host. Among the extracted payloads are a shellcode loader named "EhStoreShell.dll" and a PNG image named "SplashScreen.png."
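The page says PixyNetLoader persists through COM object hijacking but does not name the hijacked CLSID. The hunting logic below is an added example, not Zscaler's or the malware's code: it parses a registry export and flags per-user CLSID server entries, the shape a COM hijack takes, because an InprocServer32 entry under HKCU\Software\Classes\CLSID shadows the machine-wide HKLM entry for the same class and gets loaded by whatever process instantiates it (explorer.exe, for shell extensions). The .reg text, the CLSIDs, the file paths and the trusted-directory allowlist are all constructed assumptions; only the DLL name EhStoreShell.dll comes from the page.

```python
"""Hunt for per-user COM hijacks in a Windows registry export (.reg).

A COM hijack plants an InprocServer32 (or LocalServer32) entry under
HKCU\\Software\\Classes\\CLSID. Per-user entries take precedence over the
machine-wide HKLM entry for the same CLSID, so any process that instantiates
that class (explorer.exe, for shell extensions) loads the attacker's DLL.
The .reg text below is constructed sample input; the CLSIDs are fictional.
"""
import re
from typing import Dict, List

_USER_CLSID_RE = re.compile(
    r"^(?:HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$",
    re.IGNORECASE,
)
_MACHINE_CLSID_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$",
    re.IGNORECASE,
)
# Where legitimately installed COM servers normally live (assumed allowlist).
_TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: data}} for REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # REG_SZ: strip quotes, undo .reg escaping of backslashes and quotes
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def _normalize(path: str) -> str:
    # Strip surrounding quotes and expand the one env var commonly seen in CLSID entries.
    return path.strip('"').lower().replace("%systemroot%", r"c:\windows")


def find_com_hijacks(reg_text: str) -> List[dict]:
    """Return one finding per per-user COM server key, most suspicious first."""
    keys = parse_reg(reg_text)
    machine_servers = {}
    for key, values in keys.items():
        m = _MACHINE_CLSID_RE.match(key)
        if m:
            machine_servers[m.group(1).upper()] = values.get("(Default)", "")

    findings = []
    for key, values in keys.items():
        m = _USER_CLSID_RE.match(key)
        if not m:
            continue
        clsid = m.group(1).upper()
        server = values.get("(Default)", "")
        in_trusted_dir = _normalize(server).startswith(_TRUSTED_DIRS)
        shadows = machine_servers.get(clsid)
        findings.append({
            "clsid": clsid,
            "server_type": m.group(2),
            "server": server,
            "in_trusted_dir": in_trusted_dir,
            "shadows_hklm": shadows,  # legitimate server being displaced, if any
            # A per-user server in a user-writable path that shadows an HKLM entry is
            # the classic hijack shape; a vendor add-in in Program Files is usually benign.
            "verdict": "likely hijack" if (not in_trusted_dir and shadows) else
                       ("suspicious path" if not in_trusted_dir else "review"),
        })
    findings.sort(key=lambda f: f["in_trusted_dir"])
    return findings


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="%SystemRoot%\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Microsoft\\EhStoreShell.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\Vendor\\addin.dll"
"ThreadingModel"="Both"
"""

if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_REG):
        print(f["verdict"], f["clsid"], f["server"], "shadows:", f["shadows_hklm"])
```

On a live host, `reg export HKCU\Software\Classes\CLSID hkcu_clsid.reg` produces the input (the export is UTF-16 with a BOM, so open it with `encoding="utf-16"`); exporting HKLM\SOFTWARE\Classes\CLSID as well lets the script show which legitimate server each per-user entry displaces.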
The shellcode loader's job is to extract and execute shellcode concealed in the PNG through steganography. That logic runs only if the machine does not look like an analysis environment and the process that loaded the DLL is explorer.exe; otherwise the malware stays dormant, which defeats naive sandbox detonation as well as loading the DLL manually from any other process.
The shellcode ultimately loads an embedded .NET assembly identified as a Grunt implant from the open-source .NET Covenant command-and-control (C2) framework. APT28's use of the Grunt Stager was previously documented by Sekoia in September 2025 in a campaign designated Operation Phantom Net Voxel.
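The page says the loader parses shellcode hidden in SplashScreen.png but not how it is embedded. The triage script below is an added example, not Zscaler's tooling or the malware's parser: it walks the PNG chunk structure and reports the two embeddings that are cheapest to check and common in loaders, a non-standard chunk and raw bytes appended after IEND, validates chunk CRCs, and brute-forces a single-byte XOR key against each candidate blob looking for a PE "MZ" header (the page says the loader XOR-encrypts strings; applying the same idea to the payload is my assumption). The PNG it builds is constructed input, not the campaign's file, and pixel-level (LSB) steganography is not detected by this approach.

```python
"""Triage a PNG for a payload hidden outside its pixel data.

Constructed example: build_sample_png() makes a 1x1 image carrying a
XOR(0x5A)-encoded fake PE stub in a private chunk plus junk after IEND.
Pixel-level (LSB) steganography is NOT covered by these checks.
"""
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP",
                   "sBIT", "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs",
                   "sPLT", "tIME", "eXIf"}


def walk_png(data: bytes) -> Tuple[List[dict], bytes]:
    """Return (chunks, trailing): every chunk up to IEND, and any bytes after it."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks: List[dict] = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        chunks.append({
            "type": ctype.decode("latin-1"),
            "offset": pos,
            "length": length,
            "crc_ok": zlib.crc32(ctype + body) == crc,  # CRC covers type + data
            "data": body,
        })
        pos = end
        if chunks[-1]["type"] == "IEND":
            break
    return chunks, data[pos:]


def xor_key_for_mz(blob: bytes) -> Optional[int]:
    """Single-byte XOR key under which blob starts with 'MZ' (0 = plaintext), if any."""
    if len(blob) < 2:
        return None
    for key in range(256):
        if (blob[0] ^ key, blob[1] ^ key) == (0x4D, 0x5A):
            return key
    return None


def find_hidden_payloads(data: bytes) -> List[dict]:
    """Flag non-standard or CRC-broken chunks and trailing bytes after IEND."""
    chunks, trailing = walk_png(data)
    findings = []
    for c in chunks:
        if c["type"] not in STANDARD_CHUNKS or not c["crc_ok"]:
            findings.append({"where": f"chunk {c['type']} @{c['offset']}",
                             "size": c["length"],
                             "crc_ok": c["crc_ok"],
                             "xor_key": xor_key_for_mz(c["data"])})
    if trailing:
        findings.append({"where": f"after IEND @{len(data) - len(trailing)}",
                         "size": len(trailing),
                         "crc_ok": None,
                         "xor_key": xor_key_for_mz(trailing)})
    return findings


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_sample_png() -> bytes:
    """Constructed carrier: valid 1x1 RGB image + private 'pYLD' chunk + trailing junk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter 0 + one red pixel
    fake_pe = b"MZ\x90\x00" + b"fake-pe-header-for-demo"
    hidden = bytes(b ^ 0x5A for b in fake_pe)            # assumed single-byte XOR
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"pYLD", hidden) + _chunk(b"IEND", b"") + b"\x00trailing-junk")


if __name__ == "__main__":
    for f in find_hidden_payloads(build_sample_png()):
        print(f)
```

A real carrier is worth running through this before spending time on the loader: if the payload sits in its own chunk or after IEND, the chunk walker recovers it without reverse engineering, and the recovered key tells you which XOR scheme the loader applies to its strings as well.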
Similarities and Broader Implications
Zscaler noted significant overlaps between the PixyNetLoader infection chain and the techniques observed in Operation Phantom Net Voxel. While the earlier campaign relied on VBA macros, the current activity substitutes a DLL payload but keeps the same evasion and execution methods: COM hijacking for execution, DLL proxying, XOR-encrypted strings, and steganographic embedding of the Covenant Grunt and its shellcode loader in a PNG image.
The findings from Zscaler align with a separate report by the Computer Emergency Response Team of Ukraine (CERT-UA). CERT-UA also warned of APT28’s exploitation of CVE-2026-21509, specifically using Word documents to target over 60 email addresses associated with central executive authorities within Ukraine. Metadata analysis from one of the lure documents indicated it was created on January 27, 2026, further corroborating the timeline of these attacks.
According to CERT-UA, opening such a document in Microsoft Office triggers a network connection to an external resource over the WebDAV protocol and downloads a file with a shortcut file name; that file contains code that downloads and executes a further file, ultimately deploying the Covenant framework's Grunt implant, mirroring the PixyNetLoader chain described by Zscaler. The outbound WebDAV request is the network artifact this chain leaves behind, and it is visible at the egress proxy even when the attacker's server refuses to serve the payload to anyone outside the target geography.
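Because the payload server only answers requests from the targeted regions with the expected User-Agent, re-fetching the URL from a sandbox proves little; the egress log of the victim's own request is the evidence. The detector below is an added example, not CERT-UA's or Zscaler's code, that groups Office-initiated WebDAV traffic to external hosts from a proxy log. It relies on two real Windows defaults: Office probes a remote resource with an OPTIONS request whose User-Agent is "Microsoft Office Protocol Discovery", and the WebClient service that then handles the share sends "Microsoft-WebDAV-MiniRedir/<build>". The CSV column layout, the hosts, the internal-domain allowlist and the severity rule are constructed assumptions; adapt the column names to your proxy's format.

```python
"""Flag Office-initiated WebDAV requests to hosts outside the organisation.

Constructed example. The two User-Agent markers are the real Windows
defaults (the MiniRedir build number varies); the log format, hosts and
internal-domain allowlist are assumptions.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Tuple

WEBDAV_UA_MARKERS = ("Microsoft-WebDAV-MiniRedir", "Microsoft Office Protocol Discovery")
INTERNAL_DOMAINS = (".corp.example",)   # assumed allowlist of internal DNS suffixes


def is_internal_host(host: str) -> bool:
    """Private/loopback/link-local IP literals and allowlisted DNS suffixes are internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_DOMAINS)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def detect_external_webdav(log_text: str) -> List[dict]:
    """Group WebDAV/Office-discovery requests to external hosts by (client, host).

    A GET after OPTIONS/PROPFIND means the client actually pulled a file down
    the WebDAV channel, so those pairs are rated high; discovery alone is medium.
    """
    by_pair: Dict[Tuple[str, str], dict] = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if not any(marker in row["user_agent"] for marker in WEBDAV_UA_MARKERS):
            continue
        if is_internal_host(row["host"]):
            continue
        key = (row["client"], row["host"])
        entry = by_pair.setdefault(key, {
            "client": row["client"], "host": row["host"],
            "first_seen": row["timestamp"], "methods": [], "fetched": []})
        entry["methods"].append(row["method"])
        if row["method"] == "GET":
            entry["fetched"].append(row["path"])
    alerts = []
    for entry in by_pair.values():
        entry["severity"] = "high" if entry["fetched"] else "medium"
        alerts.append(entry)
    return alerts


# Constructed proxy log: one client walks the full OPTIONS -> PROPFIND -> GET
# sequence against an external WebDAV host; another talks only to internal
# file servers; a browser request to an external site is noise.
SAMPLE_LOG = """timestamp,client,method,host,path,user_agent
2026-01-29T09:12:01Z,10.0.0.23,OPTIONS,dav.example.net,/,Microsoft Office Protocol Discovery
2026-01-29T09:12:02Z,10.0.0.23,PROPFIND,dav.example.net,/share/,Microsoft-WebDAV-MiniRedir/10.0.19041
2026-01-29T09:12:03Z,10.0.0.23,GET,dav.example.net,/share/document,Microsoft-WebDAV-MiniRedir/10.0.19041
2026-01-29T09:15:44Z,10.0.0.41,PROPFIND,files.corp.example,/docs/,Microsoft-WebDAV-MiniRedir/10.0.19041
2026-01-29T09:15:50Z,10.0.0.41,GET,10.0.0.5,/docs/policy.docx,Microsoft-WebDAV-MiniRedir/10.0.19041
2026-01-29T09:16:10Z,10.0.0.41,GET,www.example.org,/index.html,Mozilla/5.0 (Windows NT 10.0)
"""

if __name__ == "__main__":
    for alert in detect_external_webdav(SAMPLE_LOG):
        print(alert["severity"], alert["client"], "->", alert["host"],
              alert["methods"], alert["fetched"])
```

Where hosts have no business reaching WebDAV shares on the internet, blocking those User-Agents to external destinations at the proxy, or disabling the WebClient service, removes the channel entirely rather than just alerting on it.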
Looking Ahead
The rapid exploitation of newly disclosed vulnerabilities by groups like APT28 underscores the need for prompt patching of Office and for endpoint monitoring that catches post-exploitation behaviour such as COM hijacking and unexpected DLLs loaded into explorer.exe. The focus on government-related targets in Eastern Europe points to continued strategic objectives behind these operations. Organizations should watch for further activity tied to Operation Neusploit and similar campaigns, since the actor is likely to adapt its tactics. The full extent of compromised systems and exfiltrated data is still under investigation, with further details expected as analysis progresses.