APT28, a state-sponsored hacking group with ties to Russia, is actively exploiting a critical zero-day vulnerability in Microsoft Office. This sophisticated campaign, dubbed Operation Neusploit, has targeted organizations in Central and Eastern Europe, with a particular focus on Ukraine, Slovakia, and Romania. The threat actors are leveraging specially crafted Microsoft Rich Text Format (RTF) files to deploy malicious backdoors through a multi-stage infection chain, marking a significant escalation in APT28’s operational capabilities.
Zscaler analysts identified the campaign in January 2026 and attributed it to APT28 due to notable overlaps in their tools, techniques, and procedures with previous known operations. The threat actors were observed actively exploiting the vulnerability in the wild on January 29, 2026, a mere three days after Microsoft released an emergency security update to patch the flaw, indicating the attackers’ swiftness in leveraging newly discovered exploits.
APT28 Exploiting Microsoft Office 0-Day in Operation Neusploit
The attack vector begins with socially engineered emails designed to trick recipients into opening malicious RTF documents. These emails are carefully crafted in both English and the local languages of the targeted regions – Romanian, Slovak, and Ukrainian – to maximize the chances of a successful phishing attempt. Upon opening the weaponized RTF file, the zero-day vulnerability is silently triggered, allowing APT28 to execute arbitrary code on the victim’s system without any visible indication to the user.
This exploitation targets a critical vulnerability, identified as CVE-2026-21509, in the Microsoft Office RTF handler. The vulnerability is rated Critical and allows remote code execution, a capability that poses a substantial risk to affected systems and data. Microsoft issued a patch on January 26, 2026, but the in-the-wild exploitation that followed only days later highlights the window of exposure that exists before a patch is widely deployed.
Infection Mechanism and Persistence Strategy
Operation Neusploit employs two distinct variants of dropper malware, each designed to deliver different payloads to compromised systems. The first variant deploys MiniDoor, a lightweight tool developed in Microsoft Outlook Visual Basic for Applications (VBA). MiniDoor’s primary function is to steal emails by monitoring Outlook login events and systematically harvesting communications from infected mailboxes. These stolen emails are then forwarded to hardcoded email addresses controlled by the attackers.
To ensure continued access, this dropper variant modifies Windows registry settings. These modifications aim to disable Outlook’s built-in security protections and establish a mechanism for automatically loading the malicious macro every time Outlook is launched. This persistence technique allows APT28 to maintain a foothold and continue its espionage activities.
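The article does not name the registry values the dropper changes. The following audit script is an added example, not code from the Zscaler report, and it assumes the dropper uses the standard Outlook values that control exactly the behaviour described above: the per-user macro security level and the flag that loads the Outlook VBA project (VbaProject.OTM) at startup. A hit is a lead for investigation, not a confirmed infection.

```powershell
# Added defender-side audit (not from the original report). Assumption: the
# persistence mechanism relies on Outlook's documented macro-security Level,
# the LoadMacroProviderOnBoot flag, and the VbaProject.OTM macro file.
$findings = @()

# Office 2013 uses 15.0; Office 2016/2019/365 use 16.0.
foreach ($ver in @('15.0', '16.0')) {
    $secKey = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
    $olKey  = "HKCU:\Software\Microsoft\Office\$ver\Outlook"

    # Security\Level = 1 means "enable all macros" with no prompt.
    # Any other value (or an absent value) still prompts or blocks.
    $level = (Get-ItemProperty -Path $secKey -Name Level -ErrorAction SilentlyContinue).Level
    if ($level -eq 1) {
        $findings += "[$ver] Outlook\Security\Level = 1 (all macros enabled, no prompt)"
    }

    # LoadMacroProviderOnBoot = 1 forces the VBA project to load when Outlook starts.
    $boot = (Get-ItemProperty -Path $olKey -Name LoadMacroProviderOnBoot `
             -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
    if ($boot -eq 1) {
        $findings += "[$ver] Outlook\LoadMacroProviderOnBoot = 1 (VBA project loaded at startup)"
    }
}

# Outlook keeps its VBA project in this file; most users never have one at all,
# so its mere presence on a non-developer workstation deserves a look.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $f = Get-Item $otm
    $findings += "VbaProject.OTM present: $($f.Length) bytes, last modified $($f.LastWriteTime)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Outlook macro-persistence indicators found for the current user.'
} else {
    Write-Output 'Outlook macro-persistence indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in the context of each interactive user (the values live under HKCU), or adapt it to iterate loaded user hives when sweeping a fleet.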
The second dropper variant distributes PixyNetLoader. This malware establishes a foothold that enables the deployment of the Covenant Grunt implant, giving the attackers comprehensive command-and-control capabilities over the compromised system. Both dropper variants use server-side evasion: the payload is served only to requests that originate from the targeted geographic regions and carry specific HTTP headers. This selective delivery makes the malware significantly harder for security researchers to obtain and analyze.
The ongoing exploitation of this Microsoft Office 0-day illustrates the evolving tactics of advanced persistent threat groups like APT28. Organizations in Eastern and Central Europe should remain vigilant and ensure that all Microsoft Office installations are promptly updated with the latest security patches. Continued monitoring for unusual email activity and system behavior is crucial in mitigating the risks associated with such sophisticated attacks. APT28's ability to weaponize and deploy an exploit within days of patch availability underscores the importance of proactive security measures and rapid incident response capabilities for organizations worldwide.

