A new wave of attacks exploiting a Microsoft Office vulnerability linked to the Russia‑connected APT28 group continues despite an emergency security patch, employing sophisticated malware techniques and multi-stage exploits targeting Central and Eastern Europe.
Security researchers have linked a fresh wave of Microsoft Office exploits to the Russia‑linked advanced persistent threat group APT28, which security firms say has used specially crafted RTF documents to gain remote code execution on vulnerable systems. According to reporting on the campaign, dubbed Operation Neusploit, victims were concentrated in Central and Eastern Europe, including Ukraine, Slovakia and Romania.
Researchers observed the operation employing social‑engineering lures in multiple languages to increase click‑through rates, and identified a multi‑stage chain that begins when a target opens a weaponised RTF file. Industry posts and vendor briefings noted that the exploitation vector relies on a Microsoft Office flaw that allows attackers to bypass Object Linking and Embedding mitigations.
Microsoft issued an emergency, out‑of‑band security update to address CVE‑2026‑21509 on 26 January 2026, yet multiple sources report exploitation continuing after that date, indicating threat actors retained access or had additional means of compromise even once patches were available. The vulnerability was scored as high severity and has been added to mitigation lists used by national and enterprise responders.
Analysis of the campaign shows the attackers used at least two distinct dropper families to deliver follow‑on tooling. One variant was observed deploying a lightweight Outlook‑focused component that collects and exfiltrates email items, modifying Outlook settings to facilitate automatic macro execution and avoid leaving copies in the Sent folder. Security writeups describe this as a streamlined evolution of earlier APT28 mail‑stealing implants.
A second, more elaborate dropper establishes persistence and loads a shellcode‑staging DLL via COM‑interface hijacking and a scheduled task. The loader employs anti‑analysis checks and hides a payload inside an image using least‑significant‑bit steganography before hosting a .NET implant in memory, techniques that complicate detection and forensic recovery.
The final stage observed in analysed samples is a Covenant Grunt implant that uses cloud storage APIs as a covert command‑and‑control bridge, with strings and configuration obfuscated to frustrate simple detection. Several vendors and incident responders noted behavioural overlaps with prior APT28 campaigns, including reuse of C2 patterns and targeting consistent with the group’s historical victimology.
Authorities and vendors urge immediate installation of Microsoft’s January 2026 update for affected Office builds and recommend defensive actions while organisations deploy fixes: block or sandbox RTFs from untrusted origins, monitor for changes to Outlook macro and content‑download registry keys, watch for unusual scheduled tasks or COM registration changes, and inspect outbound connections to cloud service APIs for anomalous traffic. National guidance emphasises prompt remediation and, where patching is delayed, use of Microsoft’s documented registry mitigations to reduce exposure.
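The checks recommended above (Outlook macro settings, per-user COM registrations, suspicious scheduled tasks) can be collected into a single host audit. The PowerShell below is an added example, not code from the article or from any vendor advisory; the registry paths, value names and path filters it uses are assumptions drawn from general Office and Windows documentation, not indicators from this campaign, and the Office version path (16.0) should be adjusted for the installed build.

```powershell
# Added example: audit one Windows host for the three artefacts the guidance names.
# Paths, value names and filters are assumptions, not campaign indicators.
$findings = @()

# 1. Outlook macro posture (assumed keys for Office 16.0). Security\Level below 3
#    loosens macro prompting; LoadMacroProviderOnBoot=1 loads the VBA project at start.
$outlookKey = 'HKCU:\Software\Microsoft\Office\16.0\Outlook'
$sec = Get-ItemProperty -Path "$outlookKey\Security" -ErrorAction SilentlyContinue
if ($sec -and $null -ne $sec.Level -and $sec.Level -lt 3) {
    $findings += "Outlook Security\Level=$($sec.Level) (macro prompting relaxed)"
}
$main = Get-ItemProperty -Path $outlookKey -ErrorAction SilentlyContinue
if ($main -and $main.LoadMacroProviderOnBoot -eq 1) {
    $findings += 'LoadMacroProviderOnBoot=1 (VBA project loaded at Outlook start)'
}

# 2. COM hijacking: HKCU\Software\Classes is consulted before HKLM, so a per-user
#    CLSID whose InprocServer32 points outside system directories can shadow a
#    legitimate COM server. Expand %SystemRoot%-style values before filtering.
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $clsidRoot) {
    Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        $dll = $srv.'(default)'
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if ($dll -notmatch '^[A-Z]:\\(Windows|Program Files)') {
                $findings += "HKCU CLSID $($_.PSChildName) InprocServer32 -> $dll"
            }
        }
    }
}

# 3. Scheduled tasks whose executable lives in a user-writable location.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        $exe = $a.Execute
        if ($exe) {
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ($exe -match 'AppData|\\Temp\\|ProgramData|\\Users\\Public') {
                $findings += "Task '$($_.TaskPath)$($_.TaskName)' runs $exe $($a.Arguments)"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Each hit is a lead for triage rather than a verdict: legitimate software also registers per-user COM servers and tasks under ProgramData, so compare results against a known-good baseline from the same image.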
Source: Fuse Wire Services