APT28 Exploits CVE-2026-21509 in Operation Neusploit: Stealing Emails with MiniDoor Backdoor

Russia’s infamous APT28 (Fancy Bear/Forest Blizzard) threat group has weaponized a recently patched Microsoft Office vulnerability in just three days, launching a sophisticated espionage campaign dubbed Operation Neusploit targeting government and diplomatic entities across Central and Eastern Europe.

Rapid Weaponization of CVE-2026-21509

Zscaler ThreatLabz researchers discovered that APT28 began exploiting CVE-2026-21509—a critical Microsoft Office memory corruption flaw—within 72 hours of Microsoft’s patch release. The vulnerability allows remote code execution via specially crafted RTF documents, making it ideal for spear-phishing campaigns against high-value targets.

Two Attack Variants: MiniDoor and PixyNetLoader

The campaign deploys two distinct attack chains:

Variant 1: MiniDoor Email Stealer

The first variant installs MiniDoor, a lightweight Outlook VBA-based malware designed specifically for email theft. Key capabilities include:

  • Automatically forwarding all emails from the Inbox, RSS Feeds, Junk, and Drafts folders to attacker-controlled addresses
  • Intercepting new incoming emails in real time via the Application_NewMailEx event
  • Deleting forwarded copies from the Sent folder to avoid detection
  • Modifying the Windows Registry to disable Outlook macro security warnings

Variant 2: PixyNetLoader with Steganography

The second, more sophisticated variant deploys PixyNetLoader, a previously undocumented dropper that uses multiple evasion techniques:

  • COM Object Hijacking – Hijacks the Enhanced Storage Shell Extension (EhStorShell.dll) for persistence via explorer.exe
  • PNG Steganography – Hides malicious shellcode in Least Significant Bits (LSB) of image pixels
  • Sandbox Detection – Checks whether the Sleep() API has been short-circuited by analysis environments
  • Scheduled Task Abuse – Creates a task named “OneDriveHealth” that restarts explorer.exe to trigger the payload

Covenant C2 Framework via Filen API

The final payload is a Grunt implant from the open-source Covenant C2 framework. APT28 configured the implant to use the legitimate Filen cloud storage API as a C2 bridge—a technique previously observed in APT28 campaigns—making detection through network analysis significantly more difficult.

Indicators of Compromise

ThreatLabz has published complete IOCs including:

  • Mutexes: adjgfenkbe, asagdugughi41, dvyubgbqfusdv32
  • File paths: %appdata%\Microsoft\Outlook\VbaProject.OTM
  • Registry keys modifying Outlook security settings
  • XOR encryption keys and decryption logic

Full technical details and extraction tools are available on the ThreatLabz GitHub repository.

Why This Matters

APT28’s rapid weaponization of CVE-2026-21509 within 72 hours of patch release demonstrates that organizations cannot rely on delayed patching strategies. The campaign specifically targets diplomatic and government entities in Central and Eastern Europe—consistent with Russia’s geopolitical objectives—making timely patch deployment and email security monitoring critical for organizations in these regions.

Recommendations:

  • Apply Microsoft’s February 2026 security updates immediately
  • Monitor for suspicious Outlook VBA project modifications
  • Audit registry changes to Outlook security settings
  • Block scheduled task creation by non-admin users where possible
  • Implement network monitoring for Filen API communications from non-standard applications
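A host-side hunt for the MiniDoor and PixyNetLoader indicators described above and for the first three recommendations, added here as an example script rather than code from the ThreatLabz report: it checks the VbaProject.OTM path, the Outlook macro security level in the registry, the OneDriveHealth scheduled task and the listed mutexes. The registry value name "Level" and its meaning are documented Outlook settings that the article itself does not name, so treat that check as an assumption.

```powershell
# Added hunt script, not from the ThreatLabz report. Assumption: Outlook keeps
# its macro security level in the registry value "Level" under
# ...\Office\<version>\Outlook\Security (1 = "enable all macros"), in both the
# user hive and the Policies hive; mutex names and the task name are from the article.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail })
}

# 1. Outlook stores all user macros in one file; MiniDoor lives there, so its
#    presence on a host that does not use Outlook VBA deserves a look.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path -LiteralPath $otm) {
    $f = Get-Item -LiteralPath $otm
    Add-Finding 'VbaProject.OTM present' "$otm, $($f.Length) bytes, written $($f.LastWriteTime)"
}

# 2. Macro security lowered so the VBA project loads without a prompt.
$keys = 'HKCU:\Software\Microsoft\Office\*\Outlook\Security',
        'HKCU:\Software\Policies\Microsoft\Office\*\Outlook\Security'
Get-ItemProperty -Path $keys -Name Level -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -eq 1 } |
    ForEach-Object { Add-Finding 'Outlook macros set to "enable all"' ($_.PSPath -replace '^.*::') }

# 3. The PixyNetLoader persistence task, by the name given in the report.
$task = Get-ScheduledTask -TaskName 'OneDriveHealth' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'Scheduled task "OneDriveHealth" exists' "State=$($task.State); $actions"
}

# 4. Mutexes from the IOC list. OpenExisting throws if the mutex is absent;
#    any other failure (e.g. access denied) still means something holds it.
foreach ($name in 'adjgfenkbe', 'asagdugughi41', 'dvyubgbqfusdv32') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name); $m.Dispose()
        Add-Finding 'Mutex present' $name
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
    } catch {
        Add-Finding 'Mutex present but not openable' "$name ($($_.Exception.GetType().Name))"
    }
}

if ($findings.Count -eq 0) { 'No Operation Neusploit host indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in the context of the user whose Outlook profile you are checking, since the file path and the HKCU keys are per-user.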

Source: Zscaler ThreatLabz