Russian Hackers Weaponize Microsoft Office Zero-Day Just Days After Patch Release

Ukraine’s Computer Emergency Response Team (CERT-UA) has confirmed that Russian state-aligned hackers are actively exploiting CVE-2026-21509, a recently patched Microsoft Office zero-day vulnerability, in targeted cyber-espionage attacks.

The flaw was addressed by Microsoft in an out-of-band emergency security update on January 26, after being flagged as actively exploited in the wild.

Within three days of the patch, CERT-UA observed malicious Office documents abusing the vulnerability in attacks targeting Ukrainian and EU government entities.

Who Is Behind the Attacks

CERT-UA attributes the campaign to APT28, also known as Fancy Bear or Sofacy, a long-running cyber-espionage group linked to Russia’s military intelligence (GRU).

APT28 is known for rapidly operationalizing zero-day vulnerabilities to support geopolitical and intelligence-driven objectives.

How the Attack Works

The campaign relies on weaponized DOC files delivered via phishing emails. Observed lures and targeting include:

  • Fake EU COREPER consultation documents
  • Emails impersonating the Ukrainian Hydrometeorological Center
  • Distribution to 60+ government-related email addresses

Once a victim opens the document, the exploit triggers a WebDAV-based infection chain that:

  1. Downloads malicious components from a remote server
  2. Installs malware using COM hijacking
  3. Loads a rogue DLL (EhStoreShell.dll)
  4. Executes shellcode hidden inside an image file (SplashScreen.png)
  5. Establishes persistence via a scheduled task (OneDriveHealth)

The final payload launches COVENANT, a post-exploitation framework previously linked to APT28 operations.

Cloud Infrastructure Used for C2

CERT-UA reports that the attackers use Filen (filen.io) cloud storage as part of their command-and-control (C2) infrastructure.

Defenders are advised to:

  • Monitor for suspicious connections to Filen services
  • Consider blocking Filen traffic in high-risk environments

Campaign Expanding Beyond Ukraine

Further analysis revealed at least three additional malicious documents used against EU-based organizations, indicating a broader regional espionage campaign.

In one case, attacker infrastructure domains were registered on the same day as the attacks, suggesting rapid operational deployment.

Recommended Actions for Organizations

CERT-UA and Microsoft strongly recommend:

  • Immediately applying the latest Microsoft Office updates for:
    • Office 2016
    • Office 2019
    • Office LTSC 2021 & 2024
    • Microsoft 365 Apps
  • Restarting Office applications to ensure patches are applied
  • Enabling Microsoft Defender Protected View
  • Implementing registry-based mitigations if patching is delayed
  • Blocking or monitoring WebDAV traffic where not required
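The infection chain and the Filen/WebDAV monitoring advice above translate directly into a host-level hunt. The following is an added example (not CERT-UA or Microsoft code) that scores constructed, simplified EDR/proxy records against the indicators the report names; the telemetry records, hostnames, paths, the filen.io subdomain and the stage labels are this example's assumptions, and the Windows WebClient user-agent prefix is assumed as the marker for the WebDAV stage since the report gives no user-agent string.

```python
import ntpath
from collections import defaultdict

# Windows WebClient (WebDAV Mini-Redirector) user-agent prefix. Assumed marker for
# the WebDAV fetch stage; the report names WebDAV but gives no user-agent string.
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"

# Constructed sample telemetry (not CERT-UA data): simplified EDR/proxy records.
# Hostnames, paths and the filen.io subdomain are made up for the example.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "net", "dst": "203.0.113.10", "user_agent": "Microsoft-WebDAV-MiniRedir/10.0"},
    {"host": "ws01", "type": "image_load", "image": r"C:\Users\u\AppData\Local\EhStoreShell.dll"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\u\AppData\Local\SplashScreen.png"},
    {"host": "ws01", "type": "sched_task", "task": r"\OneDriveHealth"},
    {"host": "ws01", "type": "net", "dst": "files.filen.io", "user_agent": ""},
    {"host": "ws02", "type": "net", "dst": "onedrive.live.com", "user_agent": ""},  # benign
]

def classify(event):
    """Return the chain stage one record matches, or None. Stage names are this
    example's own labels for the steps in the report, not CERT-UA terminology."""
    kind = event.get("type")
    if kind == "net":
        if event.get("user_agent", "").startswith(WEBDAV_UA_PREFIX):
            return "webdav_fetch"
        dst = event.get("dst", "").lower()
        if dst == "filen.io" or dst.endswith(".filen.io"):
            return "filen_c2"
    elif kind == "image_load" and ntpath.basename(event.get("image", "")).lower() == "ehstoreshell.dll":
        return "rogue_dll"
    elif kind == "file" and ntpath.basename(event.get("path", "")).lower() == "splashscreen.png":
        return "shellcode_carrier"
    elif kind == "sched_task" and ntpath.basename(event.get("task", "")).lower() == "onedrivehealth":
        return "persistence_task"
    return None

def hunt(events):
    """Correlate matched stages per host. Filen is a legitimate service and SplashScreen.png
    a common file name, so one stage is only 'review'; three or more distinct stages is 'high'."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {host: ("high" if len(s) >= 3 else "medium" if len(s) == 2 else "review", sorted(s))
            for host, s in stages.items()}

if __name__ == "__main__":
    for host, (level, found) in hunt(SAMPLE_EVENTS).items():
        print(host, level, ", ".join(found))
```

A lone Filen connection is expected from legitimate users of the service; the correlation step is what separates the reported chain from ordinary cloud-storage traffic.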

Why This Matters

This incident highlights how nation-state threat actors can operationalize zero-day exploits within days, even after patches are released. Organizations delaying updates — especially in government, defense, and critical infrastructure sectors — remain highly exposed.