Concise Cyber

APT28 Leverages New Microsoft Office Vulnerability to Target European Maritime and Transport Sectors

Russian state-linked threat actor APT28, also known as Fancy Bear or UAC-0001, has launched a highly targeted espionage campaign against European government and critical infrastructure entities. New research from Trellix indicates that the group, which is associated with the Russian GRU, is currently focusing on maritime and transport organizations across several nations, including Poland, Ukraine, Greece, and Turkey.

Exploiting CVE-2026-21509

The campaign’s success hinges on the rapid weaponization of CVE-2026-21509, a security feature bypass vulnerability in Microsoft Office. APT28 reportedly deployed spear-phishing documents exploiting this flaw within 24 hours of its public disclosure. Unlike traditional phishing methods that rely on social engineering to enable macros, this exploit triggers automatically when the document is opened.

The exploit leverages the WebDAV protocol to retrieve external payloads from infrastructure controlled by the attackers. This zero-interaction capability allows for a stealthy initial compromise, effectively bypassing standard security warnings that usually accompany macro-enabled files.
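The WebDAV retrieval described above gives defenders a concrete network signal to hunt for: on Windows, remote WebDAV paths are fetched by the built-in WebDAV Mini-Redirector, which identifies itself in the HTTP User-Agent header as `Microsoft-WebDAV-MiniRedir/<build>`, and in most enterprises that client has no business talking to arbitrary Internet hosts. The script below is an added example written for this page (not code from Trellix or the article's author): it parses constructed proxy-log lines in a simple space-separated format assumed here, and reports WebDAV traffic to hosts that are neither RFC 1918 addresses, `.local` names, nor on an assumed allow-list of sanctioned DAV servers. Hosts, timestamps and the allow-list are all made up.

```python
"""Hunt for outbound WebDAV from the Windows WebDAV client in proxy logs.

Added example for this page. The log format (timestamp, client IP, method,
URL, quoted user agent) and every value below are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
2026-01-29T09:12:03Z 10.20.4.17 GET https://intranet.example.local/index.html "Mozilla/5.0 (Windows NT 10.0) Edge/120"
2026-01-29T09:12:41Z 10.20.4.17 PROPFIND http://203.0.113.45/share/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-29T09:12:42Z 10.20.4.17 GET http://203.0.113.45/share/update.dll "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-29T09:15:10Z 10.20.4.22 PROPFIND http://files.example.local/dav/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-29T09:16:55Z 10.20.4.31 OPTIONS http://198.51.100.9/ "Microsoft-WebDAV-MiniRedir/10.0.22621"
"""

# Assumption: the organisation's sanctioned WebDAV servers.
APPROVED_WEBDAV_HOSTS = {"files.example.local"}
# WebDAV-specific verbs. OPTIONS is deliberately left out because browsers
# also send it (CORS preflight); the user agent check still catches it.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "MOVE", "COPY"}
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Split one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "ua": ua, "host": urlparse(url).hostname or ""}


def is_webdav(req):
    """True if the request came from the Windows WebDAV client or uses a DAV verb."""
    return req["ua"].startswith("Microsoft-WebDAV-MiniRedir") or req["method"] in WEBDAV_METHODS


def is_internal_host(host, approved):
    """Approved names, .local names and RFC 1918 addresses count as internal."""
    if host in approved or host.endswith(".local"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # public hostname
    return any(addr in net for net in RFC1918_NETS)


def find_external_webdav(log_text, approved=APPROVED_WEBDAV_HOSTS):
    """Group WebDAV requests to non-internal hosts by (client, host)."""
    findings = {}
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or not is_webdav(req) or is_internal_host(req["host"], approved):
            continue
        key = (req["client"], req["host"])
        f = findings.setdefault(key, {"client": req["client"], "host": req["host"],
                                      "first_seen": req["ts"], "requests": 0,
                                      "methods": set(), "urls": []})
        f["requests"] += 1
        f["methods"].add(req["method"])
        f["urls"].append(req["url"])
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for f in find_external_webdav(SAMPLE_LOG):
        print(f"{f['first_seen']} {f['client']} -> {f['host']} "
              f"({f['requests']} WebDAV requests, methods={sorted(f['methods'])})")
        for url in f["urls"]:
            print("   ", url)
```

Run against the constructed log, it reports the two workstations reaching external WebDAV servers and skips both the browser traffic and the sanctioned internal DAV share. In a real deployment the same grouping is what an analyst would pivot on: the client that fetched a DLL over WebDAV shortly after a document was opened is the host to triage first.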

A Sophisticated Malware Toolset

Trellix researchers identified a layered infection chain designed to maintain persistence and evade detection. The campaign utilizes a mix of custom implants and legitimate services to blend malicious activity with normal network traffic. Key components of the toolkit include:

  • BeardShell: A custom C++ implant specifically attributed to APT28, used for command execution and data exfiltration.
  • NotDoor: A macro-enabled Outlook VBA backdoor that provides persistent access to email systems.
  • Filen.io Abuse: The attackers use this legitimate cloud storage service for command-and-control (C2) communication, making it difficult for security software to distinguish the traffic from authorized cloud usage.
  • COM Hijacking: A technique used for maintaining a foothold on the infected system while minimizing forensic footprints.
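COM hijacking is the one item in this list a defender can audit offline from a registry export, because the technique relies on a documented lookup order: when a per-user COM registration exists under HKCU\Software\Classes\CLSID, it is resolved ahead of the machine-wide entry under HKLM, so a user-writable DLL registered there gets loaded in place of the legitimate server. The script below is an added example written for this page (not Trellix's tooling or the article's code): it parses a constructed `.reg`-style export of both hives and flags CLSIDs whose HKCU `InprocServer32`/`LocalServer32` either shadows a different HKLM server or points into a user-writable directory. The GUIDs, paths and user name are invented placeholders.

```python
"""Audit a registry export for per-user COM registrations that look like hijacks.

Added example for this page. The export text, CLSIDs and paths are constructed;
the only real facts used are the .reg file syntax and the HKCU-before-HKLM
lookup order for CLSID registrations.
"""
import re

# Constructed export in the format produced by `reg export`. Backslashes are
# doubled in .reg files, hence the raw string.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\update.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\oleaut32.dll"
"""

KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]+\})\\(InprocServer32|LocalServer32)\]$",
    re.IGNORECASE,
)
# Directories an unprivileged user can normally write to (lower-cased substrings).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\", "\\downloads\\")


def parse_com_servers(reg_text):
    """Return {hive: {CLSID: server path}} for InprocServer32/LocalServer32 keys."""
    servers = {"HKEY_LOCAL_MACHINE": {}, "HKEY_CURRENT_USER": {}}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group(1).upper(), m.group(2).upper()) if m else None
            continue
        # The default value (@) of the server key holds the DLL/EXE path.
        if current and line.startswith('@="') and line.endswith('"'):
            path = line[3:-1].replace("\\\\", "\\")
            servers[current[0]][current[1]] = path
    return servers


def find_com_hijacks(reg_text):
    """Flag HKCU COM servers that shadow HKLM or live in user-writable paths."""
    servers = parse_com_servers(reg_text)
    hklm, hkcu = servers["HKEY_LOCAL_MACHINE"], servers["HKEY_CURRENT_USER"]
    findings = []
    for clsid, user_path in sorted(hkcu.items()):
        reasons = []
        machine_path = hklm.get(clsid)
        if machine_path is not None and machine_path.lower() != user_path.lower():
            reasons.append(f"HKCU entry shadows HKLM server {machine_path}")
        if any(marker in user_path.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("server binary lives in a user-writable location")
        if reasons:
            findings.append({"clsid": clsid, "hkcu_server": user_path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_REG_EXPORT):
        print(f["clsid"], "->", f["hkcu_server"])
        for reason in f["reasons"]:
            print("   ", reason)
```

On the constructed export the first CLSID trips both rules (it shadows a System32 server with a DLL under AppData), the second trips only the path rule, and the third is ignored because the per-user entry repeats the machine-wide path. The HKCU-only case matters: a hijack does not need a pre-existing HKLM entry if the loading process asks for a CLSID that is normally unregistered, which is why the path heuristic is kept separate from the shadowing check.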

Tactical Focus and Strategic Targeting

Between January 28 and 30, 2026, the adversary executed a concentrated 72-hour surge of activity. During this window, at least 29 distinct spear-phishing emails were sent to targets across nine Eastern European nations. The distribution of targets highlights a clear strategic intent: approximately 40% of targets were defense ministries, 35% were transportation and logistics operators, and 25% were diplomatic entities.

The campaign notably utilized compromised government accounts from countries such as Romania, Bolivia, and Ukraine to send the malicious emails, increasing the likelihood that recipients would trust the communications. This methodology reflects the advanced resources and persistence typical of Russian military intelligence operations.

Conclusion

The rapid exploitation of CVE-2026-21509 underscores the agility of APT28 in integrating new vulnerabilities into their existing tradecraft. By combining one-day exploits with legitimate cloud services and multi-stage malware, the group continues to pose a significant threat to European maritime and transport security. Organizations are urged to apply out-of-band security updates immediately to mitigate the risk of compromise.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons' work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
