Cybersecurity agencies and private researchers have identified a coordinated espionage campaign leveraging a recently patched vulnerability in Microsoft Office. The activity, attributed to APT28, focuses primarily on government entities. By weaponizing a flaw tracked as CVE-2026-21509, the group has successfully deployed several variants of malware designed for data exfiltration and persistent network access.
The Exploitation of CVE-2026-21509
The vulnerability at the center of these attacks was disclosed by Microsoft in early January 2026, and active exploitation in the wild was observed shortly after the patch was released. The high-severity flaw affects multiple products within the Microsoft Office suite, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog.
APT28, also known by aliases such as Fancy Bear and Forest Blizzard, began distributing malicious documents designed to trigger the exploit upon opening. These documents often mimic official government correspondence to increase the likelihood of victim interaction.
Regional Targeting and Phishing Tactics
According to reports from cybersecurity firms, the attackers utilized localized phishing lures to deceive officials. In Ukraine, the group disguised malicious files as documents from the national hydrometeorological center, targeting more than 60 specific email addresses. Beyond Ukraine, the campaign expanded its reach to EU member states, including Slovakia and Romania, using lures written in both English and local languages.
The attack chains identified by researchers typically involve one of the following methods:
- Direct Malware Installation: The exploit triggers the download of MiniDoor, a refined version of the NotDoor backdoor, specifically built to harvest and exfiltrate sensitive emails.
- Loader-Based Deployment: The exploit initiates PixyNetLoader, which serves as a delivery mechanism for a Covenant implant.
- Red Team Framework Abuse: The use of the open-source Covenant framework allows attackers to utilize legitimate testing tools for unauthorized remote command execution.
Malware Analysis: MiniDoor and Covenant
The technical sophistication of the campaign is evidenced by the deployment of MiniDoor. This backdoor is a streamlined variant of the previously documented NotDoor malware, optimized for stealthy communication with attacker-controlled command-and-control (C2) servers. Its primary objective is the quiet collection of internal communications and strategic data from government networks.
Parallel to the MiniDoor deployment, the use of PixyNetLoader facilitates the execution of the Covenant framework. While Covenant is a tool originally intended for security professionals to conduct red-team exercises, APT28 has repurposed it to maintain a foothold in compromised environments and move laterally through targeted infrastructure.
Conclusion
This latest campaign underscores the persistent threat posed by APT28 as it continues to align its cyber operations with geopolitical objectives in Eastern Europe. As the group remains highly active, security experts emphasize that timely patching of Microsoft Office remains the most effective defense against CVE-2026-21509. Organizations are urged to monitor for indicators of compromise related to MiniDoor and Covenant as the threat landscape continues to evolve.
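The attack chains listed above share one observable step: a document opened in an Office application leads to a download and execution of MiniDoor or PixyNetLoader. The article publishes no indicators of compromise, so the monitoring it recommends has to start from behaviour rather than hashes. The following is an added example, not code from the article or from the researchers it cites, showing a generic detection over constructed process-creation log lines: alert when a Microsoft Office process spawns a child that can run scripts or fetch files. The JSON field names, the constructed events in SAMPLE_LOG, the process lists and the severity keywords are all assumptions chosen for illustration, not a real product's schema or indicators tied to this campaign.

```python
"""
Added example (not from the article): flag Office processes that spawn
script interpreters, LOLBins or download utilities, which is a common
vendor-neutral signal for document-borne exploit chains. Everything below
(log schema, sample events, process lists) is constructed for illustration.
"""
import json
from dataclasses import dataclass

# Assumed: Office applications whose child processes are worth scrutinising.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Assumed: children that can execute code or pull files from the network.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "curl.exe", "msiexec.exe",
}

# Assumed: command-line fragments that raise severity (encoded or
# download-oriented invocations).
HIGH_SEVERITY_MARKERS = ("-enc", "downloadstring", "http://", "https://", "urlcache")

# Constructed sample log: one JSON object per line, loosely modelled on a
# process-creation event. Field names are an assumption, not a real schema.
SAMPLE_LOG = r"""
{"ts":"2026-01-20T09:12:01Z","host":"ws-04","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -nop -w hidden -enc AAAA"}
{"ts":"2026-01-20T09:12:03Z","host":"ws-04","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE /n report.docx"}
{"ts":"2026-01-20T09:13:10Z","host":"ws-07","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE /n attachment.docx"}
{"ts":"2026-01-20T09:13:12Z","host":"ws-07","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\splwow64.exe","cmdline":"splwow64.exe 12288"}
{"ts":"2026-01-20T09:15:44Z","host":"ws-09","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Users\\Public\\stage.dll,Start"}
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    parent: str
    child: str
    cmdline: str
    severity: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _severity(cmdline: str) -> str:
    """'high' when the command line carries an encoded or download marker."""
    lowered = cmdline.lower()
    return "high" if any(m in lowered for m in HIGH_SEVERITY_MARKERS) else "medium"


def office_child_alerts(log_text: str) -> list[Alert]:
    """Parse newline-delimited JSON events and return one Alert per
    Office-parented suspicious child process, in log order."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        parent = _basename(event["parent"])
        child = _basename(event["image"])
        # Office opening another Office app, or a printing helper, is normal;
        # only the script/LOLBin/download children are flagged.
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(event["ts"], event["host"], parent, child,
                                event["cmdline"], _severity(event["cmdline"])))
    return alerts


if __name__ == "__main__":
    for a in office_child_alerts(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.host}: {a.parent} -> {a.child} :: {a.cmdline}")
```

On the constructed sample this yields two alerts (WINWORD.EXE spawning powershell.exe with an encoded command, rated high, and WINWORD.EXE spawning rundll32.exe, rated medium) while the benign Outlook-to-Word and print-helper events pass. In production the same parent/child rule is usually expressed in the EDR or SIEM query language and tuned against the organisation's own baseline, since add-ins and document macros used legitimately can trigger it.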