CERT Warns of Active CVE-2026-21509 Exploitation as APT28 Deploys COVENANT via Malicious Microsoft Office Documents

On January 26, 2026, Microsoft disclosed a critical vulnerability in Microsoft Office products, assigned identifier CVE-2026-21509, and noted evidence of active exploitation in the wild.

Subsequent monitoring confirmed the rapid weaponization of this vulnerability and its use in targeted phishing campaigns against government institutions in Ukraine and EU member states. Malicious documents exploiting CVE-2026-21509 were observed within 24–72 hours of public disclosure.

The attacks result in the deployment of the COVENANT command-and-control framework and rely on COM hijacking, scheduled task persistence, and abuse of legitimate Filen cloud storage infrastructure for command-and-control communications.


Timeline of Observed Activity

  • 2026-01-26 – Microsoft publishes advisory for CVE-2026-21509 and confirms active exploitation.
  • 2026-01-27 07:43:00 (UTC) – Malicious document Consultation_Topics_Ukraine (Final).doc created (per metadata).
  • 2026-01-29 – Public availability of Consultation_Topics_Ukraine (Final).doc containing CVE-2026-21509 exploit.
  • 2026-01-29 – Distribution of phishing emails purporting to come from the Ukrhydrometeorological Center, with the attachment BULLETEN_H.doc, to more than 60 recipients.
  • 2026-01-30 – Additional exploit documents detected targeting EU organizations; at least one malicious domain registered the same day it was used.

Attack Vector

The primary infection vector is spear-phishing emails containing malicious Microsoft Word documents exploiting CVE-2026-21509.

When a victim opens the document in Microsoft Office:

  1. The document initiates a connection to an external server via WebDAV.
  2. A shortcut file (LNK) is downloaded.
  3. The LNK executes embedded code that downloads and launches a secondary executable.

Technical Analysis

Post-Exploitation Activity

Successful execution leads to the following actions on the compromised host:

  • Creation of EhStoreShell.dll, masquerading as Enhanced Storage Shell Extension
  • Dropping of SplashScreen.png, containing embedded shellcode
  • Modification of Windows Registry values for CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} to implement COM hijacking
  • Creation of a scheduled task named OneDriveHealth

Persistence and Execution Chain

The OneDriveHealth scheduled task:

  • Terminates and restarts explorer.exe
  • Forces the loading of the hijacked COM object
  • Causes EhStoreShell.dll to be loaded by explorer.exe
  • Executes shellcode embedded in SplashScreen.png
  • Launches the COVENANT framework

Command and Control Infrastructure

The deployed COVENANT implant uses legitimate Filen cloud storage infrastructure for command-and-control communications, specifically:

  • filen.io and multiple filen.net subdomains
  • IP addresses within the 146.0.41.0/24 range

This approach complicates detection due to the use of trusted cloud services.


Attribution

Based on:

  • Tooling (COVENANT)
  • Infrastructure reuse
  • Tactics, techniques, and procedures (TTPs)

The activity is assessed with high confidence to be associated with UAC-0001 (APT28).


Risk Assessment

Given:

  • Public availability of exploit code
  • Rapid weaponization post-disclosure
  • Delayed patching and mitigation in many environments

An increase in exploitation attempts is expected in the near term, particularly against government, diplomatic, and critical infrastructure organizations.


Recommendations

Immediate Actions

  • Apply Microsoft-recommended mitigations for CVE-2026-21509 without delay.
  • Implement required Windows Registry hardening measures as outlined in Microsoft’s advisory.
  • Block or restrict WebDAV-based external connections where not operationally required.

Network-Level Measures

  • Block or monitor connections to Filen cloud infrastructure listed in the IOC section.
  • Apply enhanced monitoring for outbound SMB/WebDAV traffic.

Detection and Response

  • Hunt for indicators listed below.
  • Monitor for creation or execution of the OneDriveHealth scheduled task.
  • Inspect registry changes related to the specified CLSID.

Organizations integrated with national cyber incident response systems or operating under electronic communications service providers connected to the State Cyber Protection Center of the State Special Communications Service receive automated protective measures.


Indicators of Compromise (IOCs)


Host-Based Artifacts

%PROGRAMDATA%\Microsoft OneDrive\setup\Cache\SplashScreen.png
%PROGRAMDATA%\USOPublic\Data\User\EhStoreShell.dll
%TMP%\Diagnostics\office.xml

HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32\(Default)
HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32\ThreadingModel

schtasks /delete /f /tn OneDriveHealth
schtasks.exe /Create /tn "OneDriveHealth" /XML "%TMP%\Diagnostics\office.xml"
start explorer >nul 2>&1
taskkill /f /IM explorer.exe >nul 2>&1
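The host-based artifacts above can be checked on an endpoint with a short read-only hunt script. This is an added example, not code from the CERT advisory; it assumes a Windows host with the ScheduledTasks module, an elevated session so that all loaded user hives are visible, default per-user temp locations, and that HKCU\Software\Classes is backed by the <SID>_Classes hive (UsrClass.dat).

```powershell
# Added hunt script, not part of the CERT advisory. Read-only: it reports the
# host-based artifacts of this campaign on the local Windows host and removes
# nothing. Run elevated so every loaded user hive and task is visible.

$clsid    = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'
$findings = @()

# 1. COM hijack: a per-user InProcServer32 for this CLSID. HKCU\Software\Classes
#    is backed by the <SID>_Classes hive (UsrClass.dat), so both views are checked
#    (assumption: a logged-on user may therefore be reported under two paths).
foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
    $base = if ($hive.Name -like '*_Classes') { "$($hive.Name)\CLSID" } else { "$($hive.Name)\Software\Classes\CLSID" }
    $key  = "Registry::$base\$clsid\InProcServer32"
    if (Test-Path -LiteralPath $key) {
        $p = Get-ItemProperty -LiteralPath $key
        $findings += [pscustomobject]@{ Artifact = 'Registry'
            Detail = "$key -> $($p.'(default)') [ThreadingModel=$($p.ThreadingModel)]" }
    }
}

# 2. Persistence: the OneDriveHealth scheduled task and what it executes.
$task = Get-ScheduledTask -TaskName 'OneDriveHealth' -ErrorAction SilentlyContinue
if ($task) {
    $acts = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Artifact = 'ScheduledTask'
        Detail = "$($task.TaskPath)$($task.TaskName): $acts" }
}

# 3. Dropped files. %TMP% is per user, so the task XML is looked for in every
#    profile's temp directory (assumes the default TMP location under AppData).
$paths = @("$env:ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png",
           "$env:ProgramData\USOPublic\Data\User\EhStoreShell.dll")
$paths += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory |
          ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp\Diagnostics\office.xml' }
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) {
        $sha = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Artifact = 'File'; Detail = "$f (SHA256 $sha)" }
    }
}

if ($findings.Count -eq 0) { 'No OneDriveHealth/EhStoreShell artifacts found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Any hit on the registry check or the scheduled task warrants full triage of the host rather than artifact removal alone, since the COVENANT implant may already be running inside explorer.exe.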