APT28 Exploits Microsoft Office Zero-Day CVE-2026-21509 in “Operation Neusploit” Cyber-Espionage Campaign

In late January 2026, researchers uncovered a sophisticated cyber-espionage campaign exploiting a newly disclosed Microsoft Office vulnerability — tracked as CVE-2026-21509 — in a multi-stage offensive dubbed Operation Neusploit.

The campaign has been attributed with high confidence to the Russia-linked advanced persistent threat group APT28, also known in security circles as Fancy Bear. This group has a long history of targeting governmental, diplomatic, and defense-related organizations across Europe and beyond.

Exploiting a Zero-Day in Microsoft Office

CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office that enables threat actors to bypass core protections in the COM/OLE framework used when parsing document files. Microsoft issued an out-of-band emergency patch for this flaw on January 26, 2026, after reports of active exploitation in the wild.

In Operation Neusploit, APT28 weaponized this vulnerability by embedding malicious exploit code in specially crafted Rich Text Format (RTF) files. These documents were sent to targets via spear-phishing emails and designed to trigger the vulnerability when opened in Microsoft Office.

Geographically Targeted Social Engineering

What sets this campaign apart is the level of localization. Researchers observed that the phishing lures were tailored not only in English but also in Romanian, Slovak, and Ukrainian, indicating a focus on users in Central and Eastern European countries — including Ukraine, Slovakia, and Romania.

In addition to language tailoring, the APT28 infrastructure used server-side evasion techniques, responding with malicious payloads only to requests originating from specific geographic regions and when the client presented a legitimate-looking User-Agent header.

Infection Chain and Malware Payloads

Once the RTF exploit successfully triggered the vulnerability, it connected to the attacker’s infrastructure to download a malicious DLL dropper. There were two distinct variants of this dropper, each deploying different follow-on tools:

1. MiniDoor — Outlook Email Stealer

The first dropper variant installs a component called MiniDoor, a 64-bit DLL implemented in C++. Unlike heavily obfuscated malware, this DLL contains readable code with simple string encryption routines. Its primary purpose is email harvesting through interaction with Microsoft Outlook.

MiniDoor implements its functionality within an exported function (UIClassRegister) and is designed to extract and exfiltrate email content back to the threat actor.

2. PixyNetLoader and Covenant Grunt Implant

The second dropper variant deploys PixyNetLoader, which acts as a loader for a Covenant Grunt implant. Covenant is an open-source post-exploitation framework frequently used by attackers for command-and-control (C2) communications and further payload execution.

Together, these components form a multi-stage execution chain: exploit → dropper → loader → final payload. This modular design helps the attackers evade detection and adapt components independently.
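The chain described above (exploit, then a dropper DLL fetched from attacker infrastructure, then a loader) leaves a behavioural trace that telemetry can correlate: an Office process makes an outbound connection and shortly afterwards loads an unsigned DLL from a user-writable directory. The following detection logic is an added example written for this article, not code from the researchers or from the campaign; the Sysmon-style event records are constructed, and the 120-second look-back window, the Office image names and the user-writable path markers are assumptions to tune for a real environment.

```python
from datetime import datetime, timedelta

# Office host processes whose image loads we care about (assumed list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Path fragments a standard user can write to; a DLL loaded from here by an
# Office process right after an outbound connection is the pattern to surface.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
LOOKBACK = timedelta(seconds=120)  # assumed correlation window

# Constructed telemetry (not from the campaign). One Word process connects out and
# three seconds later loads an unsigned DLL from %TEMP%; the other records are
# benign look-alikes that the rule must not flag.
EVENTS = [
    {"ts": "2026-01-27T09:14:02", "type": "network_connect", "pid": 4120,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "dest": "203.0.113.10:443"},
    {"ts": "2026-01-27T09:14:05", "type": "image_load", "pid": 4120,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll", "signed": False},
    # Benign: Word talks to a service and loads a signed library from Program Files.
    {"ts": "2026-01-27T09:30:00", "type": "network_connect", "pid": 5010,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "dest": "198.51.100.5:443"},
    {"ts": "2026-01-27T09:30:01", "type": "image_load", "pid": 5010,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "loaded": "C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\mso.dll",
     "signed": True},
    # Benign-ish: an unsigned add-in from AppData, but with no preceding connection.
    {"ts": "2026-01-27T10:00:00", "type": "image_load", "pid": 6200,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "loaded": "C:\\Users\\alice\\AppData\\Roaming\\addin\\helper.dll", "signed": False},
]


def _image_name(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _is_user_writable(path):
    """True if the path sits under a directory a standard user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def correlate(events, lookback=LOOKBACK):
    """Pair each suspicious DLL load by an Office process with a recent outbound
    connection from the same process. Returns one alert per matched load."""
    ordered = sorted(events, key=lambda e: e["ts"])
    recent_connects = {}  # pid -> list of (timestamp, destination)
    alerts = []
    for event in ordered:
        if _image_name(event["image"]) not in OFFICE_IMAGES:
            continue
        ts = datetime.fromisoformat(event["ts"])
        if event["type"] == "network_connect":
            recent_connects.setdefault(event["pid"], []).append((ts, event["dest"]))
        elif (event["type"] == "image_load"
              and _is_user_writable(event["loaded"])
              and not event.get("signed", False)):
            for connect_ts, dest in recent_connects.get(event["pid"], []):
                delta = ts - connect_ts
                if timedelta(0) <= delta <= lookback:
                    alerts.append({
                        "pid": event["pid"],
                        "process": _image_name(event["image"]),
                        "connect_dest": dest,
                        "dll": event["loaded"],
                        "seconds_after_connect": int(delta.total_seconds()),
                    })
                    break  # one alert per load is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The rule keys on the DLL load, not the connection: Office processes talk to the network constantly, so the connection alone is noise, but an unsigned image loaded from a user-writable path within seconds of one is worth a look regardless of which vulnerability produced it.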

Tactics, Techniques, and Procedures (TTPs)

APT28’s use of social engineering, regional filters, and custom infrastructure demonstrates an evolution in its TTPs. Notably:

  • Use of localized phishing lures to increase engagement likelihood.
  • Geofencing and User-Agent filtering to avoid detection by non-targeted users and researchers.
  • Modular payload delivery, separating exploit delivery from final capabilities.

These behaviors align with APT28’s historical approach to covert intelligence operations, combining stealth with strategic targeting.

Mitigation and Recommendations

Organizations should prioritize installing the January 2026 out-of-band Microsoft security update to remediate CVE-2026-21509 and prevent exploitation. In addition, enterprises should maintain robust email security practices, such as:

  • Filtering out malicious attachments and RTF exploit payloads.
  • Training users to recognize phishing attempts, especially those crafted in local languages.
  • Employing endpoint detection and response (EDR) solutions capable of disrupting modular post-exploitation chains.
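The RTF delivery described earlier and the attachment-filtering recommendation above both come down to the same gate: recognise an RTF by its content rather than its extension, and look inside it for embedded OLE/COM objects, the feature family the article says CVE-2026-21509 abuses. The triage routine below is an added example written for this article, not the researchers' or any vendor's code; the three attachments are constructed samples, the control-word list is the standard RTF object vocabulary, and the quarantine policy at the end is one reasonable choice, not a recommendation from the original research.

```python
import re

# Constructed samples (not campaign artifacts): a benign RTF, an RTF renamed to
# .doc that embeds an OLE object, and a non-RTF attachment.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} Quarterly summary.\\par }"
OLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 Please review.\\par "
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}"
    b"{\\*\\objdata 0105000002000000}}}"
)
NOT_RTF = b"%PDF-1.7\n%..."

RTF_MAGIC = b"{\\rtf"
# RTF control words that introduce or describe an embedded OLE object.
OLE_CONTROL_WORDS = (
    b"\\object", b"\\objemb", b"\\objautlink", b"\\objupdate", b"\\objclass", b"\\objdata",
)
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")


def is_rtf(data):
    """Identify RTF by its magic bytes; extensions on lure files cannot be trusted."""
    return data.lstrip().startswith(RTF_MAGIC)


def triage_attachment(filename, data):
    """Return a verdict plus the OLE indicators found in one attachment."""
    result = {
        "filename": filename,
        "verdict": "not_rtf",
        "extension_mismatch": False,
        "ole_control_words": {},
        "object_classes": [],
    }
    if not is_rtf(data):
        return result
    # An RTF body behind a .doc/.docx name is itself a signal.
    result["extension_mismatch"] = not filename.lower().endswith(".rtf")
    counts = {cw.decode(): data.count(cw) for cw in OLE_CONTROL_WORDS if data.count(cw)}
    result["ole_control_words"] = counts
    result["object_classes"] = [m.decode() for m in OBJCLASS_RE.findall(data)]
    result["verdict"] = "rtf_with_ole_object" if counts else "rtf_no_ole_object"
    return result


def should_quarantine(result):
    """Assumed policy: hold any RTF carrying an OLE object or hiding behind
    another extension; let plain RTF and non-RTF attachments pass this check."""
    return result["verdict"] == "rtf_with_ole_object" or result["extension_mismatch"]


if __name__ == "__main__":
    for name, blob in (("quarterly.rtf", BENIGN_RTF), ("report.doc", OLE_RTF), ("invoice.pdf", NOT_RTF)):
        verdict = triage_attachment(name, blob)
        print(name, verdict["verdict"], "quarantine" if should_quarantine(verdict) else "pass")
```

Gateway filters that key on the `.rtf` extension alone miss the renamed case, and ones that block every RTF break legitimate workflows; checking the magic bytes and then the object control words gives a narrower rule that still catches the delivery vehicle this campaign used.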

In summary, Operation Neusploit underscores the dynamic nature of modern cyber threats, where skilled threat actors such as APT28 rapidly turn emerging vulnerabilities into operational campaigns. The combination of localized social engineering, targeted exploitation of Microsoft Office, and sophisticated multi-stage malware delivery highlights the importance of timely patching and layered defenses against nation-state adversaries.