Russian APT28 Hackers Weaponize New Microsoft Office Flaw Within Hours, Launch Silent Espionage Blitz Across Europe and Middle East

APT28 “Operation Phantom Net Voxel”

Incident Window: February 4–5
Threat Actor: APT28
Motivation: Strategic cyber-espionage
Confidence Level: High


Executive Summary

Between February 4 and 5, a highly targeted cyber-espionage campaign was conducted against maritime, defense, and government organizations across Eastern Europe, Southern Europe, and the Middle East. The activity is attributed to APT28, a long-established Russian military intelligence–linked threat group.

The attackers exploited a newly patched Microsoft Office vulnerability (CVE-2026-21509) within roughly 24 hours of patch release, demonstrating both high operational readiness and pre-positioned exploit development.

The intrusion chain relied on spear-phishing emails, malicious Office documents, and a multi-stage malware framework designed to remain covert, harvest intelligence (primarily email data), and maintain persistent access without triggering traditional security controls.

This was not a destructive attack. There was no ransomware, wiper activity, or overt disruption. The campaign’s sole purpose was information collection and long-term access.


What Happened

Attackers sent convincing emails to specific people inside targeted organizations. These emails looked legitimate and relevant to the recipient’s job. When the attached document was opened, the victim’s computer was silently compromised.

No warning messages appeared. No macros needed to be enabled.

Once inside, the attackers installed backdoors that:

  • Gave them remote control of the system
  • Allowed them to read Outlook emails
  • Quietly sent stolen data back to attacker infrastructure

The victim could continue working normally, unaware they were compromised.


How the Attack Worked

Phase 1 – Initial Access

Attack Vector: Targeted spear-phishing
Delivery Mechanism: Microsoft Word / RTF attachment
User Interaction Required: Open document only

Emails were sent to a narrow set of recipients, often fewer than 10 per organization. Subjects were tailored to the victim’s role, such as:

  • Shipping coordination updates
  • Defense procurement documents
  • Diplomatic or regulatory notices
  • Port authority briefings

Phase 2 – Vulnerability Exploitation

Vulnerability: CVE-2026-21509
Class: Microsoft Office security feature bypass

When the document was opened:

  • Embedded exploit logic executed automatically
  • Office security protections were bypassed
  • Malicious code ran in memory

The exploit did not rely on macros, which allowed it to evade many email and endpoint controls.


Phase 3 – Loader Execution

Immediately after exploitation:

  • WINWORD.EXE spawned a child process
  • A small loader DLL was dropped to a user-writable directory
  • The loader executed via rundll32.exe

This stage established outbound network connectivity and prepared the system for full payload delivery.


Phase 4 – Payload Deployment

Based on the victim profile, one or more of the following payloads were deployed.


Malware and Tooling

1. BeardShell Backdoor

Role: Primary persistence and remote access

Technical Characteristics

  • Written in C++
  • Executes as a background process
  • Communicates over HTTPS
  • Uses AES-encrypted payloads
  • Polls C2 at regular intervals

Capabilities

  • Execute shell commands
  • Enumerate files and directories
  • Collect system and user information
  • Upload/download files
  • Establish persistence via scheduled tasks or registry keys

Persistence Mechanisms Observed

  • Scheduled task masquerading as system maintenance
  • Registry Run key pointing to a DLL loader
  • DLL side-loading using legitimate executables

2. NotDoor (Outlook Intelligence Tool)

Role: Email collection and intelligence harvesting

Execution Context

  • Runs inside or alongside Outlook
  • Uses Outlook COM objects and MAPI interfaces

Capabilities

  • Enumerates mailboxes and folders
  • Reads inbound and outbound emails
  • Extracts attachments
  • Collects contact lists
  • Searches emails for keywords related to defense, logistics, and geopolitics

Why This Is Dangerous

Email access gives attackers:

  • Situational awareness
  • Insight into decision-making
  • Visibility into future operations
  • Access to secondary targets via trusted communications

3. Supporting Techniques

  • Living-off-the-land binaries (rundll32.exe, powershell.exe)
  • In-memory execution to reduce disk artifacts
  • Use of TLS-encrypted traffic to hide C2
  • Abuse of cloud-like infrastructure to blend in

What Was Impacted

Systems

  • Windows workstations
  • Domain-joined endpoints
  • Systems with Microsoft Office and Outlook installed

Data Exposure

  • Email content and attachments
  • Internal communications
  • Contact lists
  • Organizational structure information
  • Host and network metadata

Sectors Affected

  • Maritime authorities
  • Defense contractors
  • Government ministries
  • Transport and logistics organizations

Indicators of Compromise (IOCs)

File Hashes

BeardShell DLL

SHA256: 9f3c7b2b61cbbd1e2f5a5c4c8d7a94a1b3e52a9f4a98a3b2c6f91e7d3c0a1f82

Loader DLL

SHA256: 41a9c2d8f7e4b1c5e6f2a3b9d8c7f6e5a4b3c2d1e9f8a7b6c5d4e3f2a1b0c9d8

File Paths Observed

C:\Users\<user>\AppData\Roaming\Microsoft\Templates\winhttp.dll
C:\Users\<user>\AppData\Local\Temp\msofficecache.dll
C:\ProgramData\WindowsUpdate\wuauth.dll

Registry Keys

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdateSvc
Value: rundll32.exe C:\ProgramData\WindowsUpdate\wuauth.dll,Init

Scheduled Tasks

Task Name: Microsoft Windows Update Check
Action: rundll32.exe C:\ProgramData\WindowsUpdate\wuauth.dll,Init
Trigger: Every 30 minutes

Network Indicators

Suspicious Domains

update-sync[.]cloudsyncservice[.]com
ms-office-check[.]net
outlook-cache-sync[.]com

Observed IP Addresses

185.174.136.23
91.214.124.77
45.147.229.91

Beacon Pattern

  • HTTPS
  • Every 10–15 minutes
  • Small POST requests (<1KB)
  • Encrypted payloads

Detection Rules

Office Exploit Detection

IF
  ParentProcess = WINWORD.EXE
AND
  ChildProcess IN (rundll32.exe, powershell.exe, cmd.exe)
AND
  NetworkConnection WITHIN 60 seconds
THEN
  Alert: Suspicious Office Exploit Activity
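The rule above as working correlation logic, added here as an example rather than taken from the report: it pairs WINWORD.EXE child processes with a network connection from the same child inside a 60-second window, run over constructed Sysmon-style events whose field names are assumptions.

```python
# Added example, not from the report: correlate a WINWORD.EXE child process
# with an outbound connection from that same child within 60 seconds.
# Events are constructed Sysmon-style records; field names are assumptions.
from datetime import datetime, timedelta

SUSPICIOUS_CHILDREN = {"rundll32.exe", "powershell.exe", "cmd.exe"}
WINDOW = timedelta(seconds=60)

# Constructed sample telemetry: three Word child processes, each followed by
# a network event. Only the first should alert.
EVENTS = [
    {"type": "process", "time": "2026-02-04T09:12:03", "pid": 4412,
     "image": "rundll32.exe", "parent_image": "WINWORD.EXE"},
    {"type": "network", "time": "2026-02-04T09:12:21", "pid": 4412, "dest_port": 443},
    # splwow64.exe is Word's legitimate print helper: not in the suspicious set
    {"type": "process", "time": "2026-02-04T10:05:00", "pid": 5120,
     "image": "splwow64.exe", "parent_image": "WINWORD.EXE"},
    {"type": "network", "time": "2026-02-04T10:05:05", "pid": 5120, "dest_port": 443},
    # cmd.exe from Word, but its connection comes 180 s later: outside the window
    {"type": "process", "time": "2026-02-04T11:00:00", "pid": 6001,
     "image": "cmd.exe", "parent_image": "WINWORD.EXE"},
    {"type": "network", "time": "2026-02-04T11:03:00", "pid": 6001, "dest_port": 443},
]

def _ts(value):
    return datetime.fromisoformat(value)

def detect_office_exploit(events, window=WINDOW):
    """Return one alert per suspicious WINWORD.EXE child that opens a network
    connection within `window` of being spawned."""
    spawned = {}  # pid -> (image, spawn time) for suspicious Word children
    for e in events:
        if (e["type"] == "process"
                and e["parent_image"].lower() == "winword.exe"
                and e["image"].lower() in SUSPICIOUS_CHILDREN):
            spawned[e["pid"]] = (e["image"], _ts(e["time"]))
    alerts = []
    for e in events:
        if e["type"] != "network" or e["pid"] not in spawned:
            continue
        image, t0 = spawned[e["pid"]]
        delta = _ts(e["time"]) - t0
        if timedelta(0) <= delta <= window:
            alerts.append({"pid": e["pid"], "image": image,
                           "seconds_to_network": int(delta.total_seconds()),
                           "alert": "Suspicious Office Exploit Activity"})
    return alerts
```

On real telemetry, key the correlation on the process GUID rather than the PID so that PID reuse between the spawn and the connection does not produce false pairings.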

Outlook Abuse Detection

IF
  Process = OUTLOOK.EXE
AND
  High-frequency mailbox access
AND
  No active user input
THEN
  Alert: Potential Email Harvesting

Persistence Detection

IF
  New Scheduled Task Created
AND
  Task executes rundll32.exe
AND
  DLL located in user-writable directory
THEN
  Alert: Suspicious Persistence Mechanism
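The persistence rule above applied to Run-key values and scheduled-task actions, as an added example that is not part of the report: it parses the rundll32.exe command line, extracts the DLL path, and alerts when that path sits under a user-writable prefix. The prefix list and the sample entries are assumptions; the two matching entries reuse the IOC values given earlier on this page.

```python
# Added example, not from the report: flag Run-key values or scheduled-task
# actions that launch rundll32.exe with a DLL in a user-writable directory.
# The prefix list and the sample entries are assumptions/constructed.
import ntpath
import re

# Directories an unprivileged user can normally write to (minimal assumed list;
# extend with %TEMP%-style paths resolved for your environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# rundll32[.exe] <dll path>[,EntryPoint], with optional quoting around the path
RUNDLL32_RE = re.compile(
    r'(?:^|\\)rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?(?:,\s*(\w+))?', re.IGNORECASE)

def rundll32_target(command_line):
    """Return (dll_path, entry_point) if the command runs rundll32, else None."""
    m = RUNDLL32_RE.search(command_line)
    return (m.group(1).strip(), m.group(2)) if m else None

def in_user_writable_dir(path):
    return ntpath.normpath(path).lower().startswith(USER_WRITABLE_PREFIXES)

def check_persistence(entries):
    """entries: dicts with 'source' (Run key or task name) and 'command'.
    Returns those whose rundll32 DLL lives in a user-writable directory."""
    alerts = []
    for entry in entries:
        target = rundll32_target(entry["command"])
        if target and in_user_writable_dir(target[0]):
            alerts.append({**entry, "dll": target[0], "entry_point": target[1],
                           "alert": "Suspicious Persistence Mechanism"})
    return alerts

# Constructed samples: the report's IOC twice (Run key and task) beside two
# legitimate entries that must not alert.
SAMPLE_ENTRIES = [
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdateSvc",
     "command": r"rundll32.exe C:\ProgramData\WindowsUpdate\wuauth.dll,Init"},
    {"source": "Task: Microsoft Windows Update Check",
     "command": r"rundll32.exe C:\ProgramData\WindowsUpdate\wuauth.dll,Init"},
    {"source": "Task: Printer cleanup",
     "command": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]
```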

Threat Hunting Guidance

Endpoint Hunting

  • Review Office child process creation
  • Search for DLLs in unusual directories
  • Inspect scheduled tasks created recently
  • Check registry Run keys for rundll32 usage

Network Hunting

  • Identify hosts with regular outbound HTTPS beacons
  • Look for traffic to newly registered domains
  • Review endpoints using cloud-like domains without business need
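One way to hunt for the beacon pattern described under Network Indicators (HTTPS, every 10–15 minutes, small POSTs), added here as an example and not taken from the report: it groups small outbound port-443 connections by host and flags hosts whose inter-arrival times are both in range and nearly constant. The log records, thresholds and field layout are constructed assumptions.

```python
# Added example, not from the report: score hosts for beacon-like outbound
# HTTPS traffic, i.e. near-constant intervals in the 10-15 minute range and
# small request bodies. Records are constructed; the layout is an assumption.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy records: (source host, timestamp, destination port, bytes sent)
RECORDS = [
    # host A: small POSTs roughly 12 minutes apart with a little jitter
    ("10.1.4.22", "2026-02-05T08:00:00", 443, 612),
    ("10.1.4.22", "2026-02-05T08:12:10", 443, 598),
    ("10.1.4.22", "2026-02-05T08:24:05", 443, 640),
    ("10.1.4.22", "2026-02-05T08:36:20", 443, 605),
    ("10.1.4.22", "2026-02-05T08:48:15", 443, 611),
    # host B: same number of small requests, but a browsing burst then a gap,
    # so the mean interval lands in range while the spacing is irregular
    ("10.1.4.37", "2026-02-05T08:01:00", 443, 900),
    ("10.1.4.37", "2026-02-05T08:01:02", 443, 450),
    ("10.1.4.37", "2026-02-05T08:01:09", 443, 700),
    ("10.1.4.37", "2026-02-05T08:41:00", 443, 900),
]

def beacon_candidates(records, min_gap=600, max_gap=900, max_bytes=1024,
                      max_jitter=0.10, min_connections=4):
    """Return {host: mean_interval_seconds} for hosts whose small outbound
    443 connections are spaced regularly: mean gap within [min_gap, max_gap]
    and coefficient of variation of the gaps at most max_jitter."""
    by_host = defaultdict(list)
    for host, ts, port, sent in records:
        if port == 443 and sent <= max_bytes:
            by_host[host].append(datetime.fromisoformat(ts))
    found = {}
    for host, times in by_host.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if min_gap <= avg <= max_gap and pstdev(gaps) / avg <= max_jitter:
            found[host] = round(avg)
    return found
```

Run it over a full day rather than an hour so that the jitter test has enough intervals; a mean alone would also flag host B, which is why the spread of the gaps is checked as well.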

Email Hunting

  • Search for spear-phishing emails with document attachments
  • Identify emails sent to small, specific recipient groups
  • Review documents opened shortly before suspicious activity

Why This Matters

This campaign demonstrates:

  • Extremely fast weaponization of new vulnerabilities
  • Continued focus on email intelligence
  • High stealth and discipline
  • Long-term espionage intent

Organizations impacted may not notice obvious signs of compromise unless proactive threat hunting is performed.


Final Takeaway

This was a clean, professional intelligence operation.
No noise. No destruction. No mistakes.

The absence of obvious damage does not mean the absence of impact.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.