Russian Hackers Continue Exploiting Microsoft Office Zero-Day After Emergency Patch
Microsoft issued an out-of-band security update on Jan. 26 to address CVE-2026-21509, a Microsoft Office vulnerability the company said was being actively exploited at the time of disclosure.
In the days that followed, security researchers observed additional exploitation activity linked to APT28, a Russia-aligned threat group also tracked as Fancy Bear. Researchers at Zscaler ThreatLabz said APT28 began leveraging the flaw on Jan. 29 in targeted attacks aimed at users in Ukraine, Slovakia and Romania. The activity was also observed by Ukraine’s Computer Emergency Response Team, which said email addresses associated with central executive authorities in Ukraine were among those targeted.
CVE-2026-21509 is classified as a security feature bypass vulnerability affecting Microsoft Office 2016, Office 2019 and Microsoft 365 Apps for Enterprise. According to Microsoft and multiple security vendors, the flaw allows attackers to bypass Object Linking and Embedding protections by exploiting how Office handles untrusted inputs when making security decisions.
“The issue stems from the application’s reliance on untrusted inputs when making security decisions,” Sophos said in a published analysis, noting that this behavior allows attackers to bypass built-in OLE security mitigations designed to reduce the risk of malicious embedded content.
Zscaler said the attacks relied on specially crafted Rich Text Format documents delivered through targeted phishing emails. The lures were written in English, Ukrainian, Slovak and Romanian and were designed to persuade recipients to open the malicious attachments. Once opened, the documents triggered the vulnerability and initiated the malware delivery chain.
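Because the lure documents in this campaign are RTF files carrying embedded OLE objects, a first triage step for suspicious attachments is to pull the `\objdata` payloads out of the RTF and decode the OLE 1.0 header they carry. The script below is an added example for this article, not code from Zscaler, CERT-UA or Microsoft, and it is not a detector for CVE-2026-21509 specifically: it reports every embedded object, its declared class name, and whether the native data is an OLE compound file, which is enough to decide that a mail-delivered RTF deserves quarantine. The header layout follows the OLE 1.0 ObjectHeader (OLEVersion, FormatID, length-prefixed ClassName, TopicName, ItemName, then NativeDataSize and NativeData for embedded objects); the sample RTF it scans is constructed inline and contains only a compound-file magic plus padding, not a real object.

```python
import re

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound-file signature
OLE1_VERSION = 0x00000501
FORMAT_EMBEDDED = 2                               # FormatID for an EmbeddedObject

_OBJDATA = re.compile(rb"\{\\\*\\objdata")
_OBJCLASS = re.compile(rb"\{\\\*\\objclass\s*([^}]*)\}")
_CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d*\s?")


def _group_end(buf: bytes, start: int) -> int:
    """Index just past the '}' that closes the RTF group opening at buf[start]."""
    depth, i = 0, start
    while i < len(buf):
        c = buf[i]
        if c == 0x5C:                 # backslash: skip the escaped char (\{ \} \\ \')
            i += 2
            continue
        if c == 0x7B:                 # '{'
            depth += 1
        elif c == 0x7D:               # '}'
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced RTF group at offset %d" % start)


def _hex_payload(group: bytes) -> bytes:
    """Strip control words, braces and whitespace from an \\objdata group, then hex-decode."""
    body = group[len(b"{\\*\\objdata"):-1]
    body = _CONTROL_WORD.sub(b"", body)           # remove injected \word tokens first
    body = re.sub(rb"[^0-9A-Fa-f]", b"", body)    # keep only hex digits
    if len(body) % 2:
        body = body[:-1]                          # odd nibble count: drop the stray half byte
    return bytes.fromhex(body.decode("ascii"))


def parse_ole1(data: bytes) -> dict:
    """Decode the OLE 1.0 ObjectHeader carried by \\objdata (MS-OLEDS layout)."""
    def u32(off: int) -> int:
        return int.from_bytes(data[off:off + 4], "little")

    def lp_string(off: int):          # LengthPrefixedAnsiString: u32 length, then bytes
        n = u32(off)
        return data[off + 4:off + 4 + n], off + 4 + n

    if len(data) < 12:
        raise ValueError("objdata too short for an OLE 1.0 header")
    version, format_id, pos = u32(0), u32(4), 8
    class_name, pos = lp_string(pos)
    _topic, pos = lp_string(pos)
    _item, pos = lp_string(pos)
    info = {"ole_version": version, "format_id": format_id,
            "class_name": class_name.rstrip(b"\0").decode("latin-1"),
            "native": b"", "native_size_declared": 0}
    if format_id == FORMAT_EMBEDDED:
        size = u32(pos)
        info["native_size_declared"] = size
        info["native"] = data[pos + 4:pos + 4 + size]
    return info


def scan_rtf(rtf: bytes) -> list:
    """Return one record per embedded OLE object found in an RTF byte string."""
    findings = []
    for m in _OBJDATA.finditer(rtf):
        end = _group_end(rtf, m.start())
        info = parse_ole1(_hex_payload(rtf[m.start():end]))
        # \objclass normally precedes \objdata inside the same \object group
        classes = _OBJCLASS.findall(rtf[:m.start()])
        info["objclass"] = classes[-1].decode("latin-1") if classes else ""
        info["is_compound_file"] = info["native"].startswith(CFB_MAGIC)
        info["size_mismatch"] = len(info["native"]) != info["native_size_declared"]
        findings.append(info)
    return findings


def build_sample_rtf() -> bytes:
    """Constructed test input: one embedded 'Package' object whose native data is
    just the compound-file magic plus padding (not a real or malicious object)."""
    native = CFB_MAGIC + b"\x00" * 24
    lps = lambda s: len(s).to_bytes(4, "little") + s
    ole1 = (OLE1_VERSION.to_bytes(4, "little") + FORMAT_EMBEDDED.to_bytes(4, "little")
            + lps(b"Package\x00") + lps(b"") + lps(b"")
            + len(native).to_bytes(4, "little") + native)
    hexdata = ole1.hex().encode()
    # Word wraps long hex runs across lines; reproduce that to exercise the cleanup
    wrapped = b"\r\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
            b"{\\*\\objdata " + wrapped + b"}}\\par}")


if __name__ == "__main__":
    for obj in scan_rtf(build_sample_rtf()):
        print({k: v for k, v in obj.items() if k != "native"})
```

Run it against a real attachment with `scan_rtf(open(path, "rb").read())`. Any embedded object in an RTF that arrived by mail is worth a closer look; a `size_mismatch` or a class name that does not match the `\objclass` group is a further sign that the file was hand-assembled rather than saved by Word.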
The attack chain included two primary malware components. One, tracked as MiniDoor, was used to steal email data from Microsoft Outlook. The second, PixyNetLoader, was used to load a remote access payload based on the Covenant command-and-control framework, giving attackers persistent access to compromised systems.
Microsoft confirmed that CVE-2026-21509 was being exploited in the wild when it released the emergency patch, classifying it as a zero-day at the time of disclosure. The U.S. Cybersecurity and Infrastructure Security Agency subsequently added the flaw to its Known Exploited Vulnerabilities catalog and set a remediation deadline of Feb. 16 for federal civilian agencies.
Security researchers said the targeting, malware tooling and operational techniques observed in the campaign are consistent with previous APT28 espionage activity, which has historically focused on government, military and diplomatic organizations in Eastern Europe and other regions aligned with Russian strategic interests.
Exploitation requires user interaction: the victim must be convinced to open the malicious Office document. Microsoft said the Preview Pane is not an attack vector for this flaw, so merely previewing the attachment does not trigger it.
For Office 2021 and later versions, Microsoft deployed service-side protections that take effect after Office applications are restarted. Organizations running older versions, including Office 2016 and Office 2019, must apply the relevant security updates or implement registry-based mitigations provided by Microsoft if patching is not immediately possible.
CERT-UA warned that exploitation activity involving CVE-2026-21509 is likely to continue as attackers bet on delayed patching and inconsistent mitigation across environments. The agency shared indicators of compromise and urged organizations to apply updates as soon as possible to reduce exposure.
Microsoft has directed administrators to review guidance published by the Microsoft Security Response Center for a complete list of affected products and recommended mitigations.