Article Details

Scrape Timestamp (UTC): 2026-02-02 18:28:42.881

Source: https://www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/

Original Article Text


Russia-linked APT28 attackers already abusing new Microsoft Office zero-day

Ukraine's CERT says the bug went from disclosure to active exploitation in days.

Russia-linked attackers are already exploiting Microsoft's latest Office zero-day, with Ukraine's national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU.

In an alert published on Sunday, CERT-UA says the activity is being driven by UAC-0001, better known as "APT28" or "Fancy Bear", and hinges on CVE-2026-21509, a security feature bypass bug in Microsoft Office that Microsoft disclosed last week alongside a warning that attackers were already exploiting it in the wild.

According to CERT-UA, the first weaponized document surfaced just days after Microsoft sounded the alarm about the flaw. A file titled "Consultation_Topics_Ukraine(Final).doc" appeared publicly on January 29 and was themed around EU discussions on Ukraine. File metadata shows it was created on January 27, the day after Microsoft published details of the flaw, a turnaround time that suggests the exploit chain was already prepared and waiting.

That same day, Ukrainian incident responders were alerted to a parallel phishing campaign impersonating official correspondence from the Ukrhydrometeorological Center. More than 60 recipients, mostly across central government bodies, received emails carrying a malicious DOC attachment.

Opening the file in Office quietly initiates a WebDAV connection to an external server, downloads a shortcut file, and uses it as a launchpad for further malware. From there, the attackers drop a DLL masquerading as a legitimate Windows component and stash shellcode inside what appears to be a harmless image file. They then establish persistence via COM hijacking and a scheduled task that restarts explorer.exe, ensuring the malicious code is reloaded.

Most users would notice little out of the ordinary, but the attackers now have a foothold they can return to. The end result is the deployment of the COVENANT post-exploitation framework, and the attackers route their traffic through Filen, a legitimate cloud storage service, which helps it blend in as everyday noise rather than something obviously hostile. CERT-UA has advised defenders to monitor Filen-related traffic closely or block it outright where possible.

The campaign has not been confined to Ukraine. In the final days of January, CERT-UA identified three more malicious documents using the same exploit chain and targeting organizations in EU member states. In one case, the domain serving the payload was registered on the very day it was used, underlining how fast the attackers are cycling through infrastructure.

Microsoft now has patches out, including for older Office builds that initially sat in limbo, but CERT-UA is still not optimistic about how quickly they'll land. "It is obvious that in the near future, including due to the inertia of the process or impossibility of users updating the Microsoft Office suite and/or using recommended protection mechanisms, the number of cyberattacks using the described vulnerability will begin to increase," CERT-UA warned.
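The chain described above (an Office document pulling from WebDAV, a per-user COM hijack, a scheduled task that restarts explorer.exe, and beaconing through a cloud storage service) maps onto a handful of host-telemetry checks. The script below is an added example for this page, not code from CERT-UA, Microsoft or The Register, and it runs over constructed Sysmon-style events embedded inline rather than real logs from the campaign. The internal address ranges, the filen.io domain list, the CLSID, SID, task and file names are all assumptions; replace the indicators with those published in the CERT-UA alert before using it.

```python
import ipaddress
import re

# Constructed sample telemetry, loosely shaped like Sysmon events (id 1 = process
# create, 3 = network connect, 13 = registry value set). These are not real logs
# from the campaign; CLSID, SID, task and file names are placeholders.
SAMPLE_EVENTS = [
    # Office opens a WebDAV path and the mini-redirector reaches out to an external host.
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "dest_ip": "203.0.113.45",
     "dest_port": 80, "user_agent": "Microsoft-WebDAV-MiniRedir/10.0.19045"},
    # Per-user COM hijack: a CLSID's InprocServer32 redirected to a DLL under AppData.
    {"id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes"
               r"\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "details": r"C:\Users\alice\AppData\Roaming\Microsoft\placeholder.dll"},
    # Scheduled task that kills and restarts explorer.exe so the hijacked object reloads.
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks /create /tn "SyncHost" /sc minute /mo 30 '
                     '/tr "cmd /c taskkill /f /im explorer.exe & start explorer.exe"'},
    # Beaconing through a cloud storage service.
    {"id": 3, "image": r"C:\Windows\explorer.exe", "dest_host": "filen.io", "dest_port": 443},
    # Benign look-alikes that must not fire.
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "dest_ip": "10.20.30.40",
     "dest_port": 443, "user_agent": "Microsoft-WebDAV-MiniRedir/10.0.19045"},
    {"id": 13, "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}"
               r"\InprocServer32\(Default)",
     "details": r"C:\Windows\System32\oleaut32.dll"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks /create /tn "Backup" /sc daily /tr "C:\\Tools\\backup.exe"'},
]

# Assumption: the organisation's internal ranges. WebDAV from an endpoint to anything
# outside them is worth a look; add your own SharePoint/WebDAV hosts here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: domain(s) of the cloud storage service CERT-UA says to watch or block;
# replace or extend with the indicators from the CERT-UA alert.
CLOUD_C2_DOMAINS = ("filen.io",)

# HKCU\Software\Classes\CLSID\{GUID}\InprocServer32 is writable without admin rights and
# is consulted before the HKLM entry, which is exactly what COM hijacking abuses.
USER_HIVE = re.compile(r"^(HKU|HKCU|HKEY_USERS|HKEY_CURRENT_USER)\\", re.I)
COM_SERVER_KEY = re.compile(
    r"\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\(InprocServer32|LocalServer32|TreatAs)", re.I)
TASK_TOUCHES_EXPLORER = re.compile(r"schtasks(\.exe)?\s+/create.*explorer\.exe", re.I | re.S)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def rule_webdav_to_external(ev: dict) -> bool:
    return (ev.get("id") == 3
            and ev.get("user_agent", "").startswith("Microsoft-WebDAV-MiniRedir")
            and "dest_ip" in ev and is_external(ev["dest_ip"]))


def rule_com_hijack_user_clsid(ev: dict) -> bool:
    target = ev.get("target", "")
    return (ev.get("id") == 13 and bool(USER_HIVE.match(target))
            and bool(COM_SERVER_KEY.search(target)))


def rule_task_restarts_explorer(ev: dict) -> bool:
    return ev.get("id") == 1 and bool(TASK_TOUCHES_EXPLORER.search(ev.get("command_line", "")))


def rule_cloud_storage_c2(ev: dict) -> bool:
    host = ev.get("dest_host", "").lower()
    return ev.get("id") == 3 and any(host == d or host.endswith("." + d) for d in CLOUD_C2_DOMAINS)


RULES = {
    "webdav_to_external": rule_webdav_to_external,
    "com_hijack_user_clsid": rule_com_hijack_user_clsid,
    "task_restarts_explorer": rule_task_restarts_explorer,
    "cloud_storage_c2": rule_cloud_storage_c2,
}


def hunt(events: list) -> list:
    """Return (rule_name, event_index) for every event that trips a rule."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, i in hunt(SAMPLE_EVENTS):
        print(f"{name:24} event#{i} {SAMPLE_EVENTS[i]['image']}")
```

Each rule is deliberately narrow: the WebDAV rule keys on the mini-redirector's user agent so internal SharePoint traffic does not fire, the COM rule only flags the per-user hives, and the task rule only cares about a task creation whose action mentions explorer.exe. Feed it your real EDR or Sysmon export by mapping the fields into the same dictionary shape.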

Daily Brief Summary

NATION STATE ACTIVITY // APT28 Exploits Microsoft Office Zero-Day Targeting Ukraine and EU

Ukraine's CERT identified Russia-linked APT28 exploiting a new Microsoft Office zero-day, CVE-2026-21509, targeting government agencies in Ukraine and the EU.

The vulnerability, a security feature bypass in Microsoft Office, was disclosed by Microsoft with a warning that it was already being exploited in the wild; CERT-UA observed the first APT28 weaponized document just days later.

Attackers utilized weaponized documents themed around EU-Ukraine discussions, with metadata indicating rapid preparation for exploitation.

The attack chain involves phishing emails with malicious DOC attachments that, when opened, initiate a WebDAV connection to an external server and download a shortcut file used to stage further malware.

APT28 employs COM hijacking and scheduled tasks to maintain persistence, deploying the COVENANT post-exploitation framework.

CERT-UA advises monitoring or blocking Filen-related traffic and notes rapid infrastructure cycling by attackers.

Despite Microsoft's release of patches, CERT-UA warns of potential delays in user adoption, increasing the risk of further attacks.