Listen to this Post

A New Cyber Offensive Unfolds in Eastern Europe
A newly disclosed Microsoft Office vulnerability has already been weaponized in the wild, and the attackers are no amateurs. The Russia-linked state-sponsored threat group APT28, also tracked as UAC-0001, has been attributed to an aggressive espionage campaign dubbed Operation Neusploit, targeting government and institutional users across Eastern Europe.
According to new findings from Zscaler ThreatLabz, the group moved with alarming speed, exploiting the flaw just three days after Microsoft publicly disclosed it. The campaign primarily focused on Ukraine, Slovakia, and Romania, using carefully localized social engineering tactics and technically sophisticated malware chains designed to evade detection and persist long-term.
This operation highlights not only APT28’s operational maturity, but also the shrinking window defenders now face between vulnerability disclosure and real-world exploitation.
the Original Report
The threat actor behind Operation Neusploit is APT28, a Russia-aligned hacking group with a long history of cyber espionage. Zscaler ThreatLabz observed the group actively exploiting a newly disclosed Microsoft Office vulnerability, tracked as CVE-2026-21509, on January 29, 2026. Microsoft had revealed the flaw only days earlier, underscoring how rapidly advanced actors can operationalize public disclosures.
CVE-2026-21509 is classified as a security feature bypass in Microsoft Office with a CVSS score of 7.8. By sending specially crafted Office files, attackers can trigger malicious behavior without requiring advanced user interaction. In this campaign, APT28 relied heavily on social engineering, distributing malicious RTF files accompanied by lures written in English as well as Romanian, Slovak, and Ukrainian, depending on the target region.
To further reduce exposure, the attackers implemented server-side evasion techniques. The malicious payloads were delivered only when requests originated from specific geographic locations and included the correct User-Agent headers. This selective delivery significantly limited detection by security researchers and automated sandboxes.
Once exploited, the vulnerability enabled two distinct attack paths. The first involved a dropper that delivered MiniDoor, a C++-based Outlook email stealer. MiniDoor harvested emails from multiple folders, including Inbox, Junk, and Drafts, and exfiltrated them to attacker-controlled email addresses hosted on Outlook and Proton Mail. Researchers assess MiniDoor to be a stripped-down evolution of NotDoor (GONEPOSTAL), a malware family documented in late 2025.
The second and more complex path leveraged a dropper known as PixyNetLoader. This loader initiated a multi-stage infection chain designed for stealth and persistence. PixyNetLoader embedded additional payloads within itself and established persistence using COM object hijacking. Among the extracted components were a shellcode loader named EhStoreShell.dll and a PNG image file used as a covert payload container.
The loader extracted shellcode hidden within the image using steganography, executing it only if specific conditions were met. The malware checked whether it was running in an analysis environment and verified that the launching process was explorer.exe. If these conditions failed, the malicious logic remained dormant.
Ultimately, the shellcode loaded a .NET-based Covenant Grunt implant, connecting the infected system to a command-and-control infrastructure powered by the open-source Covenant framework. This technique mirrors earlier APT28 activity documented in September 2025 during Operation Phantom Net Voxel, though the delivery mechanism has evolved from VBA macros to DLL-based loaders.
Parallel reporting from CERT-UA confirmed similar exploitation attempts using malicious Word documents against more than 60 email addresses linked to Ukrainian government entities. Metadata showed some lure documents were created as early as January 27, 2026. Opening these documents triggered WebDAV connections to external resources, ultimately leading to the same PixyNetLoader infection chain and Covenant deployment.
What Undercode Say:
Strategic Implications of Operation Neusploit
Operation Neusploit is less about technical novelty and more about operational efficiency. APT28 did not wait for a patch cycle, widespread awareness, or mass exploitation opportunities. Instead, it capitalized on the brief window between disclosure and remediation, a tactic increasingly favored by state-sponsored actors who prioritize precision over scale.
The use of CVE-2026-21509 demonstrates a clear understanding of defender behavior. Once a vulnerability is publicly disclosed, security teams rush to assess impact, but patch deployment—especially across government environments—often lags behind. APT28 exploited this gap with near-perfect timing.
Equally notable is the group’s continued refinement of stealth techniques. Server-side filtering based on geography and User-Agent strings is no longer exotic, but its consistent use shows discipline. This approach minimizes exposure to researchers and reduces the likelihood of early detection, allowing campaigns to run longer and harvest more intelligence.
The dual attack-chain design also reflects strategic thinking. MiniDoor serves fast, targeted intelligence collection through email theft, while PixyNetLoader establishes a deeper, longer-term foothold via Covenant. This layered approach allows operators to balance immediate intelligence gains with persistent access.
From a tooling perspective, the migration away from VBA macros toward DLL-based loaders is significant. Macros have become a high-signal indicator for defenders, often blocked by default. DLL proxying and COM hijacking, by contrast, blend more effectively into legitimate Windows behavior, especially in enterprise environments.
The reuse and evolution of techniques from Operation Phantom Net Voxel further reinforce that APT28 operates on a modular development model. Successful components are not discarded; they are refined, repackaged, and redeployed with minor variations. This continuity makes attribution easier for analysts but also increases the reliability of the attack infrastructure for the adversary.
The targeting focus on Ukraine and neighboring states aligns with broader geopolitical realities. Cyber espionage here is not opportunistic—it is strategic, persistent, and closely aligned with state intelligence priorities. The involvement of central executive authorities, as reported by CERT-UA, suggests information-gathering rather than disruption.
Perhaps the most concerning aspect is how “normal” this operation looks by modern standards. There are no flashy zero-click exploits or exotic malware strains. Instead, Operation Neusploit succeeds through timing, discipline, and incremental technical improvement. That combination is far harder to defend against than novelty alone.
For defenders, this campaign is a reminder that disclosure does not equal safety. The moment a vulnerability becomes public, the clock starts ticking—not just for patching, but for active exploitation by highly capable adversaries.
🔍 Fact Checker Results
✅ APT28 has a documented history of targeting Eastern European government entities.
✅ CVE-2026-21509 is confirmed as a Microsoft Office security feature bypass exploited in the wild.
❌ No evidence currently suggests the campaign relied on ransomware or financially motivated payloads.
📊 Prediction
APT28 will likely continue exploiting CVE-2026-21509 until patch adoption reaches critical mass, while simultaneously adapting the PixyNetLoader chain for future Office or Windows vulnerabilities. Similar DLL-based loaders and Covenant implants are expected to reappear in new campaigns targeting politically sensitive regions throughout 2026.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




