Fancy Bear Launches Operation Neusploit: Sneaky Microsoft RTF Exploit Hits Europe

In early 2026, a new wave of cyberattacks has targeted Central and Eastern Europe, leveraging a fresh Microsoft zero-day vulnerability to stealthily steal emails. The Russia-linked hacker group Fancy Bear, also known as APT28, has been identified as behind this operation, now dubbed Operation Neusploit. This campaign highlights the persistent danger posed by state-sponsored cyberespionage and the ingenuity of modern attack techniques.

Operation Neusploit: The Attack Uncovered

Security researchers at Zscaler ThreatLabz detected the campaign and traced it with high confidence to Fancy Bear. The attackers focus on users in Ukraine, Slovakia, and Romania, sending phishing emails in English, Romanian, Slovak, and Ukrainian. Each email carries a booby-trapped RTF document exploiting a recently discovered zero-day, CVE-2026-21509.

Microsoft issued an emergency patch on January 26, 2026, but within days—by January 29—hackers were actively exploiting the flaw. The attack’s ultimate goal is to gain stealthy access to Outlook emails and implant backdoors without alerting users.

When a victim opens a malicious RTF file, the flaw allows attackers to execute code on the victim’s machine. This triggers a chain of infections:

The exploit downloads a malicious DLL dropper from the attacker’s server, which only responds to requests from targeted countries with specific browser headers.

Two main malware variants are used: MiniDoor and PixyNetLoader.

MiniDoor is a lightweight C++ implant that manipulates Outlook’s VBA projects, modifies registry settings, and hides in the startup folder. It monitors new emails and login activity, collecting emails from Inbox and Drafts, bundling them, and silently forwarding them to attacker-controlled addresses—without leaving traces in the Sent folder.

PixyNetLoader takes a different approach. It decrypts payloads hidden in images using steganography, hijacks a legitimate Windows COM object, and injects malicious code into explorer.exe. Its payload includes EhStoreShell.dll, which performs sandbox checks and launches a Covenant Grunt implant. This .NET-based implant communicates with attackers using XOR-encoded Base64 commands via the Filen API.

Fancy Bear: A Long History of Stealth

Fancy Bear has been active since 2007, reportedly tied to Russia’s GRU Unit 26165, with a focus on governments, militaries, NATO allies, and political targets. Previous campaigns have leveraged X-Agent, Zebrocy, and multiple zero-day exploits in Office, Flash, and other software. Operation Neusploit shows a clear lineage with those past operations: COM hijacking, PNG steganography, and MiniDoor’s echoes of earlier implants.

Immediate Defense Steps

Patch immediately: Install Microsoft’s CVE-2026-21509 update.

Email vigilance: Avoid opening RTF files from unknown or suspicious senders.

Monitor endpoints: Tools like PolySwarm can detect Indicators of Compromise (IOCs), Filen API abuse, and rogue registry changes in Outlook.

What Undercode Says:

Operation Neusploit is a textbook example of modern cyberespionage, combining zero-day exploitation, multi-stage payloads, and country-specific targeting. Fancy Bear’s ability to pivot quickly from public patch release to active exploitation demonstrates a high level of operational sophistication.

The dual-dropper strategy—MiniDoor for direct email exfiltration and PixyNetLoader for stealthy payload delivery—shows the attackers’ intent to cover multiple attack surfaces. By hiding payloads in legitimate structures like COM objects and PNG images, attackers evade traditional antivirus and sandbox detections.

The use of Covenant Grunt, a publicly available open-source C2 framework, reflects a growing trend of APTs leveraging open-source tools to reduce development costs while maintaining high efficacy. This also complicates attribution, as the same tools are accessible to multiple threat actors.

Targeted country checks and browser-header validation indicate a surgical approach, reducing exposure to non-targeted victims and lowering the chance of early discovery. Combined with XOR encryption and Base64 obfuscation, the campaign demonstrates advanced operational security, making it harder for defenders to intercept communications.

For organizations in Europe and beyond, the campaign highlights three key takeaways:

Patch Management is Critical: Zero-day exploitation is nearly guaranteed once a patch is announced publicly. Timely updates save organizations from high-impact breaches.

Email Hygiene Matters: Even sophisticated malware relies on human error. Training staff to identify phishing attempts remains essential.

Proactive Threat Hunting: Monitoring endpoints for abnormal DLL activity, registry changes, or network anomalies is vital to catch stealthy intrusions.
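As an added defender-side example (not code from the report, from Zscaler, or from Undercode), the following Python hunt turns the MiniDoor and PixyNetLoader behaviours described above (Outlook registry and VBA-project tampering, Startup-folder persistence, a DLL loaded into explorer.exe from a user-writable path, and explorer.exe talking to a cloud file-sharing API) into rules run over constructed EDR-style telemetry. VbaProject.OTM is Outlook's standard VBA store; every host, path, process and domain in the sample is a placeholder, not an indicator from the campaign.

```python
import re

# Constructed EDR-style telemetry (key=value fields). Paths, processes and the
# cloud domain are placeholders, NOT indicators taken from the Zscaler report.
SAMPLE_EVENTS = [
    'type=registry proc=WINWORD.EXE op=SetValue key="HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\PLACEHOLDER_KEY"',
    'type=registry proc=OUTLOOK.EXE op=SetValue key="HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Preferences"',
    'type=file proc=WINWORD.EXE op=Create path="C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk"',
    'type=file proc=WINWORD.EXE op=Write path="C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"',
    'type=imageload proc=explorer.exe image="C:\\Users\\u\\AppData\\Local\\Temp\\EhStoreShell.dll"',
    'type=imageload proc=explorer.exe image="C:\\Windows\\System32\\shell32.dll"',
    'type=network proc=explorer.exe dest=api.filen.example port=443',
]

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
OFFICE_PROCS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
WATCHED_CLOUD_HOSTS = {"api.filen.example"}  # placeholder watch-list entry (assumed)

def parse(line):
    """Turn one telemetry line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}

def evaluate(ev):
    """Return a rule tag if the event matches one Neusploit-style TTP, else None."""
    t = ev.get("type")
    proc = ev.get("proc", "").upper()
    key = ev.get("key", "").lower()
    path = ev.get("path", ev.get("image", "")).lower()
    # MiniDoor: Outlook registry touched by a process other than Outlook itself
    if t == "registry" and "\\office\\" in key and "\\outlook\\" in key and proc != "OUTLOOK.EXE":
        return "R1 outlook-registry-by-foreign-process"
    # MiniDoor: Outlook VBA project store rewritten by a foreign process
    if t == "file" and path.endswith("\\vbaproject.otm") and proc != "OUTLOOK.EXE":
        return "R2 outlook-vba-project-tampered"
    # MiniDoor: Office process dropping persistence into the Startup folder
    if t == "file" and STARTUP_DIR in path and proc in OFFICE_PROCS:
        return "R3 office-wrote-startup-folder"
    # PixyNetLoader: explorer.exe loading a DLL from a user-writable location
    if t == "imageload" and proc == "EXPLORER.EXE" and any(s in path for s in USER_WRITABLE):
        return "R4 explorer-loaded-dll-from-user-path"
    # Grunt C2: explorer.exe reaching a watch-listed cloud API host
    if t == "network" and proc == "EXPLORER.EXE" and ev.get("dest", "").lower() in WATCHED_CLOUD_HOSTS:
        return "R5 explorer-to-watched-cloud-api"
    return None

def hunt(lines):
    """Evaluate every line; return (line_index, rule) for each hit."""
    return [(i, r) for i, line in enumerate(lines) for r in [evaluate(parse(line))] if r]
```

Running `hunt(SAMPLE_EVENTS)` flags five of the seven constructed lines and leaves Outlook's own registry write and the System32 DLL load alone; in practice the same rules would be expressed in your EDR or SIEM query language against real image-load, registry and network telemetry.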

Fancy Bear’s campaign also signals a geopolitical dimension: Central and Eastern Europe remain prime targets due to ongoing regional conflicts and intelligence value. This operation will likely serve as a model for future campaigns, with evolving payload obfuscation and exfiltration tactics.

Fact Checker Results:

✅ Zscaler ThreatLabz confirmed Fancy Bear (APT28) as the actor.
✅ Microsoft released the emergency patch for CVE-2026-21509 on January 26, 2026.
❌ No public evidence yet of widespread compromise outside Ukraine, Slovakia, and Romania.

Prediction:

⚡ Expect rapid evolution of RTF-based exploits targeting Europe and possibly NATO-related institutions. Attackers will likely integrate AI-assisted reconnaissance to select high-value victims and refine payload delivery. Organizations that delay patching and ignore endpoint monitoring are at significant risk of stealth email exfiltration within the next six months.


References:

Reported By: cyberpress.org