Listen to this Post

A high-stakes cyber espionage campaign is actively exploiting a critical Microsoft Office vulnerability, putting Ukrainian government agencies and European Union institutions at risk. Security researchers have confirmed that the threat group UAC-0001—also known as APT28 and linked to Russian military intelligence—deployed sophisticated malware just hours after Microsoft publicly disclosed the flaw. This rapidly weaponized zero-day, CVE-2026-21509, underscores the increasing speed and precision with which state-linked actors are executing targeted cyberattacks.
Zero-Day Exploitation Within Hours
Microsoft officially disclosed CVE-2026-21509 on January 26, 2026, warning that the vulnerability affected multiple Office product versions and was actively exploited in the wild. Analysts from CERT-UA quickly identified the first malicious document on January 29, 2026, revealing that attackers developed fully functional exploits within 72 hours of the advisory.
The earliest weaponized file, named “Consultation_Topics_Ukraine(Final).doc,” had metadata showing it was created on January 27, 2026, less than 24 hours after Microsoft’s disclosure. The malicious DOC files exploit a vulnerability that allows them to connect to attacker-controlled servers via the WebDAV protocol, automatically downloading and executing additional malware components when opened in unpatched Office installations.
Malicious Payloads and Persistence Mechanisms
Once executed, the attack delivers multiple payloads, including a DLL disguised as “EhStoreShell.dll” (pretending to be an Enhanced Storage Shell Extension) and an image file “SplashScreen.png” containing embedded shellcode. The campaign uses COM hijacking to modify registry values under CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} and creates a scheduled task named “OneDriveHealth” to maintain persistence. This ensures the malware loads automatically whenever Windows Explorer restarts, ultimately deploying the COVENANT post-exploitation framework.
Notably, attackers leverage legitimate FileCloud storage infrastructure for command-and-control communications, making detection more difficult.
Targeted Campaign Against Government Institutions
On January 29, 2026, phishing emails carrying the malicious document “BULLETEN_H.doc” were sent to over 60 email addresses of Ukrainian central executive bodies, disguised as correspondence from the Ukrhydrometeorological Center. Further investigations revealed three additional exploit documents aimed at EU institutions. One domain used in these attacks was registered on the same day it became operational—January 30, 2026—highlighting the speed and efficiency of this campaign.
CVE Identifier Affected Products Vulnerability Type CVSS Score Exploitation Status
CVE-2026-21509 Microsoft Office Products Remote Code Execution Not Available Actively Exploited
Security authorities recommend that organizations immediately implement Microsoft’s registry-based mitigations, disable or monitor connections to FileCloud infrastructure (.filen.net, .filen.io, IPs 146.0.41.x), and ensure Office updates are deployed across all endpoints. Enhanced monitoring of WebDAV connections and scheduled tasks is critical to identifying potential compromises.
What Undercode Say:
The CVE-2026-21509 exploitation campaign represents a textbook example of modern, state-backed cyber operations: speed, precision, and operational stealth. The fact that weaponized documents appeared within 24 hours of public disclosure indicates an alarming level of preparedness by UAC-0001/APT28, which likely maintains a repository of pre-developed exploit templates for rapid deployment.
This attack highlights several key trends in cyber espionage:
Rapid Exploit Weaponization: The 72-hour window between disclosure and active attacks demonstrates a new standard in threat actor agility. Organizations must assume vulnerabilities are weaponized almost immediately.
Use of Legitimate Infrastructure: By leveraging FileCloud storage services, attackers obscure traffic and evade conventional detection, indicating an evolution in operational tradecraft.
Targeting Government Entities: The campaign’s focus on high-value government email addresses underscores the geopolitical motives behind APT28’s operations.
Sophisticated Persistence Techniques: COM hijacking and scheduled task creation for malware persistence show a focus on long-term access rather than quick disruption.
Multi-Stage Payload Deployment: Deploying DLLs disguised as system files and shellcode within image files indicates a layered approach designed to bypass antivirus solutions and endpoint detection systems.
For IT teams, this means the traditional patch-and-wait approach is no longer sufficient. Proactive monitoring, threat hunting for anomalous COM registrations, WebDAV activity, and unusual scheduled tasks should become part of everyday defensive routines. Moreover, organizations should review third-party storage integrations, especially cloud services, for potential abuse by threat actors.
APT28’s strategy also reveals how state-backed actors exploit the window between disclosure and patch deployment—a crucial vulnerability for enterprises with slow update cycles. The campaign is likely to expand, targeting not only Ukraine and EU institutions but also international organizations with interlinked cloud services.
Fact Checker Results:
✅ Microsoft officially disclosed CVE-2026-21509 on January 26, 2026.
✅ CERT-UA confirmed the first weaponized Office document appeared on January 29, 2026.
❌ No CVSS score has been officially published yet for this vulnerability.
Prediction:
⚠️ Expect rapid adoption of CVE-2026-21509 exploits across multiple sectors, especially government and critical infrastructure.
⚠️ Attackers will increasingly use legitimate cloud services to mask command-and-control traffic.
⚠️ Organizations with slow patch cycles are likely to experience the highest risk of compromise in the coming months.
This version blends technical precision with a narrative flow, clearly highlighting threat urgency, attack mechanics, and actionable insights for security teams.
If you want, I can also create a visual attack timeline diagram showing how the weaponized exploit spread from January 26–30, 2026—it would make this report even more engaging for readers. Do you want me to do that next?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




