Russian hackers are leveraging a Microsoft Office flaw to steal emails and deliver malware.
Key Takeaways:
Russian hackers are exploiting a high-severity vulnerability affecting multiple versions of Microsoft Office. The flaw could allow attackers to steal emails and deploy malicious payloads against organizations in Central and Eastern Europe.
Specifically, CVE‑2026‑21509 is a security feature bypass vulnerability in Microsoft Office that is triggered when victims open specially crafted RTF documents. It can allow malicious code to execute without relying on the traditional macro prompts, which helps the attack avoid raising user suspicion. Microsoft released an out-of-band patch for the flaw on January 26; however, hackers were observed exploiting the vulnerability in real-world attacks just days later.
According to Zscaler researchers, the attack chain in Operation Neusploit begins when victims targeted by the Russia‑linked threat group APT28 open a carefully crafted RTF document that exploits the Microsoft Office security feature bypass vulnerability. Once exploited, the document retrieves a malicious dropper DLL from the attacker’s infrastructure, which selectively delivers one of two payloads based on server‑side checks.
One path installs MiniDoor, a lightweight Outlook‑focused tool that covertly steals and forwards user emails. The other deploys PixyNetLoader, a more advanced loader that establishes persistence through COM hijacking, extracts shellcode hidden inside a PNG image using steganography, and launches a Covenant Grunt implant to give attackers long‑term remote control of the compromised system.
Operation Neusploit primarily targeted Central and Eastern European countries, including Ukraine, Slovakia, and Romania. The attackers used localized phishing lures, written in both English and regional languages, to increase the likelihood that victims would open the malicious documents.
Organizations can reduce the risk posed by such attacks by prioritizing rapid patch management, particularly for widely used applications such as Microsoft Office. Security teams should ensure updates are deployed as quickly as possible and confirm that vulnerable Office versions are fully remediated across the environment.
It’s highly recommended that organizations strengthen email and document security controls, including sandboxing Office files, disabling unnecessary RTF handling, and monitoring for suspicious WebDAV or DLL download activity linked to document execution.
Additionally, security teams must adopt a defense‑in‑depth approach focused on early detection and post‑exploitation prevention. This includes monitoring for abnormal Outlook behavior, detecting persistence mechanisms like COM object hijacking, and flagging steganography‑based payload delivery that hides shellcode inside image files.
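The two detection points recommended above, an Office process pulling a DLL over WebDAV after opening a document and a per-user COM hijack written under HKCU, can be expressed as simple rules over endpoint telemetry. The following is an added example written for this article, not code from Zscaler, Microsoft or the campaign write-up; the event records are constructed Sysmon-like dictionaries, the IP address, CLSID and file paths are placeholders, and the severity scheme is an assumption.

```python
"""Toy detection pass over constructed endpoint events (added example).

Rule 1: an Office process loads a .dll from a UNC / WebDAV path.
Rule 2: a write to HKCU\\Software\\Classes\\CLSID\\{...}\\InprocServer32 that
        points at a user-writable location (the classic per-user COM hijack),
        raised to "high" when the writing process descends from Office.
"""
import re

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# UNC prefix, WebDAV mini-redirector folder, or the @SSL WebDAV form
WEBDAV_MARKERS = ("\\\\", "davwwwroot", "@ssl")
COM_KEY_RE = re.compile(
    r"^hkcu\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32$", re.I)

# Constructed sample telemetry; addresses, CLSIDs and paths are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 900, "image": "winword.exe"},
    {"type": "image_load", "pid": 4100, "image": "winword.exe",
     "loaded": r"\\203.0.113.10\DavWWWRoot\files\update.dll"},
    {"type": "process_create", "pid": 4200, "ppid": 4100, "image": "rundll32.exe"},
    {"type": "registry_set", "pid": 4200, "image": "rundll32.exe",
     "key": r"HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "value": r"C:\Users\alice\AppData\Roaming\loader.dll"},
    # benign noise: Office loading its own DLL, an installer writing HKLM
    {"type": "process_create", "pid": 5200, "ppid": 900, "image": "excel.exe"},
    {"type": "image_load", "pid": 5200, "image": "excel.exe",
     "loaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll"},
    {"type": "process_create", "pid": 800, "ppid": 700, "image": "msiexec.exe"},
    {"type": "registry_set", "pid": 800, "image": "msiexec.exe",
     "key": r"HKLM\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32",
     "value": r"C:\Program Files\Vendor\vendor.dll"},
]


def office_lineage(events):
    """Return the set of pids that are an Office process or descend from one."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    image = {e["pid"]: e["image"].lower() for e in events if e["type"] == "process_create"}
    tainted = set()
    for pid in parent:
        cur = pid
        while cur in parent:          # walk up until we leave the known tree
            if image[cur] in OFFICE_PROCS:
                tainted.add(pid)
                break
            cur = parent[cur]
    return tainted


def detect(events):
    """Return (severity, rule, pid, detail) tuples for the two rules above."""
    tainted = office_lineage(events)
    findings = []
    for e in events:
        if e["type"] == "image_load" and e["image"].lower() in OFFICE_PROCS:
            path = e["loaded"].lower()
            if path.endswith(".dll") and any(m in path for m in WEBDAV_MARKERS):
                findings.append(("high", "office_remote_dll_load", e["pid"], e["loaded"]))
        elif e["type"] == "registry_set" and COM_KEY_RE.match(e["key"]):
            # HKCU CLSID writes by installers are common; require a user-writable target
            if any(w in e["value"].lower() for w in USER_WRITABLE):
                sev = "high" if e["pid"] in tainted else "medium"
                findings.append((sev, "hkcu_com_hijack", e["pid"], e["key"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the pass reports the WebDAV DLL load by the Office process and the HKCU InprocServer32 write by its rundll32 child, while ignoring Office loading its own DLL and an installer writing under HKLM. The lineage check is what links the persistence write back to document execution; in a real deployment the same logic maps onto Sysmon event IDs 1, 7 and 13 or the equivalent EDR fields.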
Employees should also be trained to treat unsolicited documents with caution, especially those using localized or topical lures. Finally, security teams should incorporate the published indicators of compromise and TTPs associated with APT28 into their detection and response workflows to improve resilience against similar campaigns in the future.