
Russian hackers attacked government agencies in 9 countries due to Microsoft Office vulnerability. Ukraine among victims

A hacking group linked to the Russian government exploited a critical vulnerability in Microsoft Office to attack diplomatic and transportation agencies in 9 countries, mostly in Eastern Europe.

A hacking group known as APT28, Fancy Bear, Sednit, Forest Blizzard, and Sofacy exploited the CVE-2026-21509 vulnerability less than 48 hours after Microsoft released an urgent unscheduled security update late last month. According to researchers, by reverse engineering the patch, the group members created a sophisticated exploit that installed one of two previously unknown backdoors, writes Ars Technica.

The entire campaign was designed to evade endpoint security. Beyond their novelty, the exploits and payload were encrypted and executed directly in RAM, making the threat hard to detect. The initial infection vector was phishing emails sent from previously compromised government accounts in several countries, senders that the targeted mailboxes likely already recognized. The command-and-control channels were hosted on legitimate cloud services that secure networks typically whitelist.

“The exploitation of CVE-2026-21509 demonstrates how quickly state-affiliated groups are able to weaponize new vulnerabilities, narrowing the window of opportunity for protecting critical systems,” researchers at cybersecurity firm Trellix noted. “The modular infection chain of this campaign—from initial phishing to loading a backdoor into memory and installing secondary implants—was carefully designed to use trusted channels (HTTPS traffic to cloud services, legitimate mail streams) and fileless methods to remain invisible in plain sight.”

The 72-hour phishing campaign began on January 28 and delivered at least 29 different decoy emails to organizations in nine countries, mostly in Eastern Europe. Trellix identified eight of them: Poland, Slovenia, Turkey, Greece, UAE, Ukraine, Romania and Bolivia. The targeted organizations were ministries of defense (40%), transport/logistics operators (35%) and diplomatic institutions (25%).

The ultimate goal of the attack was to install the BeardShell or NotDoor backdoors. With BeardShell, the hackers gained full access to the system's data and established persistence by injecting their code into the Windows system process svchost.exe, which also opened the way to other computers on the organization's network. The malware worked extremely cleanly: it used .NET to run directly in memory, so it left no traces on the hard drive for cybersecurity experts to find during an inspection.

NotDoor was disguised as a VBA macro and was only installed after the exploit chain disabled Outlook's macro security controls. Once installed, the implant monitored email folders, including Inbox, Drafts, Spam, and RSS Feeds. It combined messages into a Windows .msg file, which was then sent to attacker-controlled accounts on the filen.io cloud service.

To bypass protections on privileged accounts designed to restrict access to classified dispatches and other confidential documents, the macro tagged processed emails with the "AlreadyForwarded" custom property and set the "DeleteAfterSubmit" parameter to true so that forwarded messages were deleted from the "Sent" folder.
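
The two implant behaviours described above give defenders concrete hunting hooks: a .NET runtime loaded into svchost.exe (BeardShell's in-memory execution) and Outlook items carrying the "AlreadyForwarded" custom property or DeleteAfterSubmit set alongside a .msg attachment (NotDoor's forwarding pattern). The script below is an added example, not code from the article or from Trellix; the telemetry records, field names and CLR module list are constructed for illustration and do not match any particular EDR or mail-audit schema.

```python
from typing import Iterable

# .NET runtime modules (constructed list); svchost.exe is a native service host
# and has no legitimate reason to load the CLR, so this is a strong signal.
CLR_MODULES = {"clr.dll", "coreclr.dll", "clrjit.dll", "mscoree.dll"}

def clr_loaded_in_svchost(events: Iterable[dict]) -> list[int]:
    """Return sorted PIDs of svchost.exe processes observed loading a CLR module."""
    pids = set()
    for ev in events:
        if (ev.get("event") == "image_load"
                and ev.get("process", "").lower() == "svchost.exe"
                and ev.get("module", "").lower() in CLR_MODULES):
            pids.add(ev["pid"])
    return sorted(pids)

def flag_mail_items(items: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Flag mail items tagged with the AlreadyForwarded custom property, or
    sent with DeleteAfterSubmit=True and a .msg attachment (the NotDoor
    exfiltration pattern). Returns (item id, list of reasons)."""
    flagged = []
    for item in items:
        reasons = []
        if "AlreadyForwarded" in item.get("custom_properties", {}):
            reasons.append("AlreadyForwarded custom property present")
        has_msg = any(a.lower().endswith(".msg") for a in item.get("attachments", []))
        if item.get("DeleteAfterSubmit") and has_msg:
            reasons.append("DeleteAfterSubmit=True with .msg attachment")
        if reasons:
            flagged.append((item["id"], reasons))
    return flagged

# Constructed sample telemetry (not real data): one benign svchost load,
# one svchost loading the CLR, and PowerShell loading the CLR (expected).
SAMPLE_EVENTS = [
    {"event": "image_load", "process": "svchost.exe", "pid": 1204, "module": "rpcrt4.dll"},
    {"event": "image_load", "process": "svchost.exe", "pid": 3388, "module": "clr.dll"},
    {"event": "image_load", "process": "powershell.exe", "pid": 4410, "module": "clr.dll"},
]
SAMPLE_ITEMS = [
    {"id": "msg-001", "custom_properties": {}, "DeleteAfterSubmit": False, "attachments": ["agenda.pdf"]},
    {"id": "msg-002", "custom_properties": {"AlreadyForwarded": "1"}, "DeleteAfterSubmit": True,
     "attachments": ["Inbox-export.msg"]},
    {"id": "msg-003", "custom_properties": {}, "DeleteAfterSubmit": True, "attachments": ["report.msg"]},
]

if __name__ == "__main__":
    print("svchost PIDs with CLR loaded:", clr_loaded_in_svchost(SAMPLE_EVENTS))  # [3388]
    for item_id, reasons in flag_mail_items(SAMPLE_ITEMS):
        print(item_id, "->", "; ".join(reasons))
```

In practice the mail-item records would come from a MAPI or EWS export of mailbox items (custom properties are not visible in ordinary message headers), and the image-load events from Sysmon event ID 7 or an equivalent EDR feed.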

Trellix researchers assess with a high degree of probability that APT28 is behind the attack. Ukraine's CERT-UA shares this view; it tracks the campaign under the name UAC-0001, its designation for the APT28 group.

“APT28 has a long history of conducting cyberespionage and influence operations,” Trellix notes. “The techniques used in this campaign—multi-stage malware, extensive obfuscation, cloud-based abuse, and email attacks to establish a persistent presence—suggest a well-resourced and sophisticated adversary that fits the profile of APT28. The toolkit and techniques also match the group’s ‘digital fingerprint.’”
