
New findings from Akamai reveal that a recently disclosed security flaw patched by Microsoft may have been exploited by a Russian-linked state-sponsored threat actor known as APT28.
The vulnerability in question is CVE-2026-21513 (CVSS score: 8.8), a high-severity security feature bypass affecting the MSHTML framework.
“A failure in the MSHTML framework’s protection mechanisms could allow an unauthorized attacker to bypass security features via the network,” Microsoft wrote in its advisory for the flaw. Microsoft fixed the issue as part of its February 2026 Patch Tuesday update.
The company also noted that the vulnerability had been exploited as a zero-day in real-world attacks, and credited Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), the Office Product Group Security Team, and Google Threat Intelligence Group (GTIG) with reporting it.
In a hypothetical attack scenario, an attacker could exploit the vulnerability by persuading a victim to open a malicious HTML or shortcut (LNK) file delivered as a link or email attachment.
Microsoft notes that when a specially crafted file is opened, it manipulates browser and Windows shell processing and causes its contents to be executed by the operating system. This could allow an attacker to bypass security features and potentially result in code execution.
Although Microsoft has not publicly shared details of the in-the-wild exploitation, Akamai said it has identified malicious artifacts tied to APT28-linked infrastructure that were uploaded to VirusTotal on January 30, 2026.

It is worth noting that the sample was reported by the Computer Emergency Response Team of Ukraine (CERT-UA) early last month in connection with an APT28 attack that exploited another security flaw in Microsoft Office (CVE-2026-21509, CVSS score: 7.8).
The web infrastructure company said CVE-2026-21513 is rooted in logic within ieframe.dll that handles hyperlink navigation and is the result of insufficient validation of the target URL, allowing attacker-controlled input to reach the code path that calls ShellExecuteExW. This allows local or remote resources to run outside the intended browser security context.
“The payload contains a specially crafted Windows shortcut (LNK) that embeds an HTML file immediately after the standard LNK structure,” said security researcher Maor Dahan. “The LNK file initiates communication with the domain Wellnesscaremed[.]com, which is attributed to APT28 and is used extensively in multi-stage payloads in campaigns. This exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries.”
Akamai noted that this technique allows attackers to bypass Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), leading to security context downgrades and ultimately facilitating the execution of malicious code outside of the browser sandbox via ShellExecuteExW.
“Although the observed campaign leverages a malicious LNK file, the vulnerable code path can be triggered through any component that embeds MSHTML,” the company added. “Therefore, additional delivery mechanisms beyond LNK-based phishing should be expected.”
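The appended-HTML construction Akamai describes can be checked for on disk by walking the shortcut's documented layout and inspecting whatever follows it. The following detector is an added example, not Akamai's or Microsoft's code; it assumes only the public MS-SHLLINK structure, and the minimal shortcut it builds is constructed for the demonstration rather than taken from any real sample.

```python
"""Find data appended after the end of a Windows shortcut (LNK), e.g. an embedded HTML file.
Walks the MS-SHLLINK layout (header, optional LinkTargetIDList, optional LinkInfo, StringData,
ExtraData blocks) using only flag bits and size fields, then reports what trails the structure."""
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HTML_MARKERS = (b"<html", b"<!doctype", b"<script", b"<iframe")

def lnk_logical_end(data: bytes) -> int:
    """Offset at which the Shell Link structure ends; raises ValueError if malformed."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & 0x01:                             # HasLinkTargetIDList: 2-byte IDListSize + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                             # HasLinkInfo: 4-byte LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & 0x80 else 1         # IsUnicode selects UTF-16LE string data
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):   # Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char_size
    while True:                                  # ExtraData: blocks until a TerminalBlock (size < 4)
        if pos + 4 > len(data):
            raise ValueError("truncated before ExtraData TerminalBlock")
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            return pos + 4
        pos += size

def find_appended_payload(data: bytes) -> dict:
    """Report bytes trailing the shortcut and whether they look like embedded HTML."""
    try:
        end = lnk_logical_end(data)
    except (ValueError, struct.error) as exc:    # struct.error: a size field points past EOF
        return {"valid_lnk": False, "reason": str(exc)}
    trailer = data[end:].lower()
    return {"valid_lnk": True, "lnk_end": end, "trailing_bytes": len(trailer),
            "html_appended": any(m in trailer for m in HTML_MARKERS)}

def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed minimal LNK (header + one Unicode NAME_STRING + TerminalBlock); not a real sample."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x04 | 0x80) + bytes(0x4C - 24)
    name = "test".encode("utf-16-le")
    return header + struct.pack("<H", len(name) // 2) + name + struct.pack("<I", 0) + trailer
```

Trailing bytes are normal for some legitimately signed or padded shortcuts, so treat a positive result as a triage signal to be paired with the MotW state and the shortcut's target, not as a verdict on its own.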
