
A Russian-linked state-sponsored threat actor known as APT28 (also known as UAC-0001) is believed to have exploited a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit.
Zscaler ThreatLabz said it observed the group exploiting the flaw in attacks targeting users in Ukraine, Slovakia, and Romania on January 29, 2026, three days after Microsoft disclosed the existence of the bug.
The vulnerability in question, CVE-2026-21509 (CVSS score: 7.8), is a security feature bypass in Microsoft Office that an unauthorized attacker could trigger by sending a specially crafted Office file.
“Social engineering lures were created in both English and localized languages (Romanian, Slovak, Ukrainian) to target users in the respective countries,” said security researchers Sudeep Singh and Roy Tay. “The attackers employed server-side evasion techniques and responded with a malicious DLL only if the request originated from the targeted geographic region and contained the correct User-Agent HTTP header.”

In a nutshell, the attack chain uses a malicious RTF file to exploit the flaw and deliver one of two droppers. The first drops an Outlook email stealer called MiniDoor; the second, called PixyNetLoader, is responsible for deploying the Covenant Grunt implant.
The first dropper acts as a conduit for MiniDoor, a C++-based DLL that steals users' emails from several folders (Inbox, Junk, Drafts) and forwards them to two hard-coded threat actor email addresses, one on a [.]com domain and the other ahmeclaw@proton[.]me. MiniDoor is considered to be a simplified version of NotDoor (also known as GONEPOSTAL), which was documented by S2 Grupo LAB52 in September 2025.
In contrast, the second dropper, PixyNetLoader, initiates a more complex attack chain that delivers additional embedded components and sets up persistence on the host using COM object hijacking. The extracted payload includes a shellcode loader ('EhStoreShell.dll') and a PNG image ('SplashScreen.png').
The main role of the loader is to parse and execute shellcode hidden within the image using steganography. However, the loader only activates its malicious logic if the infected machine is not an analysis environment and the process that loaded the DLL is 'explorer.exe'. If either condition is not met, the malware remains dormant.
The extracted shellcode is ultimately used to load an embedded .NET assembly: a Grunt implant associated with the open-source .NET Covenant command-and-control (C2) framework. It is worth noting that APT28's use of the Grunt stager was highlighted by Sekoia in September 2025 in connection with a campaign called Operation Phantom Net Voxel.
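The COM hijacking used for persistence here can be hunted on an endpoint by comparing per-user CLSID registrations with the machine-wide ones: a CLSID whose InprocServer32 is defined under HKCU shadows the HKLM registration and is loaded first by any process that instantiates that class, which fits a loader that only runs when its host is explorer.exe. The following PowerShell is an added example written for this article, not Zscaler's, CERT-UA's or the attackers' code. It assumes the hijack lives under HKCU\Software\Classes\CLSID (no admin rights needed) and flags HKCU servers that differ from the HKLM entry or sit in a user-writable path; the page does not name the hijacked CLSIDs, so the hunt is generic rather than tied to this campaign.

```powershell
# Hunt for per-user COM hijacks (added example; assumes the hijack is under HKCU).
# Two signals: an HKCU InprocServer32 that differs from the HKLM one for the same
# CLSID, and an HKCU-only server DLL living outside Windows / Program Files.
$hkcuClsid = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$hklmClsid = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'

$findings = foreach ($key in Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue) {
    $userServer = Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if (-not $userServer -or -not $userServer.'(default)') { continue }
    $userDll = [Environment]::ExpandEnvironmentVariables($userServer.'(default)')

    $machineServer = Get-ItemProperty -Path "$hklmClsid\$($key.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
    $machineDll = if ($machineServer -and $machineServer.'(default)') {
        [Environment]::ExpandEnvironmentVariables($machineServer.'(default)')
    } else { $null }

    $shadowsMachine = $machineDll -and ($userDll -ne $machineDll)
    $inUserPath     = $userDll -notmatch '^[A-Za-z]:\\(Windows|Program Files)'
    if (-not ($shadowsMachine -or $inUserPath)) { continue }

    $exists = Test-Path -LiteralPath $userDll
    [PSCustomObject]@{
        CLSID      = $key.PSChildName
        UserDll    = $userDll
        MachineDll = $machineDll
        Reason     = if ($shadowsMachine) { 'HKCU shadows HKLM' } else { 'HKCU-only server in user-writable path' }
        DllExists  = $exists
        # Unsigned or missing DLLs in a hijacked CLSID are the ones to pull for analysis.
        Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $userDll).Status } else { 'n/a' }
    }
}

$findings | Sort-Object Reason, CLSID | Format-Table -AutoSize
```

Run it in the context of each interactive user, since HKCU is per profile; on a multi-user host, load each user's NTUSER.DAT or query HKEY_USERS\<SID>\Software\Classes\CLSID instead. Legitimate per-user COM registrations exist (some Office and OneDrive components register there), so treat DLL path, signature status and file age together rather than alerting on any HKCU entry.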

“PixyNetLoader’s infection chain shares significant overlap with Operation Phantom Net Voxel,” Zscaler said. “Previous campaigns used VBA macros, but this activity replaces them with DLLs while retaining similar techniques, including (1) COM hijacking for execution, (2) DLL proxies, (3) XOR string encryption techniques, and (4) Covenant Grunt and its shellcode loader embedded in PNG via steganography.”
This disclosure coincides with a report from the Computer Emergency Response Team of Ukraine (CERT-UA), which also warned that APT28 was exploiting CVE-2026-21509 by using Word documents to target more than 60 email addresses associated with the country’s central administrative authorities. Metadata analysis revealed that one of the lure documents was created on January 27, 2026.
“During the investigation, it was discovered that when a document is opened using Microsoft Office, a network connection is established to an external resource using the WebDAV protocol and a file with a shortcut file name containing program code designed to download and run an executable file is downloaded,” CERT-UA said.
This ultimately leads to the same PixyNetLoader attack chain and the deployment of the Covenant Grunt implant.
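The CERT-UA observation above, an Office process reaching out to an external WebDAV resource when a document is opened, is a network behaviour that can be hunted for retrospectively. The following PowerShell is an added example for this article, not CERT-UA's or Zscaler's tooling. It assumes Sysmon is deployed with network-connection logging (Event ID 3) and looks for Office binaries connecting to non-private addresses on the HTTP(S) ports WebDAV rides on; the external host used in the campaign is not given on this page, so the filter is behavioural rather than indicator-based.

```powershell
# Hunt Sysmon Event ID 3 for Office processes making outbound HTTP(S) connections
# (added example; assumes Sysmon network logging is enabled on the host).
$officeExe = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
# RFC 1918, loopback and link-local ranges are excluded; everything else is "external".
$privateIp = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|fe80:|::1$)'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable for readable filtering.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

    $image = [IO.Path]::GetFileName([string]$d['Image']).ToUpper()
    if ($officeExe -notcontains $image) { continue }
    if ($d['Initiated'] -ne 'true') { continue }            # outbound only
    if ($d['DestinationIp'] -match $privateIp) { continue }  # skip internal SharePoint etc.
    if ($d['DestinationPort'] -notin @('80', '443')) { continue }

    [PSCustomObject]@{
        Time        = $e.TimeCreated
        Image       = $image
        User        = $d['User']
        Destination = "$($d['DestinationIp']):$($d['DestinationPort'])"
        HostName    = $d['DestinationHostname']
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

One caveat: when Office hands the fetch to the Windows WebDAV mini-redirector, the connection is made by the WebClient service (hosted in svchost.exe) rather than by WINWORD.EXE, so a clean result from this query does not rule the activity out. In that case correlate Sysmon Event ID 1 (the Office process start) with Event ID 3 entries from svchost.exe in the same time window, and look for the downloaded shortcut file in the WebDAV client cache.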
