Russian state hackers exploit new Microsoft Office flaw in attacks on Ukraine, EU

Hackers linked to Russia’s military intelligence are exploiting a newly patched flaw in Microsoft Office to target government bodies in Ukraine and other European countries, according to several reports.

Ukraine’s computer emergency response team, CERT-UA, said attackers began abusing the flaw — tracked as CVE-2026-21509 — shortly after Microsoft disclosed it in early January. The agency attributed the campaign to Russia-backed hacking group APT28, also known as Fancy Bear, BlueDelta and Forest Blizzard.

Researchers identified malicious Microsoft Office documents containing the exploit that were disguised as correspondence from Ukraine’s hydrometeorological center and sent to more than 60 email addresses, most of them belonging to state authorities.

Opening the documents triggered the execution of Covenant malware, an open-source framework commonly used in legitimate red-team testing but increasingly abused by attackers.

In a separate report this week, researchers at cybersecurity firm Zscaler said that, in addition to Ukraine, they also observed APT28 attacks exploiting the Microsoft Office flaw in Slovakia and Romania. The hackers used phishing lures written in both English and local languages.

Researchers identified two variants of the attack chain. In one, the exploit led to the installation of MiniDoor malware, which is designed to harvest victims’ emails and exfiltrate them to attacker-controlled servers. MiniDoor is a simplified variant of NotDoor, a backdoor previously linked to APT28 operations. The second variant installed PixyNetLoader, which ultimately deployed a Covenant implant on compromised systems.

Microsoft released a patch for the vulnerability earlier this month, describing it as high severity and affecting multiple Office products. The flaw has since been added to the Known Exploited Vulnerabilities catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

CERT-UA warned that attacks exploiting the flaw are likely to increase as long as users delay installing security updates.

APT28 has been active for more than two decades and has intensified its focus on Ukraine and its European allies since Russia’s full-scale invasion began.

Last month, Germany summoned Russia’s ambassador after accusing Moscow of carrying out a cyberattack on its state-owned air traffic control operator. Berlin has said it has evidence linking an August 2024 cyberattack on Deutsche Flugsicherung, Germany’s air traffic control authority, to APT28. In May, the group targeted webmail servers used by state entities and defense companies in Eastern Europe, primarily in Ukraine, Bulgaria and Romania.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
