The Russia-linked actor APT28 exploited a Microsoft Office security feature bypass tracked as CVE-2026-21509 to deliver malware in Ukraine, Slovakia and Romania on January 29, 2026 as part of Operation Neusploit, according to a Zscaler technical analysis.
KEY FACTS
- Incident: APT28 exploited CVE-2026-21509 to deliver malware
- Targets: Users in Ukraine, Slovakia and Romania
- Payloads: MiniDoor email stealer and PixyNetLoader leading to Covenant Grunt
- Observed: Exploitation seen on January 29, 2026
The exploit is delivered via a specially crafted Office file, typically an RTF that triggers the security feature bypass. The attack chain uses two distinct droppers that either install an Outlook email stealer named MiniDoor or a loader called PixyNetLoader that installs additional components.
MiniDoor is a C++ DLL that exfiltrates emails from the Inbox, Junk and Drafts folders and forwards them to two hard-coded addresses, listed as ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. The report assesses MiniDoor as a reduced version of the NotDoor family.
PixyNetLoader extracts embedded files including a shellcode loader named EhStoreShell.dll and an image called SplashScreen.png. The loader parses shellcode hidden inside the image with steganography and activates only when executed by explorer.exe and when the host does not appear to be an analysis environment. Execution and persistence use COM object hijacking and DLL proxying techniques, according to the report.
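The report attributes PixyNetLoader's persistence to COM object hijacking, which works because per-user CLSID registrations under HKCU take precedence over the machine-wide ones under HKLM. The audit below is an added example for defenders, not code from the Zscaler or CERT-UA reports, and it does not encode any indicator from this campaign: it enumerates the current user's InprocServer32 registrations and flags DLLs that live in user-writable directories or that shadow an HKLM registration for the same CLSID. The function name, the list of "user-writable" roots and the output fields are this example's own choices.

```powershell
# Added example (not from the Zscaler or CERT-UA reports): audit per-user COM
# registrations for InprocServer32 DLL paths in user-writable locations.
# HKCU CLSID entries shadow HKLM ones, which is what COM object hijacking
# relies on for persistence. Path roots and output fields are assumptions.

$userWritableRoots = @(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    [IO.Path]::GetTempPath().TrimEnd('\'),
    'C:\ProgramData',
    'C:\Users\Public'
)

function Get-SuspiciousComServers {
    param([string]$ClsidRoot = 'HKCU:\Software\Classes\CLSID')

    if (-not (Test-Path $ClsidRoot)) { return @() }

    Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $server)) { return }

        # The default value of InprocServer32 is the DLL that COM will load.
        $props = Get-ItemProperty -Path $server -ErrorAction SilentlyContinue
        $dll   = $props.'(default)'
        if ([string]::IsNullOrWhiteSpace($dll)) { return }

        $expanded  = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        $inUserDir = $userWritableRoots |
            Where-Object { $expanded.StartsWith($_, 'OrdinalIgnoreCase') }

        # A machine-wide registration for the same CLSID means this HKCU entry
        # overrides it for the current user: the classic hijack shape.
        $hklmTwin = Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"

        if ($inUserDir -or $hklmTwin) {
            [pscustomobject]@{
                CLSID          = $clsid
                Dll            = $expanded
                DllExists      = Test-Path -LiteralPath $expanded
                InUserWritable = [bool]$inUserDir
                ShadowsHKLM    = $hklmTwin
                ThreadingModel = $props.ThreadingModel
            }
        }
    }
}

# Highest-signal rows first: entries that both shadow HKLM and point into a
# user-writable directory. Review each against known software on the host.
Get-SuspiciousComServers |
    Sort-Object ShadowsHKLM, InUserWritable -Descending |
    Format-Table -AutoSize
```

Run it in the context of each interactive user account, since the HKCU hive differs per user; legitimate per-user COM servers (some installers register under HKCU deliberately) will appear too, so treat the output as a triage list to compare against the host's software inventory rather than as verdicts. Pair it with the WebDAV and DLL-load review the advisory recommends.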
A CERT-UA advisory links the same exploitation to Word lure documents that targeted more than 60 email addresses at central executive authorities and shows one lure document metadata dated January 27, 2026. The final payload in the chain is a Grunt implant from the open source Covenant framework.
WHY IT MATTERS
The campaign demonstrates rapid weaponization of a newly disclosed Office flaw to steal email and establish persistent command and control. Affected organizations should ensure Office updates are applied and investigate unusual WebDAV or DLL activity.