Severity: High | CVE-2026-21509 | CVSS 7.8

APT28 Weaponized That Office Zero-Day in Three Days Flat

Russia's APT28 began exploiting Microsoft Office CVE-2026-21509 just 72 hours after disclosure, targeting Ukraine, Slovakia, and Romania with email-stealing malware and Covenant implants.

By Danny Mercer, CISSP, Lead Security Analyst. Feb 3, 2026

Affected Products: Microsoft Office 2016, Microsoft Office 2019, Microsoft Office 2021, Microsoft 365

If you needed a reminder that nation-state hackers don't take weekends off, here it is. Russia's APT28 — the same crew behind some of the most infamous cyber espionage campaigns of the past decade — started exploiting Microsoft's latest Office vulnerability just 72 hours after it was publicly disclosed.

The bug in question is CVE-2026-21509, a security feature bypass with a 7.8 CVSS score that Microsoft patched in an emergency update on January 26th. By January 29th, APT28 had already built weaponized RTF files and was actively targeting users in Ukraine, Slovakia, and Romania. That's a three-day turnaround from patch to exploitation, which should terrify anyone who thinks they can take their time with updates.

Zscaler's ThreatLabz caught the campaign, which they're calling Operation Neusploit. The attack is impressively crafted. Lure documents are written in localized languages (Romanian, Slovak, Ukrainian) to maximize the chances of someone actually opening them. The delivery servers check where each request comes from and only serve the payload to clients whose source IP falls in the target regions and whose browser signature matches what they expect. If you're a security researcher poking around from a US IP, you get nothing, and the same goes for a sandbox or URL scanner detonating the lure from outside the target region: a clean verdict from automated analysis proves very little here.

Once the RTF file is opened, things get nasty fast. The attackers are deploying two different infection chains depending on what they want to accomplish. The first drops something called MiniDoor, which is basically a stripped-down email stealer. It rifles through your Outlook folders (Inbox, Junk, Drafts) and forwards everything to attacker-controlled email addresses. Simple, effective, devastating for intelligence collection, and because the exfiltration rides out as ordinary mail, it blends into normal traffic; a sudden burst of outbound messages from one mailbox to unfamiliar external addresses is the thing to look for.

The second chain is more elaborate. It uses a loader called PixyNetLoader that hides shellcode inside PNG images using steganography. The malware checks whether it's running in an analysis sandbox before doing anything malicious, and it uses COM object hijacking (registering its own handler for a COM class in the user's registry hive so that a legitimate process loads the attacker's code) to maintain persistence. The end goal is deploying a Grunt implant from Covenant, the open-source .NET command-and-control framework, giving the attackers full remote access.
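A hunt for that persistence mechanism, as an added example that is not code from the article, Zscaler, or CERT-UA. It walks the per-user CLSID hive and flags registrations that shadow a machine-wide class or point into a user-writable directory. The registry paths are the standard Windows ones; the "user-writable directory" pattern is this script's own heuristic, not a published indicator for Operation Neusploit.

```powershell
# Added hunting script (not from the article, Zscaler, or CERT-UA).
# For a non-elevated process, HKCU\Software\Classes\CLSID is consulted before
# HKLM\Software\Classes\CLSID, so a per-user entry for a CLSID that also exists
# machine-wide silently wins. That lookup order is what COM hijacking abuses.
# The user-writable-directory regex below is a heuristic, not a campaign IOC.

function Get-ComHijackCandidate {
    [CmdletBinding()]
    param(
        # Registry views to walk; Wow6432Node covers 32-bit servers on 64-bit Windows.
        [string[]]$UserRoots = @('HKCU:\Software\Classes\CLSID',
                                 'HKCU:\Software\Classes\Wow6432Node\CLSID')
    )

    # Subkeys whose default value names the code (or redirect) that gets loaded.
    $serverKinds = 'InprocServer32', 'LocalServer32', 'TreatAs'

    foreach ($root in $UserRoots) {
        if (-not (Test-Path $root)) { continue }
        $machineRoot = $root -replace '^HKCU:', 'HKLM:'

        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $clsid = $clsidKey.PSChildName
            foreach ($kind in $serverKinds) {
                $userKey = "$($clsidKey.PSPath)\$kind"
                if (-not (Test-Path $userKey)) { continue }

                # "(default)" is the value a COM client resolves to the server path.
                $userValue = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'

                $machineKey   = "$machineRoot\$clsid\$kind"
                $machineValue = $null
                if (Test-Path $machineKey) {
                    $machineValue = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
                }

                # Shadowing: the same CLSID is registered machine-wide, so the
                # per-user entry overrides it for this user's processes.
                $shadows = Test-Path "$machineRoot\$clsid"

                # Heuristic: COM servers living in directories the user can write to.
                $userWritable = $userValue -match '\\(AppData|Temp|ProgramData|Public|Downloads)\\'

                [pscustomobject]@{
                    CLSID         = $clsid
                    Kind          = $kind
                    UserServer    = $userValue
                    MachineServer = $machineValue
                    ShadowsHKLM   = $shadows
                    UserWritable  = $userWritable
                }
            }
        }
    }
}

# Usage: list the entries worth a second look, most suspicious first.
Get-ComHijackCandidate |
    Where-Object { $_.ShadowsHKLM -or $_.UserWritable } |
    Sort-Object ShadowsHKLM -Descending |
    Format-Table -AutoSize
```

Legitimate per-user COM registrations do exist (some Office add-ins and per-user installers create them), so treat a hit as a lead, not a verdict: check the DLL's Authenticode signature and publisher, and compare the user-level path against the machine-level one before pulling the host. Reading both hives needs no elevation, so this can run under the affected user's own session.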

CERT-UA confirmed the campaign is real and widespread. They've tracked attacks against more than 60 email addresses belonging to Ukrainian government officials, with document metadata showing the lures were being built as early as January 27th — the day after Microsoft's patch dropped.

The takeaway here isn't complicated. Patch Microsoft Office immediately. If you haven't applied the January 26th update, you're already behind the curve against one of the most capable threat actors on the planet. And since three days is shorter than most organizations' patch cycle, don't stop at confirming the update: assume the window was open and check for per-user COM registrations you can't account for and for mailboxes quietly forwarding to external addresses. APT28 has been running operations like this since before some of your junior analysts were born, and they're not slowing down.

Tags

APT28, Fancy Bear, Russia, Microsoft Office, Zero-Day, CVE-2026-21509, Espionage, MiniDoor, Covenant, Ukraine, CERT-UA
