Uncovered: Russian Hackers Target Microsoft Office Vulnerability in Cyber Attacks
Russian Hackers Exploit Recently Patched Microsoft Office Bug
Reports from Ukraine’s Computer Emergency Response Team (CERT) reveal that Russian hackers are taking advantage of CVE-2026-21509, a vulnerability in multiple versions of Microsoft Office that was recently patched by the tech giant.
Microsoft issued an emergency security update on January 26 in response to the zero-day flaw being actively exploited by malicious actors.
Just three days after Microsoft’s alert, CERT-UA detected the distribution of malicious DOC files exploiting the vulnerability, themed around EU COREPER consultations in Ukraine.
In separate incidents, emails impersonating the Ukrainian Hydrometeorological Center were sent to over 60 government-related addresses.
Metadata associated with the document indicates that it was created just one day after Microsoft’s emergency update.
The Ukrainian CERT attributes these attacks to APT28, a nation-state threat actor also known as Fancy Bear and Sofacy, associated with Russia’s General Staff Main Intelligence Directorate (GRU).
When the malicious document is opened, it triggers a WebDAV-based download chain that installs malware through COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png), and a scheduled task (OneDriveHealth).

Source: CERT-UA
According to CERT-UA’s report, execution of the scheduled task terminates and restarts the explorer.exe process, which causes the “EhStoreShell.dll” file to be loaded through COM hijacking. This DLL then executes shellcode from the image file, ultimately launching the COVENANT framework on the compromised computer.
This same malware loader was linked to APT28 attacks in June 2025, where Signal chats were exploited to deliver the BeardShell and SlimAgent malware to government organizations in Ukraine.
COVENANT utilizes the Filen (filen.io) cloud storage service for command-and-control (C2) operations. Monitoring connections associated with the platform or blocking them entirely can enhance defense against this threat.
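As an added example (not CERT-UA’s or the article’s code), the following PowerShell hunt checks a single Windows host for the artifacts named in the report: the OneDriveHealth scheduled task, a per-user CLSID override pointing at EhStoreShell.dll (the usual shape of COM hijacking), the loader files on disk, and cached DNS entries for filen.io. The search roots and the HKCU CLSID location are assumptions, since the report does not state where the files or the hijacked CLSID live.

```powershell
# Added hunt script; file names, task name and C2 domain come from the CERT-UA report.
# Search roots and the HKCU CLSID location are assumptions, not stated in the report.
$dll  = 'EhStoreShell.dll'
$png  = 'SplashScreen.png'
$task = 'OneDriveHealth'
$c2   = 'filen.io'
$findings = @()

# 1. Scheduled task named in the report
Get-ScheduledTask -ErrorAction SilentlyContinue |
  Where-Object { $_.TaskName -ieq $task } |
  ForEach-Object { $findings += "Scheduled task '$($_.TaskName)' in $($_.TaskPath)" }

# 2. COM hijacking: per-user CLSID entries under HKCU take precedence over HKLM,
#    so any InprocServer32 there that resolves to the named DLL is suspect.
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv -and $srv.'(default)' -match [regex]::Escape($dll)) {
      $findings += "COM hijack: $($_.PSChildName) -> $($srv.'(default)')"
    }
  }

# 3. Loader DLL and shellcode carrier on disk (assumed search roots: user profile, ProgramData)
$roots = @($env:USERPROFILE, $env:ProgramData)
Get-ChildItem -Path $roots -Recurse -Force -Include $dll, $png -ErrorAction SilentlyContinue |
  ForEach-Object {
    $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    $findings += "File: $($_.FullName) sha256=$h"
  }

# 4. Recent resolution of the Filen service used for C2 (proxy/DNS server logs are the fuller source)
Get-DnsClientCache -ErrorAction SilentlyContinue |
  Where-Object { $_.Entry -like "*$c2*" } |
  ForEach-Object { $findings += "DNS cache entry: $($_.Entry) -> $($_.Data)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No report-named artifacts found on this host.' }
```

A hit on the CLSID check alone warrants triage even if the DLL is no longer on disk, because the registry override survives file cleanup.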
Further investigations have uncovered that APT28 used three additional documents in attacks against various EU-based organizations, indicating the campaign extends beyond Ukraine. In one instance, domains supporting the attacks were registered on the same day.
Organizations are advised to apply the latest security update on Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. For Office 2021 and later versions, users should restart applications to ensure updates are applied.
If immediate patching is not feasible, implementing the registry-based mitigation instructions outlined in our original coverage of the flaw is recommended.
Microsoft has emphasized that Defender’s Protected View adds an extra layer of defense by blocking malicious Office files from the Internet unless explicitly trusted.