Cybersecurity investigators have identified a new cyberattack campaign connected to the Russia-linked hacking group APT28, also known as UAC-0001. The campaign, named Operation Neusploit, uses a recently discovered Microsoft Office vulnerability called CVE-2026-21509. Security researchers from Zscaler ThreatLabz revealed that the attackers began exploiting the weakness just days after Microsoft publicly disclosed it. The attacks have mainly targeted users in Ukraine, Slovakia, and Romania.
According to Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay, the attackers created social engineering messages in multiple languages, including English, Romanian, Slovak, and Ukrainian. These messages were designed to trick people into opening malicious Microsoft Word files. The attackers also used advanced server-side evasion methods. These techniques allowed them to deliver harmful files only when requests came from selected geographic locations and contained specific web browser identification data. This method helped the attackers avoid detection while focusing only on intended targets.
How CVE-2026-21509 Is Used to Launch Malware Attacks
The vulnerability CVE-2026-21509 is a security feature bypass flaw in Microsoft Office. It allows hackers to send specially crafted Office files that can run malicious code when opened. In Operation Neusploit, attackers mainly used RTF files to begin the infection process.
Once a victim opens the infected file, it releases malware droppers. These droppers act like delivery systems that install additional harmful programs on the infected computer. One dropper installs a program called MiniDoor. MiniDoor is a C++-based dynamic link library designed to steal emails stored in different mailbox folders, including Inbox, Junk, and Drafts.
The stolen emails are secretly sent to attacker-controlled email accounts such as ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. Security researchers believe MiniDoor is a smaller and simplified version of another malware called NotDoor, also known as GONEPOSTAL. The NotDoor malware was previously documented by S2 Grupo LAB52 in September 2025.
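As an added example (not code from the page, Zscaler, or CERT-UA), a small Python check a mail administrator could run against outbound gateway logs: it refangs the two attacker-controlled mailboxes quoted above and flags any delivery addressed to them, which is the observable side of MiniDoor's exfiltration. The log line format and the sample lines are constructed assumptions.

```python
import re

# Attacker-controlled mailboxes named in the MiniDoor reporting, kept defanged as on the page.
MINIDOOR_EXFIL_DEFANGED = ("ahmeclaw2002@outlook[.]com", "ahmeclaw@proton[.]me")


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') back to its literal, lower-cased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


MINIDOOR_EXFIL = frozenset(refang(a) for a in MINIDOOR_EXFIL_DEFANGED)

# Assumed (hypothetical) gateway log shape: "<ts> <host> from=<addr> to=<addr[,addr]> ..."
LOG_LINE = re.compile(r"from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpts>[^>]*)>")


def find_exfil(lines, watch=MINIDOOR_EXFIL):
    """Return (line_no, sender, matched_recipients) for each line that mails a watched mailbox."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = LOG_LINE.search(line)
        if m is None:
            continue  # not a delivery record (status/queue noise); skip it
        rcpts = {r.strip().lower() for r in m.group("rcpts").split(",") if r.strip()}
        matched = sorted(rcpts & watch)  # case-insensitive match against the refanged IoCs
        if matched:
            hits.append((no, m.group("sender").strip().lower(), matched))
    return hits


# Constructed sample log: a benign delivery, a forward to both exfil mailboxes,
# a non-delivery line, and a hit whose address case differs from the IoC.
SAMPLE_LOG = [
    '2026-02-03T09:12:01Z mx1 from=<user1@example.org> to=<colleague@example.org> subject="Q1 plan"',
    '2026-02-03T09:12:44Z mx1 from=<user1@example.org> to=<ahmeclaw2002@outlook.com,ahmeclaw@proton.me> subject="FW:"',
    "2026-02-03T09:13:02Z mx1 status=deferred queue=12",
    '2026-02-03T09:15:10Z mx1 from=<user2@example.org> to=<AHMECLAW@Proton.ME> subject=""',
]

if __name__ == "__main__":
    for no, sender, matched in find_exfil(SAMPLE_LOG):
        print(f"line {no}: {sender} -> {', '.join(matched)}")
```

The same refang-then-match step applies to message headers or mailbox audit logs; only the regex for the record shape changes.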
The second dropper used in the campaign is known as PixyNetLoader. This malware launches a much more complex attack chain. PixyNetLoader installs multiple hidden components into the system and creates persistence using a method called COM object hijacking. This technique allows the malware to run automatically using trusted system processes.
Advanced Stealth Techniques Used by PixyNetLoader and Covenant Framework
PixyNetLoader extracts several hidden files, including a shellcode loader named EhStoreShell.dll and an image file called SplashScreen.png. The image appears harmless but secretly stores malicious code using steganography, a technique that hides data inside images. The malicious files are often delivered through infected Microsoft Word documents designed to appear safe to users.
The loader reads the hidden code from SplashScreen.png and executes it. However, the malware only activates if certain conditions are met. It checks whether the system is running inside a security testing environment. It also verifies if the malware was launched through explorer.exe. If these conditions are not satisfied, the malware remains inactive, helping it avoid detection by security researchers. In several observed attacks, the activation process begins after victims open specially crafted Microsoft Word files.
Once activated, the hidden shellcode loads a .NET assembly known as a Grunt implant. This implant is the agent of the open-source .NET Covenant command-and-control framework. The Covenant framework allows attackers to remotely control infected computers, steal data, and deploy additional malware. Many infections linked to this campaign have been traced back to weaponized Microsoft Word attachments sent through targeted phishing emails.
Security researchers noted that APT28 previously used the Covenant Grunt tool in a campaign called Operation Phantom Net Voxel. The earlier campaign was documented by Sekoia in September 2025. Zscaler ThreatLabz reported that Operation Neusploit shares multiple technical similarities with Operation Phantom Net Voxel. While the older campaign relied on VBA macros, the newer attacks replaced macros with DLL-based delivery. Both campaigns used similar tactics, including DLL proxying, XOR string encryption, COM hijacking, and steganography-based shellcode delivery.
Government Targeting and CERT-UA Findings
The Computer Emergency Response Team of Ukraine, known as CERT-UA, also reported separate findings connected to CVE-2026-21509 exploitation. CERT-UA discovered that APT28 used malicious Microsoft Word documents to target more than sixty email accounts linked to central executive authorities in Ukraine.
Metadata analysis showed that one of the lure documents used in the attacks was created on January 27, 2026. When opened, the infected document automatically created a network connection to an external server using the WebDAV protocol. This connection downloaded a shortcut file that secretly contained program code.
The downloaded file then triggered additional malware installation steps that closely matched the PixyNetLoader infection chain. This process eventually led to the deployment of the Covenant framework’s Grunt implant inside the targeted systems.
CERT-UA confirmed that the attack used carefully structured multi-stage malware delivery. The campaign used trusted network communication methods and disguised files to avoid raising suspicion. The attack pattern revealed a highly organized espionage-focused operation using modern malware techniques and software vulnerability exploitation linked to Operation Neusploit.