
Operation Neusploit: APT28 Weaponizes CVE-2026-21509

Red | Attack Report

Summary

APT28 Exploits Microsoft Office Zero-Day in Targeted Cyber-Espionage Campaign

Operation Neusploit represents a sophisticated cyber-espionage campaign launched by the Russia-linked APT28 group (also known as Sofacy, Fancy Bear, Sednit, and numerous other aliases) targeting organizations across Central and Eastern Europe in January 2026. This advanced persistent threat operation weaponizes CVE-2026-21509, a Microsoft Office security feature bypass vulnerability, to conduct widespread espionage operations against government entities, critical infrastructure organizations, and other strategic targets. The campaign demonstrates APT28’s continued evolution in tactics, techniques, and procedures, combining zero-day exploitation with multi-stage malware deployment, sophisticated evasion techniques, and abuse of legitimate cloud services for command-and-control operations.

The attack methodology employed in Operation Neusploit leverages carefully crafted phishing documents distributed via spearphishing emails to targeted victims across Ukraine, Slovakia, Romania, and other Central and Eastern European nations. These malicious Microsoft RTF documents exploit the CVE-2026-21509 vulnerability, which allows attackers to bypass local security protections through the abuse of untrusted input mechanisms. To maximize campaign effectiveness and evade detection, threat actors implemented server-side filtering mechanisms that ensure malicious payloads are delivered exclusively to victims connecting from targeted geographic regions using expected browser identifiers. The phishing lures were crafted in English as well as local languages to increase credibility and victim engagement rates.

Once a victim opens the weaponized document, the exploit chain triggers the download of malicious DLL dropper components from attacker-controlled infrastructure domains. Two distinct dropper variants have been observed in this campaign: MiniDoor, a lightweight DLL that plants malicious Outlook VBA projects on compromised systems, and PixyNetLoader, which deploys multiple components and establishes persistence through COM object hijacking techniques. The attack infrastructure incorporates multiple layers of obfuscation and evasion, including steganography to hide shellcode within PNG images, CLR hosting techniques for memory-resident payload execution, sandbox detection mechanisms, and abuse of legitimate cloud services for command-and-control communications. The campaign’s ultimate objectives include long-term surveillance of victim communications through automated email exfiltration and persistent access to compromised networks for intelligence collection operations.

Attack Details

Initial Compromise and Zero-Day Exploitation

In January 2026, the Russia-linked APT28 group launched Operation Neusploit, a new cyber-espionage campaign targeting users across Central and Eastern Europe with particular focus on Ukraine, Slovakia, and Romania. The threat actors distributed malicious Microsoft RTF documents that exploited CVE-2026-21509, a Microsoft Office security feature bypass vulnerability allowing local security protections to be circumvented through the abuse of untrusted input mechanisms. To increase campaign success rates and evade security controls, the attackers crafted phishing lures in English as well as local languages targeting specific victim populations, while simultaneously implementing server-side filtering mechanisms to ensure that malicious payloads were delivered exclusively to victims connecting from targeted countries using expected browser identifiers and user agent strings.

Malware Deployment and Persistence Mechanisms

Once a victim opened the weaponized document, the CVE-2026-21509 exploit triggered the download of a malicious DLL dropper from attacker-controlled infrastructure including domains such as freefoodaid.com and wellnesscaremed.com. Security researchers identified two distinct dropper variants deployed during this campaign. The first variant delivered MiniDoor, a lightweight DLL component that plants a malicious Outlook VBA project on the compromised system. MiniDoor manipulates Outlook security settings through registry modifications that weaken macro security controls so that macros execute automatically without user interaction, allowing the malicious VBA project to activate each time Microsoft Outlook is launched. The second dropper variant deployed PixyNetLoader, a more sophisticated loader that installs multiple malware components and achieves persistence through COM object hijacking techniques that ensure malware execution across system reboots.

Advanced Evasion and Steganography Techniques

The PixyNetLoader infection chain incorporates multiple sophisticated evasion measures designed to avoid security analysis and detection by sandbox environments. The loader component activates only when executed under the context of explorer.exe, a legitimate Windows process, preventing execution in many automated analysis systems. Additionally, PixyNetLoader performs timing checks to detect virtualized and sandbox environments that security researchers commonly use for malware analysis. If the execution environment appears legitimate and passes these validation checks, PixyNetLoader extracts hidden shellcode from a PNG image file using steganography techniques, where malicious code is concealed within image pixel data. The recovered shellcode then leverages CLR hosting techniques to load a .NET payload directly into system memory, allowing the malware to operate without leaving obvious file system artifacts that would be detected by traditional antivirus solutions.

Command-and-Control and Email Exfiltration Operations

The final stage of the attack delivers a Covenant Grunt implant, an open-source .NET command-and-control agent that provides attackers with comprehensive remote access capabilities. To conceal malicious command-and-control communications from network security monitoring, the malware routes traffic through the legitimate Filen cloud service, blending malicious activity with normal network traffic patterns that appear benign to security controls. Meanwhile, the MiniDoor component functions as an automated email stealer, quietly monitoring Microsoft Outlook activity and forwarding emails from folders including Inbox, Junk, Drafts, and RSS feeds to attacker-controlled email addresses. To remain unnoticed during long-term surveillance operations, MiniDoor prevents forwarded messages from appearing in the victim’s Sent folder and tags processed emails to avoid repeated exfiltration of the same messages, enabling sustained intelligence collection on victim communications.

Parallel Operations Against Ukrainian Government Entities

Separately, Ukraine’s Computer Emergency Response Team (CERT-UA) reported related APT28 activity exploiting the same CVE-2026-21509 vulnerability to target more than 60 email accounts associated with central executive authorities in Ukraine. Forensic analysis revealed that one malicious Word document used in this parallel campaign was created on January 27, 2026, demonstrating the rapid weaponization timeline following vulnerability discovery. When victims opened these malicious documents, the files initiated WebDAV connections to external attacker-controlled servers, triggering the download of shortcut files containing embedded malicious code that subsequently retrieved and executed additional payload components, allowing attackers to discreetly stage multi-stage malware delivery before achieving full system compromise.

Recommendations

Apply Microsoft Security Update for CVE-2026-21509

Organizations must immediately install the latest security update released by Microsoft to patch CVE-2026-21509 across all systems running Microsoft Office applications. This vulnerability is actively exploited by APT28 in ongoing cyber-espionage operations, and organizations running unpatched Microsoft Office versions face immediate risk of compromise. Security teams should prioritize patch deployment to systems belonging to high-value users including executives, government officials, personnel with access to sensitive information, and individuals likely to be targeted by advanced persistent threat groups.

Block Known Malicious Indicators

Network security teams should immediately block the identified malicious domains freefoodaid.com, wellnesscaremed.com, and wellnessmedcare.org at the firewall, web proxy, and DNS resolution levels to prevent communication with threat actor infrastructure. Organizations should integrate the comprehensive list of indicators of compromise provided in this advisory into endpoint detection and response platforms, security information and event management systems, threat intelligence platforms, and network security monitoring tools to detect and block malicious activity associated with Operation Neusploit.

Enable Outlook Macro Security Controls

Organizations must ensure Microsoft Outlook macro security settings are configured to disable all macros without notification or require digitally signed macros only, preventing unauthorized VBA project execution. Security administrators should implement Group Policy Objects or Microsoft Endpoint Configuration Manager policies to enforce these settings across all endpoints organization-wide. Given that MiniDoor specifically manipulates Outlook macro security settings through registry modifications, organizations should implement monitoring for unauthorized changes to Outlook security configuration keys.

Monitor Registry Key Modifications

Security operations centers should implement detection rules to alert on modifications to Outlook security-related registry keys, particularly those controlling macro execution settings and VBA security controls. Organizations should establish baseline configurations for expected registry settings and generate alerts when these configurations are modified, as this represents a key persistence and security control bypass technique employed by MiniDoor malware deployed in Operation Neusploit.
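One way to turn the two recommendations above (enforce Outlook macro settings, alert on registry changes to them) into a concrete detection. This is an added example, not code from this advisory or from the cited reports. It assumes Outlook keeps its macro security level in the DWORD value Level under Outlook\Security (1 = enable all macros) and that the process names in EXPECTED_WRITERS are the only legitimate writers; validate both against your own baseline. The Sysmon-style event lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Assumed layout (not from the advisory): Outlook keeps its macro security level as the
# DWORD "Level" under ...\Office\<ver>\Outlook\Security (1 = enable all macros,
# 2 = notify for all, 3 = signed only, the default, 4 = disable all). A copy under
# Software\Policies\... is the Group Policy-enforced value and overrides the user one.
OUTLOOK_SEC_RE = re.compile(
    r"\\Software\\(?P<policy>Policies\\)?Microsoft\\Office\\\d+\.\d+\\Outlook\\Security\\(?P<value>\w+)$",
    re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \(0x(?P<hex>[0-9A-Fa-f]{8})\)")
# Assumed set of processes that legitimately write these values; anything else is suspect.
EXPECTED_WRITERS = {"outlook.exe", "gpupdate.exe", "svchost.exe"}

def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'Key=Value Key=Value' Sysmon line into a dict."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}

def check_registry_event(line: str) -> Optional[str]:
    """Return an alert if a Sysmon event 13 (value set) touches Outlook macro security."""
    ev = parse_event(line)
    if ev.get("EventID") != "13":
        return None
    m = OUTLOOK_SEC_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    image = ev.get("Image", "?")
    writer = image.rsplit("\\", 1)[-1].lower()
    scope = "policy" if m.group("policy") else "user"
    value = m.group("value")
    d = DWORD_RE.search(ev.get("Details", ""))
    level = int(d.group("hex"), 16) if d else None
    if value.lower() == "level" and level == 1:   # "enable all macros": what MiniDoor needs
        return f"HIGH: Outlook {scope} macro Level set to 1 (enable all) by {image}"
    if writer not in EXPECTED_WRITERS:           # any other write by an unexpected process
        return f"MEDIUM: Outlook {scope} Security\\{value} set to {level} by unexpected {image}"
    return None

def scan(lines: List[str]) -> List[str]:
    return [a for a in map(check_registry_event, lines) if a]

# Constructed Sysmon-style lines (not real telemetry); SID and paths are placeholders.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\rundll32.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\Security\Level Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\gpupdate.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Policies\Microsoft\Office\16.0\Outlook\Security\Level Details=DWORD (0x00000004)",
    r"EventID=13 Image=C:\Users\user\AppData\Local\Temp\drop.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\Security\Level Details=DWORD (0x00000002)",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000002)",
]
```

Running scan(SAMPLE_EVENTS) yields one HIGH alert for the rundll32.exe write and one MEDIUM alert for the unexpected drop.exe write; the policy-enforced hardening by gpupdate.exe and the unrelated Explorer key are silent.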

Restrict RTF File Execution

Organizations should consider implementing security policies to block or quarantine RTF files received via email attachments, particularly those originating from external senders or unknown sources. Given that APT28 leveraged malicious RTF documents as the initial attack vector for CVE-2026-21509 exploitation, restricting RTF file execution provides defense-in-depth protection against this attack methodology. Organizations requiring legitimate RTF file exchange should implement enhanced scanning and analysis procedures before allowing users to access these files.

Hunt for Steganography-Based Payloads

Threat hunting teams should conduct proactive searches for unusual PNG files in non-standard file system locations that may contain steganographically encoded payloads. PixyNetLoader specifically leverages steganography techniques to hide malicious shellcode within image pixel data, representing a sophisticated evasion technique that bypasses traditional security controls. Organizations should implement file analysis capabilities that can detect anomalous entropy patterns and hidden data within image files that may indicate steganographic encoding.
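A starting point for the image-file hunt described above, added here as an example rather than taken from the advisory or the cited research: a structural PNG checker that validates chunk CRCs, flags chunk types outside the PNG specification, reports any bytes appended after IEND (which no renderer ever reads), and returns the entropy of the decompressed pixel data for comparison against a baseline of known-good images. The sample PNG and the appended placeholder bytes are constructed; the entropy threshold you apply is your own tuning decision.

```python
import math
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a closer look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
                b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME"}

def shannon_entropy(data: bytes) -> float:
    # Bits per byte; values near 8.0 are indistinguishable from random or encrypted data.
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_png(blob: bytes):
    # Walk the chunk structure; return (findings, entropy of the decompressed pixel data).
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["not a PNG"], 0.0
    pos, idat = len(PNG_SIG), b""
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # length(4) + type(4) + data + crc(4)
        if end > len(blob):
            return findings + [f"truncated {ctype!r} chunk"], 0.0
        body = blob[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != struct.unpack(">I", blob[end - 4:end])[0]:
            findings.append(f"bad CRC on {ctype!r} chunk")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        if ctype == b"IDAT":
            idat += body
        pos = end
        if ctype == b"IEND":
            break
    if pos < len(blob):  # a renderer never reads past IEND, so trailing data is a red flag
        findings.append(f"{len(blob) - pos} bytes appended after IEND")
    try:
        return findings, shannon_entropy(zlib.decompress(idat))
    except zlib.error:
        return findings + ["IDAT stream does not decompress"], 0.0

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed 4x4 RGB sample (not a campaign artifact): a benign file, then one with bytes after IEND.
_raw = b"".join(b"\x00" + bytes(range(r * 12, r * 12 + 12)) for r in range(4))
BENIGN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 4, 4, 8, 2, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(_raw)) + _chunk(b"IEND", b""))
TAMPERED_PNG = BENIGN_PNG + b"<constructed placeholder bytes>"
```

Pointing inspect_png at every .png found outside the usual image directories (Temp, ProgramData, user profile roots) and triaging files with non-empty findings or out-of-baseline entropy is the hunt loop; a clean, spec-conformant image returns an empty findings list.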

Enable Enhanced Email Security

Organizations should deploy advanced email security solutions capable of analyzing RTF documents and other Microsoft Office file formats for embedded exploits and malicious content before delivery to end users. Email security platforms should implement sandboxing capabilities that detonate suspicious attachments in isolated environments, detecting exploit attempts and malicious behavior before users are exposed to weaponized documents. Given that spearphishing with malicious attachments represents the initial access vector for Operation Neusploit, enhanced email security provides critical defensive capabilities against this threat.

Potential MITRE ATT&CK TTPs

The Operation Neusploit campaign demonstrates sophisticated adversary tradecraft mapped to multiple MITRE ATT&CK tactics and techniques:

Initial Access: T1566.001 (Spearphishing Attachment) – APT28 distributed malicious RTF documents via targeted phishing emails to compromise victim systems.

Execution: T1203 (Exploitation for Client Execution), T1106 (Native API), T1053.005 (Scheduled Task), T1204.002 (Malicious File), T1059 (Command and Scripting Interpreter) – The attack chain involved exploiting CVE-2026-21509, native API calls for malware functionality, scheduled tasks for persistence, user execution of malicious documents, and command interpreter usage.

Persistence: T1546.015 (Component Object Model Hijacking), T1137.006 (Office Application Add-ins), T1574.001 (DLL Search Order Hijacking), T1547.001 (Registry Run Keys / Startup Folder), T1543 (Create or Modify System Process) – Multiple persistence mechanisms including COM hijacking, malicious Outlook VBA projects, DLL manipulation, registry modifications, and system process creation.

Defense Evasion: T1140 (Deobfuscate/Decode Files or Information), T1480.002 (Mutual Exclusion), T1027.007 (Dynamic API Resolution), T1027.003 (Steganography), T1497.003 (Time Based Evasion) – Sophisticated evasion techniques including file decoding, execution environment checks, API obfuscation, steganographic payload hiding, and timing-based sandbox detection.

Collection: T1114 (Email Collection) – MiniDoor automatically collected and exfiltrated emails from compromised Outlook installations.

Command and Control: T1071.001 (Web Protocols), T1102.002 (Bidirectional Communication via Web Service) – The malware utilized HTTPS protocols and legitimate cloud services (Filen) for command-and-control communications.

Resource Development: T1588.006 (Obtain Capabilities – Vulnerabilities) – APT28 obtained and weaponized the CVE-2026-21509 zero-day vulnerability for this campaign.

Indicators of Compromise (IOCs)

File Hashes

Operation Neusploit involved numerous malicious file samples identified through forensic analysis, with MD5, SHA1, and SHA256 hash values provided for detection and threat hunting purposes. Organizations should integrate these hash values into endpoint detection and response platforms, antivirus solutions, and threat intelligence feeds to identify potentially compromised systems.

Malicious Domains and Infrastructure

The threat actors operated command-and-control infrastructure using domains including freefoodaid.com, wellnesscaremed.com, and wellnessmedcare.org. Organizations should block network communications to these domains and investigate any historical connections that may indicate prior compromise or reconnaissance activities.

Command-and-Control IP Addresses

The attack infrastructure utilized IP addresses 159.253.120.2, 193.187.148.169, and 23.227.202.14 for hosting malicious payloads and command-and-control operations. Network security controls should block connections to these IP addresses and security teams should review network flow logs for historical communications that may indicate compromised systems.

Malicious URLs and SMB Connections

The campaign involved multiple malicious URLs and SMB connections used for payload delivery and exploitation, including WebDAV connections to attacker-controlled servers. Organizations should search proxy logs, network traffic captures, and endpoint telemetry for connections to the documented malicious URLs and SMB paths to identify potentially compromised systems requiring investigation and remediation.

References

https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit

https://hivepro.com/threat-advisory/cve-2026-21509-microsoft-office-zero-day-under-active-exploitation/

https://cert.gov.ua/article/6287250

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
