The notorious Russian state-sponsored group APT28 (also known as Fancy Bear) has launched a sophisticated new espionage campaign, striking European military and government targets within just 24 hours of a major security vulnerability being disclosed. A new report by Trellix details how the group weaponized CVE-2026-21509, a Microsoft Office security bypass, to infiltrate organizations across Poland, Ukraine, and other NATO-aligned nations.
This rapid weaponization signals a dangerous evolution in the group’s tactics, as they combine fresh exploits with legitimate cloud services to hide their tracks.
The speed of this operation was unprecedented. “The attackers weaponized a newly disclosed Microsoft Office 1-day (CVE-2026-21509) within 24 hours of its public revelation,” the report states.

Using a 72-hour blitz of spear-phishing emails, the group targeted defense ministries and logistics operators with highly convincing lures. These weren’t generic spam; they were carefully crafted narratives about “transnational weapons smuggling alerts” and “military training program invitations”, designed to trick officials into opening the malicious documents.
Once opened, the document triggers the exploit automatically—no macros required. The flaw allows “embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads,” silently downloading the next stage of the attack.
APT28’s infrastructure has also evolved. Instead of relying solely on suspicious domains, the group is abusing legitimate cloud storage services to blend in with normal network traffic.
“The threat actors abuse legitimate cloud storage (filen.io) as command-and-control (C2) infrastructure,” the report explains.
The malware, a custom implant dubbed BeardShell, communicates with its controllers by uploading and downloading files from specific folders on filen.io. This traffic is encrypted and looks just like a user backing up their documents, making it incredibly difficult for security teams to spot.
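The two behaviours described above, an Office process fetching content over WebDAV from an outside host and an endpoint talking to a cloud storage provider that the organisation does not sanction, are both visible in ordinary HTTP/WebDAV proxy or EDR telemetry. The following is an added detection example written for this article; it is not code from the Trellix report or from the malware. The telemetry lines, the JSON field names, the internal-domain suffix and the process-name and HTTP-method heuristics are all constructed assumptions; only the provider name filen.io comes from the report.

```python
import json
from dataclasses import dataclass

# Process names and WebDAV method set are assumptions for this example,
# not indicators published in the report.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "OPTIONS"}
# filen.io is the storage provider named in the report; extend this set with
# any provider that is not sanctioned in your own environment.
WATCHED_STORAGE_DOMAINS = {"filen.io"}
INTERNAL_SUFFIXES = (".corp.local",)  # assumed internal DNS namespace

# Constructed sample telemetry (JSON lines), one HTTP/WebDAV request per line.
SAMPLE_TELEMETRY = """\
{"ts":"2026-01-28T09:14:02Z","host":"ws-041","process":"winword.exe","http_method":"PROPFIND","dest_host":"203.0.113.10","path":"/share/"}
{"ts":"2026-01-28T09:15:10Z","host":"ws-041","process":"winword.exe","http_method":"PROPFIND","dest_host":"files.corp.local","path":"/dav/"}
{"ts":"2026-01-28T09:16:33Z","host":"ws-041","process":"chrome.exe","http_method":"GET","dest_host":"www.example.com","path":"/"}
{"ts":"2026-01-28T09:20:47Z","host":"ws-041","process":"svchost.exe","http_method":"PUT","dest_host":"api.filen.io","path":"/upload"}
{"ts":"2026-01-28T09:21:05Z","host":"ws-017","process":"outlook.exe","http_method":"GET","dest_host":"outlook.office365.com","path":"/"}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    host: str
    process: str
    dest_host: str


def is_internal(dest_host: str) -> bool:
    """True when the destination is inside the assumed internal namespace."""
    return dest_host.endswith(INTERNAL_SUFFIXES)


def matches_domain(dest_host: str, domains) -> bool:
    """Exact or subdomain match, so api.filen.io matches filen.io."""
    return any(dest_host == d or dest_host.endswith("." + d) for d in domains)


def evaluate(event: dict, line_no: int) -> list[Finding]:
    """Apply both rules to one telemetry record and return any findings."""
    proc = event.get("process", "").lower()
    method = event.get("http_method", "").upper()
    dest = event.get("dest_host", "").lower()
    host = event.get("host", "")
    findings = []
    # Rule 1: an Office process issuing WebDAV verbs to a non-internal host.
    if proc in OFFICE_PROCESSES and method in WEBDAV_METHODS and not is_internal(dest):
        findings.append(Finding("office_webdav_to_external_host", line_no, host, proc, dest))
    # Rule 2: any process exchanging data with a watched storage provider.
    if matches_domain(dest, WATCHED_STORAGE_DOMAINS):
        findings.append(Finding("unsanctioned_cloud_storage_traffic", line_no, host, proc, dest))
    return findings


def scan(telemetry: str) -> list[Finding]:
    """Walk JSON-lines telemetry and collect findings, skipping malformed lines."""
    findings = []
    for line_no, line in enumerate(telemetry.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole sweep
        findings.extend(evaluate(event, line_no))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TELEMETRY):
        print(f"[{f.rule}] line {f.line_no}: {f.process} on {f.host} -> {f.dest_host}")
```

Rule 1 deliberately allows WebDAV to internal shares, which Office uses legitimately, so the signal is the external destination rather than WebDAV itself. Rule 2 fires on any process, because the report describes the C2 traffic as looking like a routine backup; the useful follow-up is to compare the initiating process and volume against what sanctioned users of that provider normally produce.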
Parallel to the main backdoor, some victims were hit with a specialized tool called NotDoor. This isn’t designed to control the computer; it’s designed to spy on it.
NotDoor is an “Outlook-focused backdoor designed for long-term email intelligence collection,” according to the analysis. Once installed, it disables Outlook’s security warnings and sets up a surveillance system. It silently forwards sensitive emails—including those from the Inbox, Drafts, and Junk folders—to an attacker-controlled address.
Crucially, it cleans up after itself. The malware “marks processed emails with a custom ‘AlreadyForwarded’ property… and sets ‘DeleteAfterSubmit = True’ to automatically purge forwarded messages,” ensuring the victim never sees the stolen correspondence leaving their outbox.
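Because forwarded copies are purged on submission, the durable artefact in a compromised mailbox is the custom property the report quotes on the source messages, together with any not-yet-submitted outbound items carrying the DeleteAfterSubmit flag. The hunt below is an added example for this article, not code from the report or from any vendor: it runs over a constructed mailbox export whose record layout (entry_id, folder, user_properties, delete_after_submit, recipients) is an assumption for the example, and only the property name AlreadyForwarded and the DeleteAfterSubmit flag come from the report.

```python
import json
from collections import Counter

MARKER_PROPERTY = "AlreadyForwarded"  # custom item property quoted in the report

# Constructed mailbox export, one record per mail item. Field names are an
# assumption for this example, not an Outlook object-model or Graph schema.
SAMPLE_EXPORT = json.loads("""
[
 {"entry_id":"000A","folder":"Inbox","subject":"Logistics schedule Q1",
  "user_properties":{"AlreadyForwarded":"1"},"delete_after_submit":false,"recipients":[]},
 {"entry_id":"000B","folder":"Inbox","subject":"Team lunch",
  "user_properties":{},"delete_after_submit":false,"recipients":[]},
 {"entry_id":"000C","folder":"Drafts","subject":"FW: Logistics schedule Q1",
  "user_properties":{},"delete_after_submit":true,"recipients":["collector@example.net"]},
 {"entry_id":"000D","folder":"Junk","subject":"Newsletter",
  "user_properties":{"AlreadyForwarded":"1"},"delete_after_submit":false,"recipients":[]},
 {"entry_id":"000E","folder":"Sent Items","subject":"Re: meeting",
  "user_properties":{},"delete_after_submit":false,"recipients":["colleague@corp.example"]}
]
""")


def hunt(items: list) -> list[dict]:
    """Return every item showing one of the two report-described artefacts."""
    hits = []
    for item in items:
        reasons = []
        if MARKER_PROPERTY in item.get("user_properties", {}):
            reasons.append("custom AlreadyForwarded property present")
        if item.get("delete_after_submit"):
            reasons.append("DeleteAfterSubmit set on outbound item")
        if reasons:
            hits.append({
                "entry_id": item["entry_id"],
                "folder": item["folder"],
                "subject": item.get("subject", ""),
                "recipients": item.get("recipients", []),
                "reasons": reasons,
            })
    return hits


def folder_summary(hits: list[dict]) -> Counter:
    """Count flagged items per folder; Inbox, Drafts and Junk are all in scope."""
    return Counter(h["folder"] for h in hits)


def external_recipients(hits: list[dict], internal_domain: str) -> set[str]:
    """Recipients of flagged outbound items that are outside the assumed internal domain."""
    out = set()
    for h in hits:
        for addr in h["recipients"]:
            if not addr.lower().endswith("@" + internal_domain.lower()):
                out.add(addr.lower())
    return out


if __name__ == "__main__":
    found = hunt(SAMPLE_EXPORT)
    for h in found:
        print(f"{h['folder']:10} {h['entry_id']} {h['subject']!r}: {'; '.join(h['reasons'])}")
    print("per folder:", dict(folder_summary(found)))
    print("external recipients:", external_recipients(found, "corp.example"))
```

The marker property is the higher-confidence signal: a legitimate client has no reason to stamp Inbox or Junk items with it. DeleteAfterSubmit on its own has benign uses, so the recipient list of any flagged outbound item is what separates a suspicious pending forward from normal mail flow.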
The campaign’s focus on “Ukrainian government and military bodies, as well as NATO-aligned targets,” aligns perfectly with APT28’s long history of supporting Russian strategic interests. By combining zero-day speed with “fileless” malware and cloud-based camouflage, Fancy Bear has once again proven why it remains one of the most formidable threats in the cyber espionage landscape.