The notorious Russia-linked threat group APT28 (also known as Fancy Bear) has resurfaced with a sophisticated new campaign targeting Central and Eastern Europe. Dubbed “Operation Neusploit” by researchers at Zscaler ThreatLabz, the offensive leverages a recently patched Microsoft Office vulnerability to deploy custom backdoors against strategic targets in Ukraine, Slovakia, and Romania.
The campaign, identified in January 2026, marks a significant evolution in the group’s tactics, shifting from macro-based lures to weaponized RTF files that exploit CVE-2026-21509.
The attack begins with a localized lure. Victims receive emails containing specially crafted RTF documents, often tailored to their specific language and region. Unlike previous campaigns that relied on user interaction with macros, this operation exploits a vulnerability in the way Office handles these files.
As the report explains: “In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain”.
Once the exploit triggers, it initiates a complex infection sequence dubbed PixyNetLoader. This stage uses advanced evasion techniques, including “COM hijacking for execution” and “DLL proxying” to hide its activity from security software.
APT28 has refreshed its arsenal for this operation. The primary payload delivered is a new implant called MiniDoor.
Researchers describe MiniDoor as a streamlined version of a previous tool: “MiniDoor is a stripped down variant of NotDoor… This variant replaces the backdoor functionality with a simple email stealing capability”.
By stripping down the malware, the attackers likely hope to evade behavioral detection while focusing on their core objective: intelligence gathering.
Additionally, the group has continued its use of steganography, hiding malicious code inside images. The report notes the deployment of a “Covenant Grunt and its shellcode loader embedded in a PNG via steganography,” allowing the malware to sneak past network defenses disguised as a harmless image file.
Zscaler ThreatLabz has linked this activity to APT28 with “high confidence” due to significant overlaps in infrastructure and coding style. The report states: “ThreatLabz research highlights that APT28 continues to evolve its TTPs by weaponizing the latest vulnerabilities in popular and widely used applications such as Microsoft Office”.
The infrastructure also points to familiar territory, with the attackers abusing the Filen API for command-and-control (C2) communication, a technique previously seen in APT28’s “Operation Phantom Net Voxel” in late 2025.
The vulnerability used in this campaign, CVE-2026-21509, was addressed by Microsoft in an out-of-band update on January 26, 2026. However, ThreatLabz observed active exploitation just three days later, underscoring the speed at which state-sponsored actors move.
“ThreatLabz urges readers to install the latest security updates from the official Microsoft website to patch critical vulnerabilities such as CVE-2026-21509,” the researchers advise. Organizations in the targeted regions are on high alert, as APT28 continues to prove it is a persistent and adapting adversary.