Russia Weaponizes Patch Tuesday Flaw in Record Time
Russia-linked threat actor APT28 (also tracked as Fancy Bear, UAC-0001, Forest Blizzard) weaponized Microsoft Office vulnerability CVE-2026-21509 within just three days of its disclosure in the February 2026 Patch Tuesday release. The campaign, dubbed "Operation Neusploit" by Zscaler ThreatLabz, targets Ukrainian government agencies and organizations across Eastern Europe.
Campaign Overview
| Field | Details |
|---|---|
| Threat Actor | APT28 / Fancy Bear / UAC-0001 |
| Attribution | Russia's GRU (Military Intelligence Unit 26165) |
| Campaign Name | Operation Neusploit |
| Vulnerability | CVE-2026-21509 (CVSS 7.8) |
| Type | Microsoft Office Security Feature Bypass |
| Targets | 60+ Ukrainian government emails, Slovakia, Romania |
| Payload | MiniDoor (Outlook stealer), Covenant Grunt implant |
Attack Chain
The attack leverages phishing emails with geopolitically charged lures about weapons smuggling and military training exercises:
1. Phishing email with weaponized Office document
2. CVE-2026-21509 bypasses security features (no macros needed)
3. WebDAV callback downloads shortcut file (.lnk)
4. Shortcut triggers PixyNetLoader
5. PixyNetLoader fetches and deploys COVENANT Grunt implant
6. MiniDoor steals emails via Outlook VBA injection
7. Full command-and-control established
Why This Exploit Is Dangerous
CVE-2026-21509 is a security feature bypass that requires no macros and no user interaction beyond opening the document. This bypasses the standard protections that block most Office-based attacks:
- No macro warning dialogs
- No Protected View triggers
- No Mark-of-the-Web checks
- Works on fully patched Office installations (pre-Feb Patch Tuesday)
Targets
More than 60 email addresses associated with Ukrainian central executive authorities were targeted, along with organizations in:
- Slovakia — Government ministries and defense contractors
- Romania — Military and diplomatic organizations
- Ukraine — Central government agencies, military command
Lure Themes
| Document Name | Theme |
|---|---|
| Arms_Export_License_2026.docx | Weapons export licensing |
| NATO_Exercise_Briefing.docx | Military training exercises |
| Diplomatic_Note_RE_Sanctions.docx | Sanctions and diplomacy |
Malware Deployed
MiniDoor (Outlook Email Stealer)
A lightweight VBA-based implant injected into Outlook that:
- Monitors incoming and outgoing emails
- Exfiltrates message contents and attachments
- Forwards copies to attacker-controlled email accounts
- Operates silently within the user's Outlook process
COVENANT Grunt Implant
COVENANT is an open-source C2 framework that APT28 has repurposed for this campaign:
- Full remote access and command execution
- File upload/download capabilities
- Lateral movement within the network
- Persistence via scheduled tasks and registry modifications
Patch Status
CVE-2026-21509 was patched in the February 10, 2026 Patch Tuesday release. Organizations that have not yet applied the February updates are vulnerable.
| Product | Fixed In |
|---|---|
| Microsoft Office 2019 | February 2026 Security Update |
| Microsoft 365 Apps | Version 2402 (Build 17328.20162) |
| Microsoft Office LTSC 2021/2024 | February 2026 Security Update |
Recommendations
- Apply February Patch Tuesday updates immediately — CVE-2026-21509 is actively exploited
- Block WebDAV traffic to external servers at the network perimeter
- Hunt for PixyNetLoader indicators in endpoint telemetry
- Monitor Outlook processes for unexpected VBA execution
- Block COVENANT C2 infrastructure using published IOCs from Zscaler
- Brief staff on phishing lures themed around military and diplomatic topics
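A starting point for the WebDAV and shortcut hunts recommended above, written as an added example here (not code from Zscaler or the report): it flags WebDAV activity from workstations toward hosts outside an assumed internal allowlist, and Office processes spawning a child whose command line references a .lnk on a WebDAV UNC path (steps 3 and 4 of the chain). The log format, hostnames and addresses are constructed.

```python
import re

# Constructed sample telemetry (not from the report): simplified key=value
# proxy lines and process-creation events.
PROXY_LOGS = [
    "ts=2026-02-13T09:14:02Z src=10.20.1.15 method=PROPFIND host=203.0.113.44 ua=Microsoft-WebDAV-MiniRedir/10.0.19045",
    "ts=2026-02-13T09:14:03Z src=10.20.1.15 method=GET host=203.0.113.44 ua=Microsoft-WebDAV-MiniRedir/10.0.19045",
    "ts=2026-02-13T09:20:11Z src=10.20.1.22 method=PROPFIND host=files.corp.example ua=Microsoft-WebDAV-MiniRedir/10.0.19045",
    "ts=2026-02-13T09:21:40Z src=10.20.1.30 method=GET host=www.example.org ua=Mozilla/5.0",
]
PROCESS_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "\\203.0.113.44@80\DavWWWRoot\docs\brief.lnk"'},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Assumption: WebDAV is only expected toward hosts under these internal suffixes.
INTERNAL_SUFFIXES = (".corp.example",)
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}
OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# WebDAV-style UNC path (\\host\..., \\host@80\..., \\host@SSL\...) ending in .lnk
UNC_LNK = re.compile(r"\\\\[\w.\-]+(?:@\d+|@SSL)?\\\S*?\.lnk\b", re.IGNORECASE)

def parse_kv(line):
    """Split a 'k=v k=v' log line into a dict (values may contain '/')."""
    return dict(tok.split("=", 1) for tok in line.split())

def is_internal(host):
    return host.endswith(INTERNAL_SUFFIXES)

def flag_webdav(lines):
    """Return sorted (src, host) pairs where a client used a WebDAV method or the
    Windows WebDAV mini-redirector user agent against a non-internal host."""
    hits = set()
    for rec in map(parse_kv, lines):
        if is_internal(rec["host"]):
            continue
        dav_method = rec["method"] in WEBDAV_METHODS
        dav_client = rec["ua"].startswith("Microsoft-WebDAV-MiniRedir")
        if dav_method or dav_client:
            hits.add((rec["src"], rec["host"]))
    return sorted(hits)

def flag_office_lnk(events):
    """Return events where an Office parent spawned a child that references a
    .lnk on a UNC/WebDAV path, the shortcut-delivery step of the chain."""
    return [e for e in events
            if e["parent"].upper() in OFFICE_IMAGES and UNC_LNK.search(e["cmdline"])]
```

Both checks are meant to be fed from real proxy and EDR exports; the internal-suffix allowlist and the simplified log schema must be adapted to the environment.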