# Full Report
The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit. Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three
# Analysis Summary
# Threat Actor: APT28
## Attribution & Identity
**Identification:** Russia-linked state-sponsored threat actor.
**Aliases:** UAC-0001.
**Associated Groups:** Overlap noted with techniques used in Operation Phantom Net Voxel (reported by Sekoia in September 2025).
## Activity Summary
APT28 is conducting a campaign codenamed **Operation Neusploit**, first observed weaponizing a Microsoft Office vulnerability on January 29, 2026. The actor abused the newly disclosed security feature bypass flaw, **CVE-2026-21509**, to deliver espionage-focused malware. The campaign targeted users shortly after Microsoft disclosed the bug.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of **CVE-2026-21509** (Microsoft Office Security Feature Bypass, CVSS 7.8) via malicious RTF or Word documents.
- **Delivery/Execution:** Initial file triggers exploitation, leading to the deployment of one of two versions of a dropper binary.
- **Server-Side Evasion:** The staging server returned the malicious DLLs only when a request originated from one of the targeted geographic regions *and* carried the expected User-Agent HTTP header; other requests received nothing useful.
- **Persistence/Defense Evasion:** Use of **COM object hijacking** for setting up persistence.
- **Payload Delivery (Variant 2):** DLL proxying and XOR string encryption.
- **Payload Obfuscation:** Shellcode concealed using **steganography within a PNG image** ("SplashScreen.png").
- **Conditional Execution:** A dedicated loader ("EhStoreShell.dll") only executes its malicious logic if the hosting process is "explorer.exe" and the machine is confirmed not to be an analysis environment.
## Targeting
- **Sectors:** Not explicitly stated, but the targeting of central executive authorities suggests government/public sector focus.
- **Geography:** Ukraine, Slovakia, and Romania.
- **Victims:** Users within central executive authorities in Ukraine (over 60 associated email addresses).
## Tools & Infrastructure
- **Malware Families Used:**
* **MiniDoor:** A C++-based DLL file designed to steal emails (Inbox, Junk, Drafts) and forward them. Assessed to be a stripped-down version of NotDoor (GONEPOSTAL).
* **PixyNetLoader:** A dropper responsible for deploying more complex components.
* **Covenant Grunt Implant:** Deployed via the second infection chain (via PixyNetLoader).
* **EhStoreShell.dll:** Shellcode loader.
- **C2 Framework:** Open source .NET **COVENANT**.
- **Infrastructure:**
* Email addresses hard-coded in MiniDoor dropper for exfiltration: `ahmeclaw2002@outlook[.]com` and `ahmeclaw@proton[.]me`.
* Initial access method involved establishing a network connection using the **WebDAV protocol** to an external resource upon document opening.
## Implications
APT28 is rapidly turning newly disclosed (or zero-day) vulnerabilities into adaptive, sophisticated weapons against critical targets, specifically government entities in Eastern Europe and neighboring states, in line with typical Russian espionage interests. The actor's server-side evasion and anti-analysis checks show a high operational security standard intended to frustrate rapid analysis.
## Mitigations
- Patch or mitigate **CVE-2026-21509** immediately (Microsoft Office vulnerability).
- Monitor network activity for indicators associated with the WebDAV protocol being initiated by Office applications.
- Implement strict application control and monitor for anomalous COM object registrations that could indicate COM hijacking used to establish persistence.
- Enhance endpoint detection to flag `explorer.exe` (the host process the loader checks for) loading unexpected DLLs or executing shellcode derived from image files (steganography detection may be necessary).
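As an added example (not from the report and not Zscaler's tooling), the following Python implements the COM hijacking and `explorer.exe` checks from the mitigations above as two rules over constructed Sysmon-style records; the SID, CLSID and file paths in the sample records are placeholders, not indicators from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style records (EventID 13 = RegistryEvent value set,
# EventID 7 = ImageLoad). Field names follow Sysmon; the SID, CLSID and
# paths are made-up placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\CLSID\\{PLACEHOLDER-CLSID-1}\\InprocServer32\\(Default) "
    "Details=C:\\Users\\alice\\AppData\\Roaming\\EhStoreShell.dll",
    "EventID=13 Image=C:\\Windows\\System32\\msiexec.exe "
    "TargetObject=HKLM\\Software\\Classes\\CLSID\\{PLACEHOLDER-CLSID-2}\\InprocServer32\\(Default) "
    "Details=C:\\Program Files\\Vendor\\vendor.dll",
    "EventID=7 Image=C:\\Windows\\explorer.exe "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Roaming\\EhStoreShell.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\explorer.exe "
    "ImageLoaded=C:\\Windows\\System32\\shell32.dll Signed=true",
]

# key=value pairs; values may contain spaces, so stop only before the next "key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Per-user CLSID registrations take precedence over HKLM ones, so an
# InprocServer32 value written under a user hive is the classic COM hijack.
USER_COM_RE = re.compile(
    r"^(HKU|HKCU)\\.*\\Software\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, offending_value) pairs for records matching a rule."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "13" and USER_COM_RE.match(ev.get("TargetObject", "")):
            hits.append(("user_hive_com_inprocserver32_write", ev["TargetObject"]))
        elif (ev.get("EventID") == "7"
              and ev.get("Image", "").lower().endswith("\\explorer.exe")
              and (USER_WRITABLE_RE.search(ev.get("ImageLoaded", ""))
                   or ev.get("Signed", "").lower() == "false")):
            hits.append(("explorer_loads_untrusted_dll", ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for rule, value in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {value}")
```

Real deployments would feed these rules from a SIEM export rather than inline strings and should whitelist known-good per-user COM registrations to keep the first rule quiet.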