Full Report
Ukraine’s CERT says the bug went from disclosure to active exploitation in days
Russia-linked attackers are already exploiting Microsoft's latest Office zero-day, with Ukraine's national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU.…
Analysis Summary
# Threat Actor: APT28 (Fancy Bear)
## Attribution & Identity
* **Identification:** Russia-linked attackers.
* **Known Aliases:** UAC-0001, Fancy Bear.
* **Known Associations:** Linked to Russian state activity.
## Activity Summary
The threat actor began exploiting the recently disclosed Microsoft Office zero-day (CVE-2026-21509) within days of its disclosure. That speed suggests the exploit chain was prepared in advance rather than built after the advisory appeared.
Recent activities include:
1. Targeting **Ukrainian government agencies** via phishing campaigns impersonating the Ukrhydrometeorological Center.
2. Distributing weaponized documents themed around EU discussions on Ukraine (e.g., "Consultation\_Topics\_Ukraine(Final).doc").
3. Targeting **organizations in EU member states** with similar lure documents.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploiting CVE-2026-21509 in Microsoft Office via weaponized documents.
* **Execution Chain:** Opening the malicious DOC triggers the exploit, which initiates a WebDAV connection to an attacker-controlled server and downloads a Windows shortcut (.lnk) file; the shortcut acts as the launchpad for the rest of the chain.
* **Defense Evasion/Persistence:**
  * Dropping a DLL masquerading as a legitimate Windows component.
  * Stashing shellcode inside an image file.
  * Establishing persistence via **COM hijacking**.
  * Establishing persistence via a **scheduled task** that restarts `explorer.exe`; because COM objects are loaded when the process starts, each restart reloads the hijacked object and its malicious DLL.
* **Command and Control (C2):** Deployment of the **COVENANT post-exploitation framework**.
* **Network Evasion:** Routing C2 traffic through a legitimate cloud storage service (Filen) so it blends in with ordinary user traffic.
(The source text gives no MITRE ATT&CK IDs; the mapping below is the editor's and follows directly from the techniques named above: T1566.001 Spearphishing Attachment; T1203 Exploitation for Client Execution; T1105 Ingress Tool Transfer for the WebDAV download; T1036.005 Masquerading: Match Legitimate Name or Location for the DLL; T1027.003 Steganography for shellcode hidden in an image file; T1546.015 Component Object Model Hijacking; T1053.005 Scheduled Task; T1102.002 Web Service: Bidirectional Communication for C2 over cloud storage.)
## Targeting
* **Sectors:** Central government bodies, general organizations.
* **Geography:** Ukraine (domestic agencies) and European Union (EU member states).
* **Victims:** Government agencies inside Ukraine and organizations across the EU.
## Tools & Infrastructure
* **Malware families used:** COVENANT post-exploitation framework.
* **Infrastructure:** External servers reached over WebDAV for payload delivery, and the Filen cloud storage service for masking C2 traffic. Infrastructure turnover is rapid; one domain serving a payload was registered on the same day it was used, so domain-age checks are a useful signal.
## Implications
The rapid weaponization of the Microsoft Office zero-day (CVE-2026-21509) demonstrates APT28's high level of readiness and its immediate, opportunistic targeting of politically relevant entities in Ukraine and the EU. The persistence techniques (COM hijacking plus a scheduled task) and the use of the COVENANT framework point to operations aimed at maintaining long-term access rather than one-off collection. Defenders are warned that attacks using this flaw will likely increase even though patches are available, because many organizations lag in deploying Office updates.
## Mitigations
* Monitor or block traffic to the identified C2 infrastructure; the only service named is **Filen**, so alert on Filen-related traffic from hosts that have no business reason to use it rather than blocking the service outright.
* Ensure timely patching of Microsoft Office, including older builds affected by CVE-2026-21509.
* Monitor for unusual WebDAV connections initiated by Office processes. Note that on Windows a WebDAV fetch is often carried out by the WebClient service (an `svchost.exe` instance) rather than by the Office process itself, so correlate Office document opens with WebClient network activity by time and host rather than matching on the Office image alone.
* Monitor for COM hijacking (per-user CLSID registrations under `HKCU\Software\Classes\CLSID\{...}\InprocServer32` that shadow the `HKLM` entries) and for newly created scheduled tasks that kill or restart `explorer.exe`.
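The following is an added example written for this summary, not code from CERT-UA, Microsoft or the article: a small Python detector that applies the execution-chain and persistence TTPs above (Office-initiated WebDAV egress, dropped payloads, per-user COM hijack registrations, explorer-restart scheduled tasks) to constructed, Sysmon-style events. The event schema is a simplified dict of the editor's own design rather than real Sysmon field names; the allowlist, hostnames, SID, GUID and file names are placeholders, and the rules are starting-point heuristics to tune, not indicators from the report.

```python
"""Heuristic detector for the APT28 Office zero-day chain described above.

Added example, not the report's own tooling. Events are simplified,
Sysmon-inspired dicts: id 1 = process create, 3 = network connection,
11 = file create, 13 = registry value set. All sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Placeholder allowlist (assumption): hosts Office may legitimately reach on 80/443.
ALLOWED_HOSTS = {"officecdn.microsoft.com", "sharepoint.example.invalid"}

# Per-user CLSID registration path abused by COM hijacking: it is consulted before
# the HKLM entry and needs no admin rights. Matches HKU\<SID>\... or HKCU\... forms.
COM_HIJACK_KEY = re.compile(
    r"^(HKU\\[^\\]+|HKCU)\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}"
    r"\\(InprocServer32|LocalServer32)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per event that matches a rule, in input order."""
    findings: list[Finding] = []
    for ev in events:
        image = _basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "")
        eid = ev.get("id")
        if eid == 3:  # network connection
            host = ev.get("dest_host", "").lower()
            port = ev.get("dest_port")
            # WebDAV is often performed by the WebClient service (svchost), so an
            # Office image OR a WebClient svchost counts as "Office-initiated" here.
            webclient = "webclient" in cmd.lower()
            if port in (80, 443) and host not in ALLOWED_HOSTS and (
                image in OFFICE_PROCESSES or webclient
            ):
                findings.append(Finding("office_webdav_egress", f"{image} -> {host}:{port}"))
        elif eid == 11:  # file create: Office writing a shortcut or DLL is the drop stage
            target = ev.get("target", "")
            if image in OFFICE_PROCESSES and target.lower().endswith((".lnk", ".dll")):
                findings.append(Finding("office_dropped_payload", f"{image} wrote {target}"))
        elif eid == 13:  # registry value set under a per-user CLSID server key
            key = ev.get("key", "")
            if COM_HIJACK_KEY.match(key):
                findings.append(Finding("com_hijack_registration", f"{key} = {ev.get('data', '')}"))
        elif eid == 1:  # process create: schtasks registering an explorer.exe restart
            low = cmd.lower()
            if image == "schtasks.exe" and "/create" in low and "explorer.exe" in low:
                findings.append(Finding("explorer_restart_task", cmd))
    return findings


# Constructed sample telemetry (not real logs); names and GUID are placeholders.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"id": 3, "image": WINWORD, "dest_host": "officecdn.microsoft.com", "dest_port": 443},  # benign
    {"id": 3, "image": WINWORD, "dest_host": "files.example.invalid", "dest_port": 80},
    {"id": 11, "image": WINWORD, "target": r"C:\Users\u\AppData\Local\Temp\lure.lnk"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\CLSID"
            r"\{01234567-89AB-CDEF-0123-456789ABCDEF}\InprocServer32\(Default)",
     "data": r"C:\Users\u\AppData\Roaming\example.dll"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "cmd /c taskkill /f /im explorer.exe & start explorer.exe" /sc minute /mo 30'},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},  # benign
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

On real telemetry the four rules are meant to be correlated, not fired individually: an Office process egressing to a day-old domain, followed within minutes by a `.lnk` drop, a per-user CLSID registration and an `explorer.exe` restart task on the same host is the chain the report describes, whereas any one of them alone (particularly the WebClient and `schtasks` rules) will produce benign hits in an enterprise.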