APT28 Exploits Microsoft Office 0-Day

Sarah simpson
February 3, 2026

APT28, the Russia-linked advanced persistent threat group, has launched a sophisticated campaign targeting Central and Eastern Europe by exploiting a zero-day vulnerability in Microsoft Office.

The threat actors leveraged specially crafted Microsoft Rich Text Format (RTF) files to exploit the vulnerability and deliver malicious backdoors through a multi-stage infection chain.

The campaign, tracked as Operation Neusploit, represents a significant escalation in APT28’s capabilities and demonstrates their continued focus on high-value targets across Ukraine, Slovakia, and Romania.

The attack begins when users receive socially engineered emails containing weaponized RTF documents.

These messages are customized in English and local languages including Romanian, Slovak, and Ukrainian to increase the likelihood of successful infection.

Once victims open these files, the vulnerability is silently triggered, allowing the threat actors to execute arbitrary code on the compromised system without any visible warning to the user.

Zscaler analysts identified this campaign in January 2026 and attributed it to APT28 based on significant overlaps in tools, techniques, and procedures with the group’s known operations.

The researchers observed active exploitation occurring in the wild on January 29, 2026, just three days after Microsoft released an emergency security update to address the vulnerability.

Infection Mechanism and Persistence Strategy

The infection chain involves two distinct variants of dropper malware designed to deploy different payloads to compromised systems.

The first variant deploys MiniDoor, a lightweight email-stealing tool built using Microsoft Outlook Visual Basic for Applications (VBA).

MiniDoor operates by monitoring Outlook login events and systematically harvesting emails from the infected mailbox. The malware forwards stolen communications to hardcoded email addresses controlled by the attackers.

To maintain persistence, the dropper modifies Windows registry settings to disable Outlook security protections and automatically load the malicious macro each time the application launches.
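A defender-side check for the Outlook persistence described above, added here as an example (it is not code from the article or from Zscaler). It scores the documented per-user Outlook settings that, taken together, let a stored VBA project run silently at startup. The article does not name the exact registry values the dropper changes, so checking these particular ones is an assumption; the live collector only works on Windows, while the scoring function can be exercised anywhere.

```python
import os
import sys

# Documented Outlook per-user registry locations (HKCU):
#   Software\Microsoft\Office\<ver>\Outlook\Security -> "Level"
#       1 = enable all macros; higher values prompt for or block macros
#   Software\Microsoft\Office\<ver>\Outlook -> "LoadMacroProviderOnBoot"
#       1 = load the stored VbaProject.OTM when Outlook starts
# The article does not name the exact settings the dropper changes; treating
# these as the indicators to check is an assumption of this example.
OUTLOOK_VERSIONS = ("16.0", "15.0")


def assess_outlook_vba_persistence(level, load_on_boot, otm_present):
    """Score three indicators of a macro-based Outlook backdoor.
    level / load_on_boot: registry DWORDs (int) or None if unset;
    otm_present: True if VbaProject.OTM exists under %APPDATA%\\Microsoft\\Outlook."""
    findings = []
    if level == 1:
        findings.append("macro security Level=1: macros run without any prompt")
    if load_on_boot == 1:
        findings.append("LoadMacroProviderOnBoot=1: VBA project loaded at startup")
    if otm_present:
        findings.append("VbaProject.OTM present: a stored VBA project exists")
    # All three together match the persistence the article describes:
    # protections disabled and the macro auto-loaded on every launch.
    verdict = {3: "high", 2: "medium", 1: "low"}.get(len(findings), "none")
    return {"verdict": verdict, "findings": findings}


def collect_from_host():
    """Read the live indicators on a Windows host; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module

    def read(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    level = load = None
    for ver in OUTLOOK_VERSIONS:  # first Office version with a value wins
        base = rf"Software\Microsoft\Office\{ver}\Outlook"
        level = read(base + r"\Security", "Level") if level is None else level
        load = read(base, "LoadMacroProviderOnBoot") if load is None else load
    otm = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Outlook", "VbaProject.OTM")
    return assess_outlook_vba_persistence(level, load, os.path.isfile(otm))
```

On a Windows host, `collect_from_host()` returns the verdict for the current user profile; a "high" result warrants pulling VbaProject.OTM for analysis rather than deleting it.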

  • CVE ID: CVE-2026-21509
  • Vulnerability Type: Remote Code Execution
  • Affected Component: Microsoft Office RTF Handler
  • Severity: Critical
  • Patch Date: January 26, 2026

The second dropper variant deploys PixyNetLoader, which establishes a foothold for deploying the Covenant Grunt implant, providing the attackers with command-and-control capabilities.

Both variants employ server-side evasion techniques, delivering payloads only to requests originating from targeted geographic regions with correct HTTP headers. This selective delivery makes detection and analysis significantly more challenging for security researchers worldwide.
