Fancy Bear Exploits Microsoft Zero-Day for Back Hackers Exploiting
Russia-linked cyber espionage group Fancy Bear, also known as APT28, has launched Operation Neusploit. This marks a significant escalation, leveraging a zero-day vulnerability, CVE-2026-21509, in...
Russia-linked cyber espionage group Fancy Bear, also known as APT28, has launched Operation Neusploit.
This marks a significant escalation, leveraging a zero-day vulnerability, CVE-2026-21509, in Microsoft RTF files.
By exploiting this flaw, attackers execute arbitrary code on victim systems, deploying dangerous backdoors and email stealers.
The campaign targets organizations in Central and Eastern Europe, posing a severe threat to government and military sectors in the region.
The attack distributes malicious RTF documents via phishing emails using social engineering lures written in English, Romanian, Slovak, and Ukrainian.
The primary targets are in Ukraine, Slovakia, and Romania. Attackers designed these documents to be highly convincing, often mimicking official government documents, increasing the likelihood victims trigger the exploit.
Polyswarm analysts identified the malware, noting its capability to bypass traditional security measures.
It employs evasion techniques, checking for specific User-Agent strings and verifying geographic locations before delivering the payload.
If conditions are met, the chain downloads a malicious dropper DLL, installing further malicious components.
Once compromised, the impact is severe. The malware steals sensitive information directly from Microsoft Outlook.
It monitors email activity, saves messages, and exfiltrates them to attacker-controlled servers.
Additionally, the malware establishes a persistent connection to a command-and-control server, allowing attackers to maintain long-term access and execute further commands. This communication is often encrypted to avoid detection.
Infection Mechanism and Persistence
The infection involves two dropper DLL variants. The first variant deploys MiniDoor, a tool that modifies registry keys to downgrade Outlook security and extract an encrypted script to steal emails.
The second variant introduces PixyNetLoader, which drops payloads like a PNG file hiding malicious shellcode using steganography.
To ensure persistence, attackers use COM hijacking. They register their malicious file under a legitimate name, forcing the OS to load it when Explorer restarts.
This sophisticated mechanism allows the malware to survive reboots and continue its espionage activities undetected. This technique makes detection extremely difficult for defenders.
| Attribute | Details |
|---|---|
| CVE Identifier | CVE-2026-21509 |
| Vulnerability Type | RTF Parsing Flaw / Arbitrary Code Execution |
| Affected Component | Microsoft RTF (Rich Text Format) File Parser |
| Associated Campaign | Operation Neusploit |
| Threat Actor | Fancy Bear (APT28, Sofacy, Sednit) |
| Patch Release Date | January 26, 2026 (Out-of-band update) |
| Active Exploitation | First detected in the wild on January 29, 2026 |
| Attack Vector | Phishing emails containing specially crafted malicious RTF attachments |
| Target Geographies | Central and Eastern Europe (specifically Ukraine, Slovakia, and Romania) |
| Impact | Deployment of backdoors (MiniDoor, PixyNetLoader) and email stealers |
Organizations should immediately apply the patch for CVE-2026-21509. Security teams must monitor network traffic for the specific User-Agent strings and indicators of compromise associated with Operation Neusploit.
It is also crucial to update email security gateways to filter out malicious RTF attachments. Security professionals should also consider blocking RTF files entirely if they are not needed for business operations.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.