
"According to CERT-UA, the first weaponized document surfaced just days after Microsoft sounded the alarm about the flaw. A file titled 'Consultation_Topics_Ukraine(Final).doc' appeared publicly on January 29 and was themed around EU discussions on Ukraine. File metadata shows it was created on January 27 - the day after Microsoft published details of the flaw - a turnaround time that suggests the exploit chain was already prepared and waiting."
"Opening the file in Office quietly initiates a WebDAV connection to an external server, downloads a shortcut file, and uses it as a launchpad for further malware. From there, the attackers drop a DLL masquerading as a legitimate Windows component and stash shellcode inside what appears to be a harmless image file. They then establish persistence via COM hijacking and a scheduled task that restarts explorer.exe, ensuring the malicious code is reloaded."
UAC-0001 (APT28/Fancy Bear) leverages Microsoft Office security feature bypass CVE-2026-21509 to compromise Ukrainian government bodies and organizations across the EU. A weaponized document named "Consultation_Topics_Ukraine(Final).doc" appeared within days of the public disclosure, with metadata suggesting a rapid, pre-prepared exploit chain. A parallel phishing campaign impersonated the Ukrhydrometeorological Center and delivered malicious DOC attachments to more than 60 recipients in central government. Opening the document triggers a WebDAV connection to download a shortcut, which leads to a DLL drop, shellcode hidden in an image, COM hijacking, and a scheduled task restarting explorer.exe. The operation culminates in deployment of the COVENANT post-exploitation framework and persistent footholds for continued access.
Read at The Register