
"The Russian cyberespionage group APT28 has rushed to add a recently patched Office vulnerability to its arsenal, with the first attacks observed just days after Microsoft announced fixes. The flaw, tracked as CVE-2026-21509, was addressed by Microsoft on January 26. The tech giant warned at the time that the vulnerability had been exploited as a zero-day and urged customers to apply the patches immediately."
"Microsoft initially credited its own security researchers for finding the vulnerability, but later updated its advisory to also credit Google Threat Intelligence Group (GTIG). However, neither Microsoft nor GTIG has released any information on the attacks exploiting CVE-2026-21509. While it remains unclear who exploited the Office vulnerability as a zero-day, Ukraine's computer emergency response team (CERT-UA) and cybersecurity firm Zscaler revealed this week that the flaw was quickly weaponized by Russia's APT28 after its disclosure."
"CVE-2026-21509 can be exploited by tricking the targeted user into opening a specially crafted Office file. While both Zscaler and CERT-UA spotted the first malicious file exploiting the vulnerability on January 29, the Ukrainian agency found evidence that the weaponized document had been created on January 27, the day after Microsoft announced patches for CVE-2026-21509. Since there appears to be no publicly available technical information on the vulnerability, the threat actor likely reverse-engineered Microsoft's patches to develop its exploit."
Russia-linked APT28 rapidly weaponized a recently patched Microsoft Office vulnerability, CVE-2026-21509, and launched attacks within days of the fixes. Microsoft released patches on January 26 and warned that the flaw had already been exploited as a zero-day. Microsoft's advisory credits both its own researchers and Google Threat Intelligence Group (GTIG) for the discovery, but neither organization has published details of the zero-day attacks. CERT-UA and Zscaler observed the first malicious sample on January 29; document metadata examined by CERT-UA indicates it was created on January 27, one day after the patch, so APT28 most likely derived the exploit by reverse-engineering Microsoft's fix rather than from any public technical write-up. Zscaler attributed the campaign to APT28 based on victimology and TTPs and observed a dropper delivering additional malware, including MiniDoor. The practical takeaway for defenders is that the window between patch release and exploitation by this actor was about three days, which is the timeline an Office patching SLA should be measured against.
Read at SecurityWeek