APT28 exploited CVE-2026-21509 in Microsoft Office less than 48 hours after a patch was released. The vulnerability allowed the attackers to compromise devices within diplomatic, maritime, and transport organizations. After reverse-engineering the patch, the group developed an advanced exploit to install novel backdoor implants. The campaign utilized compromised government accounts for initial infection and legitimate cloud services for command and control, making detection difficult.
Russian-state hackers wasted no time exploiting a critical Microsoft Office vulnerability that allowed them to compromise the devices inside diplomatic, maritime, and transport organizations in more than half a dozen countries, researchers said Wednesday. The threat group, tracked under names including APT28, Fancy Bear, Sednit, Forest Blizzard, and Sofacy, pounced on the vulnerability, tracked as CVE-2026-21509, less than 48 hours after Microsoft released an urgent, unscheduled security update late last month, the researchers said. After reverse-engineering the patch, group members wrote an advanced exploit that installed one of two never-before-seen backdoor implants. Stealth, speed, and precision The entire campaign was designed to make the compromise undetectable to endpoint protection. Besides being novel, the exploits and payloads were encrypted and ran in memory, making their malice hard to spot. The initial infection vector came from previously compromised government accounts from multiple countries and were likely familiar to the targeted email holders. Command and control channels were hosted in legitimate cloud services that are typically allow-listed inside sensitive networks. Read full article Comments