Russian Hackers Exploit Recently Patched Microsoft Office Vulnerability in Targeted Attacks
Feb 4, 2026
Russian state-linked hackers from the APT28 group — also known as Fancy Bear, Sofacy, and Strontium — are actively exploiting a recently patched Microsoft Office vulnerability (CVE-2026-21509) in targeted phishing attacks against government and public sector organizations across Eastern and Central Europe.
The Office flaw was patched by Microsoft on January 26, 2026, after being marked as an actively exploited zero-day. However, within just days of the update’s release, threat actors began distributing weaponized documents designed to exploit the vulnerability and deliver multiple malware components.
What’s Happening
Ukraine’s Computer Emergency Response Team (CERT-UA) first identified malicious Office documents exploiting the recently patched flaw on January 29, 2026 — only three days after the emergency update. These booby-trapped files were themed around European Union consultations and other government-related subjects to increase the likelihood that recipients would open them.
Once a user opens one of these malicious documents, the exploit triggers a WebDAV-based download chain that abuses COM hijacking to load a malicious DLL (EhStoreShell.dll), execute shellcode embedded in an image (SplashScreen.png), and ultimately deploy a Covenant framework implant on the compromised machine.
CERT-UA and security researchers attribute the campaign to the Russia-linked APT28 group — notorious for sophisticated espionage and targeting government, defense, and critical infrastructure.
Technical Summary
| Detail | Information |
|---|---|
| Vulnerability | CVE-2026-21509 |
| Severity | Actively Exploited Zero-Day |
| Affected Products | Microsoft Office 2016, 2019, LTSC 2021/2024, Microsoft 365 Apps |
| Threat Actor | APT28 (Fancy Bear / Sofacy / Strontium) |
| Attack Vector | Malicious Office DOC/RTF attachments |
| Exploit Technique | WebDAV download chain, COM hijacking |
| Malware Delivered | DLL loader ( |
| Geographic Targets | Ukraine, Slovakia, Romania, EU entities |
| Recommended Mitigations | Apply latest Office patch / restart apps, follow registry-based mitigations when patching isn’t immediate |
How the Attack Works
The attackers use social engineering lures embedded in emails to entice targets to open malicious Office files. These files exploit the patched vulnerability by circumventing security mitigations and initiating a remote download sequence.
Once opened, the malicious document establishes a WebDAV connection that pulls down a payload. Through COM hijacking and scheduled task manipulation, the exploit loads a malicious DLL, which in turn triggers embedded shellcode and installs the Covenant command-and-control framework — a flexible platform often used for remote access and data exfiltration.
Evidence suggests multiple documents with similar exploit chains have been used against various EU-based organizations, indicating a broader campaign beyond Ukraine alone.
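As an added illustration of what the COM-hijacking stage of this chain looks like from the defender's side (example code, not from the article, CERT-UA or the threat actor's tooling): a Python triage sketch over constructed Sysmon-style events that flags a per-user InprocServer32 registration pointing at a DLL in a user-writable location and then correlates it with a later load of that DLL. The CLSIDs, SID, user name and event layout are constructed; only the file name EhStoreShell.dll comes from the article.

```python
import re

# Constructed, Sysmon-like events (EventID 13 = registry value set, 7 = image load).
# CLSIDs, SID and user are made up; EhStoreShell.dll is the DLL named in the article.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\EhStoreShell.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",   # benign installer writing HKLM
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\EhStoreShell.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",            # benign system DLL load
     "ImageLoaded": r"C:\Windows\System32\ole32.dll"},
]

# InprocServer32 under any CLSID; a per-user copy of this key shadows the machine-wide one.
INPROC_RE = re.compile(r"\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_untrusted_path(path: str) -> bool:
    """True for DLLs outside the OS/Program Files trees or on a UNC share
    (a WebDAV share is reached through a UNC path), i.e. locations a
    low-privileged user can write to or point at."""
    p = path.strip('"').lower()
    return p.startswith("\\\\") or not p.startswith(TRUSTED_DIRS)

def detect_com_hijack(ev):
    """Per-user (HKU/HKCU) InprocServer32 set to an untrusted DLL: any process that
    instantiates that CLSID will load the attacker's DLL instead of the real one."""
    if ev["EventID"] != 13 or not INPROC_RE.search(ev["TargetObject"]):
        return None
    per_user = ev["TargetObject"].upper().startswith(("HKU\\", "HKCU\\"))
    if per_user and is_untrusted_path(ev["Details"]):
        return ("com_hijack", ev["Details"])
    return None

def triage(events):
    """Report hijack writes, then any load of a DLL that such a write pointed at.
    Per-user COM registrations do exist legitimately, so the write alone is a
    lead; the correlated load is what to escalate."""
    findings, hijacked = [], set()
    for ev in events:
        hit = detect_com_hijack(ev)
        if hit:
            findings.append(hit)
            hijacked.add(hit[1].lower())
    for ev in events:
        if ev["EventID"] == 7 and ev["ImageLoaded"].lower() in hijacked:
            findings.append(("hijacked_dll_loaded", f'{ev["Image"]} -> {ev["ImageLoaded"]}'))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```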
Recommendations for Organizations
Security teams should:
- Apply Microsoft’s emergency patch for CVE-2026-21509 immediately across all affected Office products. For Office 2021 and later, ensure users restart applications so that updates take effect.
- Implement registry-based mitigations as outlined by original advisories when patching isn’t feasible right away.
- Enable Defender’s Protected View to block malicious files from untrusted sources by default.
- Harden email defenses to flag and quarantine suspicious attachments tied to geopolitical or sector-specific lures.
Bottom Line
This incident highlights the speed at which advanced threat actors can weaponize publicly disclosed vulnerabilities — even soon after patches are released. Organizations that delay patch deployment or don’t enforce application restarts remain at high risk of compromise.