Figure: Illustration of APT28's Operation Neusploit attack chain, showing a malicious Office document leading to malware deployment and data exfiltration.

Operation Neusploit: APT28 Unleashes New Microsoft Office Exploit in Cyber Espionage Campaign


A sophisticated cyber espionage campaign, codenamed ‘Operation Neusploit,’ has been attributed to the notorious Russia-linked state-sponsored threat actor, APT28 (also known as UAC-0001). This latest offensive leverages a recently disclosed security flaw in Microsoft Office, CVE-2026-21509, to target critical entities in Ukraine, Slovakia, and Romania.

Zscaler ThreatLabz researchers observed APT28 weaponizing this vulnerability on January 29, 2026, a mere three days after Microsoft’s public disclosure. The rapid exploitation underscores the group’s agility and determination to compromise high-value targets across Eastern Europe.

The Vulnerability and Initial Infiltration

The core of Operation Neusploit lies in CVE-2026-21509, a security feature bypass in Microsoft Office with a CVSS score of 7.8. This flaw allows an unauthorized attacker to trigger malicious code by sending a specially crafted Office file. APT28 meticulously crafted social engineering lures, not only in English but also in localized languages—Romanian, Slovak, and Ukrainian—to maximize their chances of success in the targeted countries.

Adding a layer of sophistication, the threat actor employed server-side evasion techniques. Malicious payloads, specifically a dynamic-link library (DLL), were only delivered if requests originated from the intended geographic regions and included the correct User-Agent HTTP header, effectively thwarting generic analysis attempts.

Dual-Pronged Attack: MiniDoor and PixyNetLoader

The attack chains initiated by exploiting CVE-2026-21509 are designed to deploy two distinct, yet equally dangerous, malware droppers via a malicious RTF file:

MiniDoor: The Email Exfiltrator

The first dropper serves MiniDoor, a C++-based DLL specifically engineered to steal emails. This malware systematically siphons messages from a user’s Inbox, Junk, and Drafts folders, forwarding them to two hard-coded threat actor email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. MiniDoor is believed to be a streamlined variant of NotDoor (aka GONEPOSTAL), a tool previously documented by S2 Grupo LAB52 in September 2025.
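Because MiniDoor forwards stolen mail to fixed external addresses, the mail gateway is a natural place to look for it. The following is an added detection sketch (not code from the Zscaler ThreatLabz report or from CERT-UA) that runs two rules over message-trace records: a direct match on the two exfiltration addresses quoted above, kept in defanged form and refanged only at comparison time, and a volume rule that flags any internal sender pushing an unusual number of messages to a single external recipient. The log format, the internal domain `example.gov.ua`, the threshold and the records themselves are constructed for illustration.

```python
"""Mail-flow detection sketch for MiniDoor-style exfiltration.

Added example; the record format and all sample messages are constructed.
The two indicator addresses are the ones quoted in the public reporting.
"""
import json
from collections import Counter, defaultdict

# Indicators from the reporting, stored defanged so the file carries no live address.
KNOWN_EXFIL_ADDRESSES = {"ahmeclaw2002@outlook[.]com", "ahmeclaw@proton[.]me"}

INTERNAL_DOMAIN = "example.gov.ua"   # assumption: the monitored organisation's domain
FORWARD_THRESHOLD = 5                # assumption: tune to the environment's baseline


def refang(addr: str) -> str:
    """Turn a defanged indicator back into a comparable address."""
    return addr.replace("[.]", ".")


# Constructed message-trace records, one JSON object per line (not real telemetry).
SAMPLE_LOG = "\n".join([
    '{"ts":"2026-01-29T09:01:00Z","sender":"analyst@example.gov.ua","recipients":["ahmeclaw2002@outlook.com"],"subject":"Budget 2026"}',
    '{"ts":"2026-01-29T09:01:02Z","sender":"analyst@example.gov.ua","recipients":["ahmeclaw2002@outlook.com"],"subject":"Meeting notes"}',
    '{"ts":"2026-01-29T09:01:04Z","sender":"analyst@example.gov.ua","recipients":["ahmeclaw2002@outlook.com"],"subject":"Travel"}',
    '{"ts":"2026-01-29T09:01:06Z","sender":"analyst@example.gov.ua","recipients":["ahmeclaw2002@outlook.com"],"subject":"Draft reply"}',
    '{"ts":"2026-01-29T09:01:08Z","sender":"analyst@example.gov.ua","recipients":["ahmeclaw2002@outlook.com"],"subject":"Junk: promo"}',
    '{"ts":"2026-01-29T09:01:10Z","sender":"analyst@example.gov.ua","recipients":["ahmeclaw2002@outlook.com"],"subject":"Contract"}',
    '{"ts":"2026-01-29T09:01:12Z","sender":"analyst@example.gov.ua","recipients":["AhmeClaw@proton.me"],"subject":"Contract"}',
    '{"ts":"2026-01-29T10:15:00Z","sender":"analyst@example.gov.ua","recipients":["partner@example.org"],"subject":"Re: agenda"}',
])


def parse_trace(text: str) -> list:
    """Parse newline-delimited JSON message-trace records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records: list) -> list:
    """Return alerts for known exfil addresses and bulk forwarding to one external recipient."""
    known = {refang(a).lower() for a in KNOWN_EXFIL_ADDRESSES}
    internal_suffix = "@" + INTERNAL_DOMAIN
    alerts = []
    per_sender = defaultdict(Counter)

    for rec in records:
        sender = rec["sender"].lower()
        for rcpt in rec["recipients"]:
            rcpt = rcpt.lower()
            if rcpt in known:
                alerts.append({"rule": "known_exfil_address", "sender": sender,
                               "recipient": rcpt, "subject": rec.get("subject", "")})
            # Count internal -> external traffic per (sender, recipient) pair.
            if sender.endswith(internal_suffix) and not rcpt.endswith(internal_suffix):
                per_sender[sender][rcpt] += 1

    for sender, counts in per_sender.items():
        for rcpt, n in counts.items():
            if n >= FORWARD_THRESHOLD:
                alerts.append({"rule": "bulk_forward_to_external", "sender": sender,
                               "recipient": rcpt, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_trace(SAMPLE_LOG)):
        print(alert)
```

The volume rule is the one that survives an infrastructure change: the hard-coded addresses will be rotated in a future build, but a mailbox silently replaying its Inbox, Junk and Drafts folders to one outside recipient looks the same whatever the address is.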

PixyNetLoader: A Masterclass in Evasion and Persistence

The second dropper, PixyNetLoader, orchestrates a far more intricate attack. It delivers additional embedded components and establishes persistence on the compromised host through COM object hijacking. Among its extracted payloads are a shellcode loader (“EhStoreShell.dll”) and a PNG image (“SplashScreen.png”).

The loader’s primary function is to parse and execute shellcode cleverly concealed within the PNG image using steganography. However, PixyNetLoader exhibits a cunning evasion mechanism: its malicious logic only activates if the infected machine is not an analysis environment and if the host process that launched the DLL is “explorer.exe.” Should these conditions not be met, the malware remains dormant, evading detection.

Ultimately, the extracted shellcode loads an embedded .NET assembly, which is identified as a Grunt implant. This implant is a component of the open-source .NET COVENANT command-and-control (C2) framework, a tool APT28 has been observed using before, notably in Sekoia’s September 2025 report on ‘Operation Phantom Net Voxel.’

Echoes of Past Campaigns and Broader Implications

Zscaler confirms significant overlap between the PixyNetLoader infection chain and ‘Operation Phantom Net Voxel.’ While the earlier campaign relied on VBA macros, this new activity substitutes them with a DLL, yet retains core techniques such as COM hijacking for execution, DLL proxying, XOR string encryption, and the embedding of Covenant Grunt and its shellcode loader in a PNG via steganography.

This disclosure is further corroborated by a report from the Computer Emergency Response Team of Ukraine (CERT-UA). They warned of APT28’s parallel abuse of CVE-2026-21509, using malicious Word documents to target over 60 email addresses associated with central executive authorities in Ukraine. Metadata analysis revealed one such lure document was created on January 27, 2026.

CERT-UA’s investigation found that opening these documents triggers a network connection via the WebDAV protocol, leading to the download of a shortcut file containing code designed to fetch and execute an executable. This attack chain mirrors the PixyNetLoader methodology, culminating in the deployment of the COVENANT framework’s Grunt implant.
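Three of the behaviours described above leave telemetry a defender can key on: a COM server registered in the user's registry hive and pointing at a user-writable path (the COM hijacking persistence of PixyNetLoader), explorer.exe loading an unsigned DLL from such a path (the host-process condition the loader checks for), and a WebDAV fetch of a shortcut file (the CERT-UA chain). The block below is an added example, not code from Zscaler or CERT-UA, that runs those three rules over constructed Sysmon-style registry and image-load events plus constructed proxy records. It assumes Sysmon's field names (EventID 13 `TargetObject`/`Details`, EventID 7 `ImageLoaded`/`Signed`), that Sysmon writes HKCU keys under the user's SID in either the `\Software\Classes\` or `_Classes` form, and that the Windows WebClient redirector identifies itself with a User-Agent beginning `Microsoft-WebDAV-MiniRedir`; the CLSIDs, paths and hosts are placeholders, not indicators from the report.

```python
"""Host and proxy detection sketch for COM hijacking, explorer-hosted DLL loads
and WebDAV shortcut downloads. Added example; all events are constructed.
"""
import re
from urllib.parse import urlparse

# Locations a standard user can write to; a COM server or explorer-loaded DLL
# living here is worth an alert.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Sysmon reports HKCU under HKU\<SID>; the Classes subtree can appear either as
# ...\Software\Classes\ or as the separate <SID>_Classes hive.
COM_INPROC = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+(?:_Classes\\|\\Software\\Classes\\)"
    r"CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32$", re.I)

WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"   # assumption: WebClient redirector UA

# Constructed events (placeholder CLSIDs, SIDs, paths and hosts; not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "Details": r"C:\Users\alice\AppData\Roaming\EhStore\EhStoreShell.dll"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{22222222-3333-4444-5555-666666666666}\InprocServer32",
     "Details": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\EhStore\EhStoreShell.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"EventID": "proxy", "client": "10.0.0.5", "user_agent": "Microsoft-WebDAV-MiniRedir/10.0.19041",
     "url": "http://dav.example.invalid/share/Report.lnk"},
    {"EventID": "proxy", "client": "10.0.0.5", "user_agent": "Mozilla/5.0",
     "url": "https://www.example.com/index.html"},
]


def check_com_hijack(ev: dict):
    """Sysmon 13: InprocServer32 written in a user hive, DLL in a user-writable path."""
    if ev.get("EventID") != 13 or not COM_INPROC.match(ev.get("TargetObject", "")):
        return None
    dll = ev.get("Details", "")
    if USER_WRITABLE.search(dll):
        return {"rule": "com_hijack_user_hive", "key": ev["TargetObject"],
                "dll": dll, "writer": ev.get("Image")}
    return None


def check_explorer_dll_load(ev: dict):
    """Sysmon 7: explorer.exe loads an unsigned DLL from a user-writable path."""
    if ev.get("EventID") != 7 or not ev.get("Image", "").lower().endswith(r"\explorer.exe"):
        return None
    loaded = ev.get("ImageLoaded", "")
    if USER_WRITABLE.search(loaded) and ev.get("Signed", "").lower() != "true":
        return {"rule": "explorer_loads_unsigned_user_dll", "dll": loaded}
    return None


def check_webdav_lnk(ev: dict):
    """Proxy record: WebDAV redirector retrieving a .lnk shortcut file."""
    if ev.get("EventID") != "proxy" or not ev.get("user_agent", "").startswith(WEBDAV_UA_PREFIX):
        return None
    if urlparse(ev.get("url", "")).path.lower().endswith(".lnk"):
        return {"rule": "webdav_shortcut_fetch", "client": ev.get("client"), "url": ev["url"]}
    return None


RULES = (check_com_hijack, check_explorer_dll_load, check_webdav_lnk)


def run_detections(events: list) -> list:
    """Apply every rule to every event and collect the hits."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The second sample registry event is deliberately benign: it matches the key pattern but points at a system DLL, which is why the rule looks at the server path and not only at the key. In production the user-writable path list should be widened to whatever the environment allows standard users to write to.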

The relentless and evolving tactics of APT28 highlight the persistent threat posed by state-sponsored actors. Organizations, particularly those in geopolitically sensitive regions, must remain vigilant and prioritize patching known vulnerabilities to defend against such sophisticated cyber espionage efforts.

