Fancy Bear Returns: APT28 Exploits Office Flaw in "Operation Neusploit"

  • Feb 3

Key Findings


  • The notorious Russia-linked threat group APT28 (also known as Fancy Bear) has launched a new campaign dubbed "Operation Neusploit" targeting Central and Eastern Europe.

  • The campaign leverages a recently patched Microsoft Office vulnerability, CVE-2026-21509, to deliver custom backdoors against strategic targets in Ukraine, Slovakia, and Romania.

  • The attack uses specially crafted RTF documents as the initial vector, exploiting the vulnerability to initiate a multi-stage infection chain.

  • The primary payloads deployed are a new implant called MiniDoor, a stripped-down variant of the NotDoor backdoor, and PixyNetLoader, which uses advanced evasion techniques.

  • APT28 has also continued its use of steganography, hiding malicious code inside image files to bypass network defenses.

  • Zscaler ThreatLabz has linked this activity to APT28 with "high confidence" due to significant overlaps in infrastructure and coding style.


Background


  • APT28, also known as Fancy Bear, is a Russia-linked threat group that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including involvement in attacks targeting the 2016 US presidential election.

  • The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

  • In January 2026, Zscaler ThreatLabz uncovered the "Operation Neusploit" campaign targeting Central and Eastern Europe, leveraging the recently disclosed CVE-2026-21509 vulnerability in Microsoft Office.


Exploitation of CVE-2026-21509


  • On January 26, 2026, Microsoft released an out-of-band security update to address the CVE-2026-21509 vulnerability, which was actively being exploited in the wild.

  • The vulnerability is a security feature bypass issue that affects multiple Office versions, allowing an unauthorized attacker to bypass security protections locally.

  • Attackers must send a user a malicious Office file and convince them to open it to exploit the vulnerability.

  • Zscaler observed active exploitation of the vulnerability just three days after the patch was released, highlighting the speed at which state-sponsored actors move.


Delivery and Malware Payloads


  • The attack campaign uses specially crafted RTF documents as the initial infection vector, exploiting CVE-2026-21509 to initiate a multi-stage infection chain.

  • Two distinct attack chains were observed, both dropping either the MiniDoor or PixyNetLoader malware.

  • MiniDoor is a simplified variant of the NotDoor backdoor, primarily focused on stealing and forwarding the victim's emails.

  • PixyNetLoader uses advanced evasion techniques, such as COM hijacking and DLL proxying, to load a .NET Covenant Grunt implant that abuses legitimate APIs for command-and-control.

  • The group has also continued its use of steganography, hiding malicious code inside PNG images to bypass network defenses.


Attribution to APT28


  • Zscaler ThreatLabz has linked this activity to the Russia-aligned APT28 group with "high confidence" based on significant overlaps in infrastructure, tools, and tactics.

  • The targets, which include Ukraine, Slovakia, and Romania, align with APT28's historical focus on Central and Eastern Europe.

  • The use of MiniDoor, a variant of the NotDoor backdoor, and the abuse of the Filen API for command-and-control are also tied to previous APT28 campaigns.

  • The PixyNetLoader attack chain, with its combination of COM hijacking, DLL proxying, and steganography, also mirrors the group's prior tactics.


Conclusion


  • APT28 continues to evolve its tactics, techniques, and procedures (TTPs), as demonstrated by its exploitation of the newly disclosed CVE-2026-21509 vulnerability in Microsoft Office.

  • The group's ability to quickly weaponize and deploy this vulnerability, just days after the patch was released, highlights the ongoing threat posed by state-sponsored actors.

  • Organizations in the targeted regions are urged to stay vigilant and ensure they have installed the latest security updates to protect against this and other emerging threats.


Sources


  • https://securityonline.info/fancy-bear-returns-apt28-exploits-office-flaw-in-operation-neusploit/

  • https://securityaffairs.com/187581/apt/apt28-exploits-microsoft-office-flaw-in-operation-neusploit.html

© 2025 by Explain IT Again.