Fancy Bear, a group of hackers with ties to Russia, has launched Operation Neusploit, a cunning cyberattack. They steal emails from targets in Central and Eastern Europe by exploiting a new zero-day vulnerability in Microsoft RTF files, CVE-2026-21509.
The campaign was discovered by Zscaler ThreatLabz researchers, who connected it with high confidence to the infamous APT28 group. Weaponized documents in English, Romanian, Slovak, and Ukrainian were used against users in Slovakia, Romania, and Ukraine. Microsoft released an urgent patch on January 26, 2026; a few days later, on January 29, the hackers began using the vulnerability in real attacks.
The objective? Obtain sensitive Outlook emails by planting backdoors and avoiding detection.

How the Attack Takes Place

Victims receive phishing emails carrying booby-trapped RTF files.
When opened, these files trigger a Microsoft RTF parsing bug (CVE-2026-21509) that lets the attackers execute code on the victim's Windows computer. The exploit then fetches a malicious DLL dropper from a server controlled by the hackers.
The server is selective: it serves the malicious file only when the request originates from a targeted country and carries particular browser headers; anyone else gets nothing. There are two types of dropper. The first plants MiniDoor, a slim C++ tool. It modifies registry settings to weaken Outlook's macro protections and uses XOR decryption to unpack the VBA project it installs into Outlook.
It conceals itself in the startup folder of the application. MiniDoor monitors for logins and new mail as soon as Outlook launches.
It scans folders such as Inbox and Drafts, tracks what it has already taken to avoid duplicates, bundles the emails, and silently forwards them to hacker-controlled addresses without leaving copies in the Sent folder. The second dropper delivers PixyNetLoader. This loader decrypts several payloads: a task-scheduler file, a fake EhStoreShell.dll, and shellcode hidden by steganography inside a PNG image.
It hijacks a legitimate Windows COM object so that explorer.exe loads the malicious DLL, which proxies calls through to the real one. A brief restart of the scheduled task forces the load. EhStoreShell.dll checks for sandboxes using sleep timings, then extracts the shellcode from the PNG via LSB steganography. The shellcode launches Grunt, the .NET implant of the open-source Covenant C2 framework.
Grunt hides its commands in XORed Base64 strings and calls home through the Filen API.

Fancy Bear's Track Record, and Defenses

Fancy Bear, also known as APT28, is associated with Russia's GRU Unit 26165. Since 2007 the group has spied on governments, military forces, NATO allies, and critics around the world.
Past operations used X-Agent, Zebrocy, and zero-days in Office and Flash. The attribution rests on overlaps with that history: PNG steganography seen in earlier operations, the same COM tricks, matching targets, and echoes of NotDoor in MiniDoor.
Patch now by installing Microsoft's CVE-2026-21509 update. Be wary of RTF lures from dubious sources. Block or monitor abuse of the Filen API, check Outlook for rogue registry changes, and draw on threat-intelligence sources such as PolySwarm, which lists IOC samples.
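A defender-side check for that last recommendation, added here as an example and not code from the article or the researchers: a PowerShell audit of the Outlook macro-security registry values an Outlook VBA backdoor would have to relax, plus a freshness check on Outlook's VBA project file. The value names are Outlook's own settings; which of them this campaign actually changes is an assumption.

```powershell
# Added example: audit Outlook macro-security settings and the VBA project file.
# Value names are documented Outlook settings; treating them as this campaign's
# tampering targets is an assumption, not a claim from the article.
$findings = @()
Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |   # e.g. 16.0
    ForEach-Object {
        $sec = Join-Path $_.PSPath 'Outlook\Security'
        if (-not (Test-Path $sec)) { return }
        $p = Get-ItemProperty -Path $sec
        # Level: 1 = all macros enabled; Outlook's default is 3 (warn for all).
        if ($p.Level -eq 1) {
            $findings += "$sec`\Level = 1 (all macros enabled)"
        }
        # LoadMacroProviderOnBoot = 1 makes Outlook load its VBA project at startup,
        # which is what a macro-based backdoor needs in order to run unattended.
        if ($p.LoadMacroProviderOnBoot -eq 1) {
            $findings += "$sec`\LoadMacroProviderOnBoot = 1 (VBA loaded at boot)"
        }
    }

# Outlook stores its single VBA project here; a recent write on a host where
# nobody authors Outlook macros deserves a closer look.
$vba = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $vba) {
    $f = Get-Item $vba
    if ($f.LastWriteTime -gt (Get-Date).AddDays(-7)) {
        $findings += "VbaProject.OTM modified $($f.LastWriteTime) ($($f.Length) bytes)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No suspicious Outlook macro settings or recent VBA project changes found.' }
```

Run it in the affected user's session (the keys live under HKCU); a clean result does not rule out compromise, only this particular persistence route.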