A critical zero-day vulnerability in Microsoft Office has been actively exploited by the Russia-affiliated threat group UAC-0001, also known as APT28. The group is using this vulnerability to infect European Union organizations and Ukrainian government agencies with sophisticated malware.

Microsoft revealed the vulnerability, known as CVE-2026-21509, on January 26, 2026, along with alerts regarding active exploitation in the wild. Threat actors weaponized the vulnerability within a day of Microsoft's public disclosure.

Quick Exploitation Following Disclosure

On January 27, 2026, security researchers discovered a malicious DOC file titled "Consultation_Topics_Ukraine(Final).doc" containing an exploit for CVE-2026-21509.

Figure: damage chain (source: CERT-UA)

The Committee of Permanent Representatives to the EU (COREPER) consultations on Ukraine served as the document's theme, highlighting the attackers' use of geopolitically relevant social engineering. On January 29, 2026, the Ukrainian Computer Emergency Response Team (CERT-UA) detected a widespread phishing campaign distributing malicious documents purporting to be weather bulletins from the Ukrhydrometeorological Center. More than sixty email addresses, mostly belonging to Ukrainian central executive bodies, were targeted by the campaign.

Attack Chain and Technical Details

When victims open the weaponized document in Microsoft Office, the exploit establishes a network connection to the attacker's infrastructure via the WebDAV protocol.

Figure: Documents containing the exploit's content (source: CERT-UA)

The malware then downloads a shortcut file containing executable code that launches several malicious components, including the shellcode-carrying "EhStoreShell.dll" and "SplashScreen.png". For persistence, the attack uses COM hijacking, altering Windows registry entries and creating a scheduled task called "OneDriveHealth". The final payload is COVENANT, a sophisticated post-exploitation framework that uses the legitimate Filen cloud storage service (filen.io) for command-and-control communications.

Blending malicious traffic with legitimate cloud service activity helps this method evade detection. In late January 2026, more malicious documents aimed at EU nations were found.

In one case, attackers registered attack infrastructure domain names on the same day as the attack, indicating rapid operational capability. Because of slow patching cycles and users' inability to update Microsoft Office installations on time, CERT-UA security experts caution that exploitation attempts are likely to rise. Organizations should monitor network connections to Filen cloud storage infrastructure, block detected indicators of compromise, and put Microsoft's suggested registry-based mitigations into practice right away.
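The monitoring advice above is easier to act on when the indicators named in this article (WebDAV egress from the initial exploit, the EhStoreShell.dll / SplashScreen.png drop, the "OneDriveHealth" scheduled task, and C2 traffic to filen.io) are correlated per host rather than alerted on individually, since filen.io traffic alone is also legitimate. The following Python script is an added illustration, not code from CERT-UA or any vendor; the event records are constructed samples in a simplified schema, and the rule weights and threshold are assumptions to tune against your own telemetry.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (simplified, not a real Sysmon/EDR schema).
# Host ws01 follows the reported chain; ws02 only talks to filen.io.
EVENTS = [
    {"host": "ws01", "type": "network", "proto": "webdav", "dest": "198.51.100.5"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\u\AppData\Local\Temp\EhStoreShell.dll"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\u\AppData\Local\Temp\SplashScreen.png"},
    {"host": "ws01", "type": "process", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /tn "OneDriveHealth" /sc minute /mo 10 /tr rundll32.exe'},
    {"host": "ws01", "type": "network", "proto": "https", "dest": "api.filen.io"},
    {"host": "ws02", "type": "network", "proto": "https", "dest": "filen.io"},
]

# Each rule: (name, weight, predicate). Weights are assumed values reflecting
# how specific the indicator is; the task name is the strongest single signal.
RULES = [
    ("webdav_egress", 1, lambda e: e["type"] == "network" and e.get("proto") == "webdav"),
    ("dropped_component", 2, lambda e: e["type"] == "file" and
        e["path"].rsplit("\\", 1)[-1].lower() in {"ehstoreshell.dll", "splashscreen.png"}),
    ("onedrivehealth_task", 3, lambda e: e["type"] == "process" and
        re.search(r'/tn\s+"?OneDriveHealth"?', e.get("cmdline", ""), re.I) is not None),
    ("filen_c2", 2, lambda e: e["type"] == "network" and
        (e.get("dest", "").lower() == "filen.io" or e.get("dest", "").lower().endswith(".filen.io"))),
]
ALERT_THRESHOLD = 4  # a lone filen.io connection (weight 2) stays below alert level


def triage(events):
    """Per-host {'score': int, 'rules': [names]}; each rule counts once per host."""
    hits = defaultdict(set)
    for e in events:
        for name, _w, pred in RULES:
            if pred(e):
                hits[e["host"]].add(name)
    weights = {n: w for n, w, _ in RULES}
    return {h: {"score": sum(weights[n] for n in names), "rules": sorted(names)}
            for h, names in hits.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """Hosts whose correlated score reaches the alert threshold."""
    return sorted(h for h, r in triage(events).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for host, result in triage(EVENTS).items():
        print(host, result)
    print("alert:", alerts(EVENTS))
```

Hosts that only match the filen_c2 rule are worth a review queue rather than an alert, which is the distinction the weighted score is meant to encode.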

Unsolicited Office documents should be opened with extreme caution, especially those with administrative or geopolitical themes.