Russia's APT28 cyber-espionage group has begun abusing a recently patched Microsoft vulnerability to steal email and deliver malicious payloads to organizations in Central and Eastern Europe, the latest example of how quickly attackers weaponize newly disclosed flaws. Microsoft released an out-of-cycle patch for CVE-2026-21509, a security feature bypass vulnerability in Microsoft Office, on January 26 after confirming active zero-day exploitation.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog.

## Quick Exploit

Three days later, according to Zscaler researchers, APT28 began exploiting the vulnerability.
According to Desai, exploiting CVE-2026-21509 would have required medium to high effort on APT28's part. There is no evidence yet that other groups have successfully exploited the vulnerability, but that may change soon. "It is very likely that other threat actors will use the proof-of-concepts (PoCs) that some researchers have made public for CVE-2026-21509 as weapons in actual attacks."
## Mitigate as Soon as Possible

To reduce the risk of a breach, he advises organizations to install Microsoft's patch for the vulnerability as soon as possible.
Xcape senior security engineer Noelle Murata described APT28's turnaround time for exploiting CVE-2026-21509 as "absurd." According to Murata, "the attack uses classic techniques with a modern twist: WebDAV downloads, COM hijacking, shellcode hidden in PNGs, and the Covenant framework using Filen cloud storage for C2." Organizations should update Office and restart it immediately.
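Since the technique list above includes COM hijacking, the following PowerShell hunt is an added example (not code from the article, Zscaler, or Xcape) of the generic check a defender would run on an endpoint: enumerate per-user CLSID InprocServer32 registrations under HKCU, which are resolved before the machine-wide HKLM entries, and flag any that shadow an HKLM registration or point into a user-writable location. It is a general detection for the technique, not an indicator tied to this campaign; the user-writable path heuristics are assumptions.

```powershell
# Added example: hunt for per-user COM hijacks. Not derived from any specific
# indicator of this campaign; the path heuristics below are assumptions.
$userClsid = 'HKCU:\Software\Classes\CLSID'
if (-not (Test-Path $userClsid)) {
    Write-Output 'No per-user CLSID key present; nothing to check.'
    return
}

Get-ChildItem -Path $userClsid -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = Join-Path -Path $_.PSPath -ChildPath 'InprocServer32'
    if (-not (Test-Path $inproc)) { return }   # skip CLSIDs without an in-process server

    $userDll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if (-not $userDll) { return }

    # Expand %LOCALAPPDATA% and similar so the path heuristics apply to the real location.
    $expanded = [Environment]::ExpandEnvironmentVariables($userDll).Trim('"')

    # A per-user entry that also exists under HKLM shadows the legitimate server.
    $machineDll = (Get-ItemProperty -Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" `
                    -ErrorAction SilentlyContinue).'(default)'

    # Heuristic (assumption): servers loaded from profile/temp/ProgramData paths are suspect.
    $userWritable = $expanded -match '^C:\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'

    [pscustomobject]@{
        CLSID            = $clsid
        UserDll          = $expanded
        MachineDll       = $machineDll
        ShadowsHKLM      = [bool]$machineDll
        UserWritablePath = $userWritable
        DllExists        = Test-Path -Path $expanded
    }
} | Where-Object { $_.ShadowsHKLM -or $_.UserWritablePath } | Format-Table -AutoSize
```

Run it in the context of the user whose profile is being examined (HKCU is per-user), and treat hits as leads rather than verdicts: some legitimate software registers per-user COM servers in AppData, so verify the flagged DLL's signature and origin before acting.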