A sophisticated cyber espionage campaign leveraging a critical zero-day vulnerability in Microsoft Office has targeted Ukrainian government agencies and European Union institutions, security researchers have confirmed. Within hours of Microsoft's public disclosure, the threat group UAC-0001 (also tracked as APT28 and linked to Russian military intelligence) deployed advanced malware payloads via weaponized documents that exploited CVE-2026-21509.

Vulnerability Taken Advantage of Within 24 Hours of Disclosure

On Monday, January 26, 2026, Microsoft released information about CVE-2026-21509, acknowledging that the vulnerability, which affects several Office product versions, was already being exploited. On January 29, 2026, CERT-UA security analysts found the first weaponized document, indicating that threat actors had created functional exploits within 72 hours of the advisory.

Just one day after Microsoft's disclosure, the malicious file "Consultation_Topics_Ukraine(Final).doc" surfaced in the wild; its metadata timestamps indicate it was created on January 27, 2026, at 07:43 UTC. The exploit works through a specially crafted DOC file that, when opened in a vulnerable Microsoft Office installation, connects over the WebDAV protocol to attacker-controlled infrastructure. The attack chain then downloads a malicious shortcut file whose embedded code retrieves and runs additional payloads from remote servers.

A successful exploit deploys several components, including an image file named "SplashScreen.png" that carries shellcode and a DLL named "EhStoreShell.dll" that poses as an Enhanced Storage Shell Extension library.

The attack implements COM hijacking by modifying Windows registry values for CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} and establishes persistence through a scheduled task named "OneDriveHealth." This configuration ensures the malicious DLL loads automatically when the Windows Explorer process restarts, which ultimately launches the COVENANT post-exploitation framework. Notably, the threat actors use legitimate FileCloud storage infrastructure for command-and-control communications, which complicates detection.

On January 29, 2026, Ukrainian organizations received phishing emails purporting to come from the Ukrhydrometeorological Center and carrying the weaponized document "BULLETEN_H.doc." The campaign targeted more than sixty email addresses, mostly belonging to central executive government agencies.

CERT-UA researchers discovered three more exploit documents, intended for attacks against European Union entities, in late January 2026. Infrastructure analysis showed that one domain was registered on January 30, 2026, the same day it was used in active operations.

CVE ID          Affected Products          Vulnerability Type      CVSS Score     Exploitation Status
CVE-2026-21509  Microsoft Office Products  Remote Code Execution   Not Available  Actively Exploited

Security authorities strongly advise applying Microsoft's published registry-based mitigations immediately to reduce attack surface exposure.

Organizations should block or monitor network connections to Filen cloud storage infrastructure, including domains under *.filen.net and *.filen.io and the related IP addresses in the 146.0.41.x range.
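The persistence and network indicators described above (the hijacked CLSID, the "OneDriveHealth" task, the dropped loader files, and the Filen domains and 146.0.41.x range) are concrete enough to turn into detection logic. The script below is an added example written for this article, not code from CERT-UA or Microsoft; it runs the article's indicators over constructed Sysmon-style telemetry. Everything about the log format is an assumption: events are `Key=Value` pairs joined by `;`, EventID values follow Sysmon (3 network connection, 11 file create, 13 registry value set, 22 DNS query) plus Windows Security 4698 (scheduled task created), and the registry path, process images and sample IP are made up for the demonstration. The plain-HTTP-from-an-Office-process heuristic is the example's own and is expected to need tuning.

```python
"""Added example (not from the article): match the CVE-2026-21509 campaign
indicators against constructed Sysmon-style events. Log format, event IDs and
sample values are assumptions; only the indicators come from the article."""
import ipaddress
import ntpath

# Indicators taken from the article.
HIJACKED_CLSID = "{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
TASK_NAME = "OneDriveHealth"
C2_DOMAIN_SUFFIXES = ("filen.net", "filen.io")
C2_NETWORK = ipaddress.ip_network("146.0.41.0/24")
LOADER_FILES = {"ehstoreshell.dll", "splashscreen.png"}
# Assumption: Office processes that would open the weaponized document.
OFFICE_PROCESSES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_event(line):
    """Parse 'Key=Value;Key=Value' (constructed format) into a dict."""
    event = {}
    for field in line.split(";"):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def is_c2_domain(name):
    """True for filen.net / filen.io and any subdomain of them."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in C2_DOMAIN_SUFFIXES)


def is_internal(ip):
    return any(ip in net for net in RFC1918)


def classify(event):
    """Return (rule, severity) for one event, or None if nothing matched."""
    eid = event.get("EventID")
    image = ntpath.basename(event.get("Image", "")).upper()
    if eid == "22" and is_c2_domain(event.get("QueryName", "")):
        return ("dns_to_filen_infrastructure", "high")
    if eid == "3":
        try:
            dst = ipaddress.ip_address(event.get("DestinationIp", ""))
        except ValueError:
            return None
        if dst in C2_NETWORK:
            return ("connection_to_146_0_41_range", "high")
        if image in OFFICE_PROCESSES and event.get("DestinationPort") == "80" and not is_internal(dst):
            # Heuristic (assumption): plain-HTTP egress from an Office process is rare
            # and matches the WebDAV fetch the article describes; expect false positives.
            return ("office_process_http_egress_webdav_candidate", "medium")
    if eid == "13" and HIJACKED_CLSID.lower() in event.get("TargetObject", "").lower():
        # Higher severity when the value points at the loader DLL named in the article.
        sev = "high" if "ehstoreshell.dll" in event.get("Details", "").lower() else "medium"
        return ("com_hijack_clsid_modified", sev)
    if eid == "11" and ntpath.basename(event.get("TargetFilename", "")).lower() in LOADER_FILES:
        return ("loader_component_written", "medium")
    if eid == "4698" and ntpath.basename(event.get("TaskName", "")) == TASK_NAME:
        return ("scheduled_task_persistence", "high")
    return None


def scan(lines):
    """Run classify() over every line; return findings with 1-based line numbers."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = classify(parse_event(line))
        if hit:
            findings.append({"line": n, "rule": hit[0], "severity": hit[1]})
    return findings


# Constructed sample telemetry (not captured from a real incident). The IP 146.0.41.7
# is a placeholder inside the range the article names; paths and SIDs are made up.
SAMPLE_EVENTS = [
    r"EventID=22;Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE;QueryName=gateway.filen.io",
    r"EventID=3;Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE;DestinationIp=146.0.41.7;DestinationPort=80",
    r"EventID=3;Image=C:\Windows\System32\svchost.exe;DestinationIp=192.168.1.20;DestinationPort=445",
    r"EventID=3;Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE;DestinationIp=203.0.113.9;DestinationPort=80",
    r"EventID=11;Image=C:\Windows\explorer.exe;TargetFilename=C:\Users\user\AppData\Roaming\EhStoreShell.dll",
    r"EventID=13;Image=C:\Windows\System32\reg.exe;TargetObject=HKU\S-1-5-21-0-0-0-1001\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32\(Default);Details=C:\Users\user\AppData\Roaming\EhStoreShell.dll",
    r"EventID=4698;TaskName=\OneDriveHealth",
    r"EventID=22;Image=C:\Program Files\Mozilla Firefox\firefox.exe;QueryName=www.example.com",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f['line']}: {f['severity']:<6} {f['rule']}")
```

Lines 1, 2, 5, 6 and 7 of the sample fire on hard indicators from the article; line 4 fires only on the heuristic and is where an analyst would start tuning. The benign svchost SMB connection and the Firefox DNS query produce nothing, which is the check that the rules are not simply matching every event.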

The quick weaponization timeline and the targeting of government agencies suggest the vulnerability will be exploited more widely as organizations struggle to deploy patches across enterprise environments. System administrators should prioritize the Office security updates and add monitoring for WebDAV protocol connections and suspicious scheduled tasks.