Attacks using a recently revealed Microsoft Office security vulnerability have been linked to the Russia-affiliated state-sponsored threat actor APT28 (also known as UAC-0001) as part of a campaign codenamed Operation Neusploit. Three days after Microsoft made the vulnerability public, Zscaler ThreatLabz reported that it had seen the hacker collective use it as a weapon in attacks against users in Slovakia, Romania, and Ukraine on January 29, 2026. The vulnerability in question is CVE-2026-21509 (CVSS score: 7.8), a Microsoft Office security feature bypass that could be triggered by an unauthorized attacker sending a specially created Office file.

Security researchers Sudeep Singh and Roy Tay stated, "Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries. By using server-side evasion techniques, the threat actor only responded with the malicious DLL when requests came from the targeted geographic area and contained the appropriate User-Agent HTTP header." In a nutshell, the attack chains involve using a malicious RTF file to exploit the security flaw and deliver two distinct dropper versions: PixyNetLoader, which is in charge of deploying a Covenant Grunt implant, and MiniDoor, an Outlook email stealer.

The first dropper serves MiniDoor, a C++-based DLL file that steals emails from users' Inbox, Junk, and Drafts folders and forwards them to two hard-coded threat actor email addresses, ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me.

MiniDoor is assessed to be a stripped-down version of NotDoor (aka GONEPOSTAL), which was documented by S2 Grupo LAB52 in September 2025. The second dropper, PixyNetLoader, on the other hand, is used to start a much more complex attack chain that includes delivering more components that are embedded into it and using COM object hijacking to establish persistence on the host. A shellcode loader ("EhStoreShell.dll") and a PNG image ("SplashScreen.png") are two of the extracted payloads.

The loader's main duty is to decode and run shellcode that is hidden in the image using steganography. However, the loader only initiates its malicious logic when the host process that launched the DLL is "explorer.exe" and the compromised machine is not an analysis environment. If the requirements are not fulfilled, the malware remains dormant.

In the end, the extracted shellcode loads an embedded .NET assembly: a Grunt implant for the open-source .NET COVENANT command-and-control (C2) framework. Notably, Sekoia brought attention to APT28's use of the Grunt Stager in September 2025 as part of a campaign called Operation Phantom Net Voxel.

The revelation comes after the Computer Emergency Response Team of Ukraine (CERT-UA) issued a report alerting the public to APT28's misuse of CVE-2026-21509, which involved targeting over 60 email addresses connected to the nation's central executive authorities using Word documents. One of the lure documents was created on January 27, 2026, according to metadata analysis. CERT-UA stated, "During the investigation, it was discovered that opening the document with Microsoft Office results in establishing a network connection to an external resource using the WebDAV protocol, followed by downloading a file with a shortcut file name containing program code designed to download and run an executable file."
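The behaviours described above give defenders three concrete things to look for: an Office process writing a shortcut (.lnk) file after a WebDAV fetch (the CERT-UA chain), a per-user COM `InprocServer32` registration pointing at a DLL outside the Windows or Program Files trees (the PixyNetLoader persistence step), and explorer.exe loading a DLL from a user-writable directory (the host-process gate the loader checks before running). The following detection logic is an added example, not code from Zscaler, CERT-UA or the article; it runs over constructed Sysmon-style events (event IDs 7, 11 and 13, field names following Sysmon's schema), and the paths, user name and CLSID in the sample log are invented placeholders, not campaign indicators:

```python
"""Hunting rules for the Operation Neusploit behaviours, run over constructed
Sysmon-style JSON events. Added example; the sample events, file paths and the
CLSID value are constructed placeholders, not indicators from the campaign."""
import json
import re
from typing import Iterable

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Directories an ordinary user can write to; a DLL here loaded by a system
# process is worth a look.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
# Registry path of a COM in-process server registration.
CLSID_INPROC = re.compile(r"\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32", re.I)
# Locations where a legitimately installed COM server DLL normally lives.
TRUSTED_DLL_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    # Rule 1 (Sysmon 11, FileCreate): Office application writes a shortcut file,
    # as in the WebDAV-delivered .lnk CERT-UA describes.
    if eid == 11 and image in OFFICE_PROCESSES \
            and ev.get("TargetFilename", "").lower().endswith(".lnk"):
        hits.append("office_wrote_lnk")
    # Rule 2 (Sysmon 13, RegistryEvent SetValue): InprocServer32 pointed at a DLL
    # outside the trusted install directories, the COM hijacking persistence pattern.
    if eid == 13 and CLSID_INPROC.search(ev.get("TargetObject", "")) \
            and not TRUSTED_DLL_DIRS.match(ev.get("Details", "")):
        hits.append("com_hijack_inprocserver32")
    # Rule 3 (Sysmon 7, ImageLoad): explorer.exe loads a DLL from a user-writable
    # path; the article says the loader only runs when hosted by explorer.exe.
    if eid == 7 and image == "explorer.exe" \
            and USER_WRITABLE.search(ev.get("ImageLoaded", "")):
        hits.append("explorer_loaded_user_dll")
    return hits


def scan(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Parse JSON-lines events and return (line number, matched rules) per hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        hits = check_event(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log: three events that should fire, two benign ones that should not.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\invite.lnk"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\EhStoreShell.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\EhStoreShell.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Classes\CLSID"
                     r"\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\server.dll"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for line_no, rules in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(rules)}")
```

Rule 2 deliberately does not distinguish HKLM from HKU: a per-user CLSID override is the classic hijack, but a machine-wide registration pointing at a user-writable DLL is just as suspicious, so the DLL location is the discriminator. In a real deployment the user-writable and trusted-directory patterns would be tuned to the environment's installers and the rules fed from Sysmon or EDR telemetry rather than a list of strings.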

This in turn sets off an attack chain identical to the PixyNetLoader one, ending in the deployment of the COVENANT framework's Grunt implant.