
To conduct cyberattacks against organizations in Ukraine and the European Union, the Russian state-sponsored hacking group Fancy Bear (APT28) has been exploiting a recently disclosed vulnerability in Microsoft Office.
The Computer Emergency Response Team of Ukraine (CERT-UA), the country’s national cyber threat intelligence unit, says it identified the threat after discovering a Word file named “Consultation_Topics_Ukraine(Final).doc.”
The document was supposedly dedicated to the consultations of the Committee of Permanent Representatives to the EU (COREPER) on the situation in Ukraine.
The file contained an exploit for CVE-2026-21509, a high-severity vulnerability (with a CVSS score of 7.8) affecting several versions of Microsoft Office.
Disclosed by Microsoft on January 26th, the flaw is classified as reliance on untrusted inputs in a security decision in Microsoft Office.
When exploited, it can enable an attacker to bypass object linking and embedding (OLE) mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable component object model (COM) and OLE controls, CERT-UA said.
Simply put, the vulnerability is a security feature bypass in Microsoft Office: an unauthenticated attacker who gets a user to open a specially crafted Office file can trigger it and evade those OLE protections. That is exactly what happened here, the day after Microsoft’s disclosure.
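As an added example, not code from the original article or from CERT-UA's or Zscaler's tooling: a small triage script that walks the directory of an OLE compound file (the container format of a classic .doc lure like the one described) and flags storages and streams that indicate embedded or linked OLE objects. It assumes the lure arrives as a compound file and that OLE objects sit in the usual containers (ObjectPool, \x01Ole, \x01Ole10Native); the exploit itself is not reproduced, the article gives no layout details for the real document, and the sample file parsed below is constructed inline.

```python
"""Triage helper: list the entries of an OLE compound file (.doc) and flag
those that indicate embedded/linked OLE objects. Added example; the sample
document is constructed here and the CVE-2026-21509 trigger is not modelled."""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
TYPE_NAMES = {1: "storage", 2: "stream", 5: "root"}

# Assumption: these are the usual containers for OLE objects in Word files.
OLE_INDICATORS = {
    "ObjectPool": "Word storage that holds embedded OLE objects",
    "\x01Ole10Native": "raw embedded file (Packager object)",
    "\x01Ole": "OLE object/link descriptor stream",
}


def _sector(data, n, size):
    """Sector n starts at (n + 1) * size because the header fills sector -1."""
    sec = data[(n + 1) * size:(n + 2) * size]
    if len(sec) < size:
        raise ValueError("truncated compound file")
    return sec


def parse_cfb(data):
    """Return [(name, kind, size)] for every used directory entry."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)  # extended DIFAT (large files) not handled
    fat = []
    for s in difat[:num_fat]:
        fat.extend(struct.unpack(f"<{sector_size // 4}I", _sector(data, s, sector_size)))
    # Follow the directory chain through the FAT; the loop bound defeats cyclic chains.
    chain, sect = b"", first_dir
    for _ in range(len(fat)):
        if sect >= len(fat):           # ENDOFCHAIN/FREESECT or out-of-range sector
            break
        chain += _sector(data, sect, sector_size)
        sect = fat[sect]
    entries = []
    for off in range(0, len(chain) - 127, 128):
        e = chain[off:off + 128]
        name_len = struct.unpack_from("<H", e, 0x40)[0]  # bytes incl. UTF-16 terminator
        kind = e[0x42]
        if kind == 0 or name_len < 2:  # unused entry
            continue
        name = e[:name_len - 2].decode("utf-16-le", "replace")
        size = struct.unpack_from("<I", e, 0x78)[0]
        entries.append((name, TYPE_NAMES.get(kind, str(kind)), size))
    return entries


def ole_indicators(entries):
    """Entries whose name marks an embedded or linked OLE object."""
    return [(n, OLE_INDICATORS[n]) for n, _, _ in entries if n in OLE_INDICATORS]


def _dir_entry(name, kind, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<H", e, 0x40, len(raw))
    e[0x42], e[0x43] = kind, 1                          # type, colour black
    struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, FREESECT)  # no siblings/child
    struct.pack_into("<II", e, 0x74, ENDOFCHAIN, size)  # start sector, low size
    return bytes(e)


def build_sample_doc(with_ole=True):
    """Constructed minimal .doc: header, one FAT sector, two directory sectors."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, order, shifts
    struct.pack_into("<III", hdr, 0x2C, 1, 1, 0)                  # FAT count, first dir, txn
    struct.pack_into("<IIIII", hdr, 0x38, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))  # DIFAT: FAT is sector 0
    fat = struct.pack("<128I", FATSECT, 2, ENDOFCHAIN, *([FREESECT] * 125))
    names = [("Root Entry", 5), ("WordDocument", 2, 4096), ("\x01CompObj", 2, 120)]
    if with_ole:
        names += [("ObjectPool", 1), ("\x01Ole10Native", 2, 2048)]
    directory = b"".join(_dir_entry(*n) for n in names)
    return bytes(hdr) + fat + directory + b"\x00" * (1024 - len(directory))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_doc()
    entries = parse_cfb(data)
    for name, kind, size in entries:
        print(f"{kind:8} {size:8} {name!r}")
    for name, why in ole_indicators(entries):
        print("OLE indicator:", repr(name), "-", why)
```

Run it with a file argument to list the entries of a real document; with no argument it parses the constructed sample. A hit on ObjectPool or \x01Ole10Native does not prove exploitation of CVE-2026-21509; it only earns the file a detonation in a sandbox on both a patched and an unpatched Office build, which is where the bypass would show.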
Indeed, Microsoft confirmed in its security advisory that it had detected evidence of exploitation in the wild. The tech firm urged customers running Microsoft Office 2016 and 2019 to ensure the update is installed to be protected.
In late January 2026, three additional documents targeting organizations in EU countries, such as Slovakia and Romania, with the same exploit were identified by Zscaler ThreatLabz researchers who are tracking the campaign as Operation Neusploit.
“Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries,” security researchers Sudeep Singh and Roy Tay said.
“The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.”
APT28, also known as Fancy Bear, has been active worldwide since at least 2004, primarily in the field of cyberespionage.
According to Germany’s domestic intelligence agency, it is one of the most active and dangerous cyber actors worldwide. APT28 reports to Russia’s military intelligence agency, the GRU.