In a striking display of offensive agility, the Russian-linked state-sponsored hacking collective known as APT28 (or Fancy Bear) has successfully weaponized a critical Microsoft Office vulnerability less than 72 hours after its public disclosure.

The campaign, dubbed “Operation Neusploit” by security researchers, targets government and military entities across Ukraine, Poland, and the Baltic states, signaling a new high-water mark for the speed at which state actors can turn defensive security patches into offensive blueprints.

The 72-Hour Turnaround

The vulnerability, tracked as CVE-2026-21509, was disclosed by Microsoft on January 26, 2026. It involves a flaw in how Office handles Rich Text Format (RTF) documents, allowing an attacker to bypass critical security mitigations like Object Linking and Embedding (OLE) protections.

Metadata recovered from the attackers’ infrastructure suggests the weaponized documents were authored on January 27, just one day after the patch was released. By January 29, the first wave of phishing emails had already hit the inboxes of European diplomats and military personnel.

Sophisticated Phishing and Stealth

According to reports from CERT-UA (Ukraine’s Computer Emergency Response Team), the group used highly localized social engineering lures. These included:

  • Fake Diplomatic Circulars: Documents masquerading as EU COREPER (Committee of Permanent Representatives) consultations.
  • Weather Alerts: Phishing emails appearing to come from the Ukrainian Hydrometeorological Center.

The technical execution is equally refined. When a victim opens the malicious document, the exploit triggers a multi-stage infection:

  1. WebDAV Retrieval: The document fetches a malicious library disguised as a system file (EhStoreShell.dll).
  2. COM Hijacking: The malware modifies the Windows Registry to hijack legitimate system processes.
  3. Steganography: The final payload—a backdoor known as Covenant Grunt—is hidden within a seemingly harmless image file (SplashScreen.png).
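The second and third stages leave host-side artifacts a defender can hunt for. The script below is an added example, not code from the article or from CERT-UA. It assumes two things the article does not spell out: that the COM hijack is a per-user CLSID registration under HKCU\Software\Classes\CLSID\{...}\InprocServer32 (which Windows consults before the machine-wide HKLM entry), and that the image carrier holds its payload as bytes appended after the PNG IEND chunk, one common embedding technique. The registry export and the PNG bytes it scans are constructed samples; the CLSID values are placeholders.

```python
"""Hunt for two host-side artifacts of the infection chain: a per-user COM
InprocServer32 entry pointing at an untrusted DLL, and a PNG with data
appended after IEND. Added example with constructed sample data."""
import re
import struct
import zlib

KNOWN_BAD_DLLS = {"ehstoreshell.dll"}  # file name reported in the article
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                        "c:\\program files (x86)\\")

# Assumption: hijack lives under HKCU\Software\Classes\CLSID\{GUID}\InprocServer32
_KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\\{[^}]+\}"
    r"\\InprocServer32)\]$", re.I)
_DEFAULT_RE = re.compile(r'^@="(?P<path>[^"]*)"$')  # default value of the key


def parse_reg_export(text):
    """Yield (key, default_value) for each per-user InprocServer32 key in a .reg export."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        if line.startswith("["):      # some other key; stop collecting
            current = None
            continue
        if current:
            m = _DEFAULT_RE.match(line)
            if m:                      # .reg doubles backslashes in strings
                yield current, m.group("path").replace("\\\\", "\\")


def find_com_hijacks(reg_text):
    """Flag servers with a known-bad name or living outside trusted system dirs."""
    findings = []
    for key, path in parse_reg_export(reg_text):
        p = path.lower()
        reasons = []
        if p.rsplit("\\", 1)[-1] in KNOWN_BAD_DLLS:
            reasons.append("known-bad file name")
        if not p.startswith(TRUSTED_DIR_PREFIXES):
            reasons.append("server outside trusted system directories")
        if reasons:
            findings.append({"key": key, "path": path, "reasons": reasons})
    return findings


PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data):
    """Walk the chunk list; return the number of bytes after IEND (0 for a clean file)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk")


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(trailer=b""):
    """Build a minimal valid 1x1 RGB PNG, optionally with bytes appended (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one RGB pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


# Constructed .reg export; GUIDs are placeholders, not real CLSIDs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\EhStoreShell.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"""

if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_REG):
        print("COM hijack candidate:", f["path"], "|", "; ".join(f["reasons"]))
    print("trailing bytes in clean PNG:", png_trailing_bytes(make_png()))
    print("trailing bytes in stuffed PNG:", png_trailing_bytes(make_png(b"MZ" + b"\x00" * 40)))
```

On a live host the registry text would come from `reg export HKCU\Software\Classes\CLSID` and the PNG bytes from the suspect file; the trusted-directory check is deliberately coarse, so treat a hit as a lead for triage rather than a verdict.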

Shrinking the “Patch Window”

The speed of this attack has alarmed the security community. “The window for organizations to test and deploy patches is effectively gone,” noted one security analyst. “If you aren’t patching critical Office flaws within 48 hours, you are now operating in the ‘danger zone’ for state-sponsored infiltration.”

APT28 also employed server-side filtering, ensuring the malicious payloads were only delivered if the victim’s IP address originated from a specific target country, such as Ukraine or Romania. This technique helps the attackers avoid detection by automated security scanners located in the U.S. or UK.

Top Risk Mitigation Measures

The most effective defense is eliminating the vulnerability entirely.

  • For Office 2021/365: A service-side fix is already active; simply restarting the application will apply the protection.
  • For Office 2016/2019: These versions require a manual update or the deployment of the January 2026 security patch.
  • Checklist: Ensure all endpoints, including remote laptops and unmanaged “bring your own device” (BYOD) hardware, have received the update.

You can view Microsoft’s official mitigations here.
