Critical Microsoft Office Zero-Day Exploited by Russian Hackers to Deploy Sophisticated Malware
A critical zero-day vulnerability in Microsoft Office, identified as CVE-2026-21509, is being actively exploited by the Russian-linked threat group UAC-0001, also known as APT28. This group is deploying sophisticated malware targeting Ukrainian government entities and European Union organizations.
Rapid Exploitation Following Disclosure
Microsoft disclosed the vulnerability on January 26, 2026, warning of active exploitation in the wild. Within 24 hours, threat actors had weaponized the flaw. On January 27, 2026, security researchers discovered a malicious DOC file titled Consultation_Topics_Ukraine(Final).doc containing an exploit for CVE-2026-21509. The document was themed around consultations of the Committee of Permanent Representatives to the EU (COREPER) regarding Ukraine, demonstrating the attackers’ use of geopolitically relevant social engineering tactics.
By January 29, 2026, the Ukrainian Computer Emergency Response Team (CERT-UA) detected a widespread phishing campaign distributing malicious documents purporting to be weather bulletins from the Ukrhydrometeorological Center. This campaign targeted over 60 email addresses, primarily belonging to Ukrainian central executive bodies.
Attack Chain and Technical Details
When victims open the weaponized document in Microsoft Office, the exploit establishes a network connection to the attacker’s infrastructure via the WebDAV protocol. The malware downloads a shortcut file containing executable code that deploys multiple malicious components, including EhStoreShell.dll and SplashScreen.png, which contain shellcode.
The attack leverages COM hijacking techniques by modifying Windows registry entries and creates a scheduled task named OneDriveHealth for persistence. The final payload is COVENANT, a sophisticated post-exploitation framework that uses legitimate Filen cloud storage (filen.io) for command-and-control communications. This approach helps evade detection by blending malicious traffic with legitimate cloud service activity.
Additional malicious documents targeting EU countries were discovered in late January 2026. In one case, attackers registered attack infrastructure domain names on the same day as the attack, indicating rapid operational capabilities.
Mitigation and Recommendations
CERT-UA security experts warn that exploitation attempts are likely to increase due to slow patching cycles and users’ inability to update Microsoft Office installations promptly. Organizations should immediately implement Microsoft’s recommended registry-based mitigations, monitor network connections to Filen cloud storage infrastructure (filen.io), and block identified indicators of compromise.
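As an added example that is not part of the article or of CERT-UA's guidance, the following detection logic runs over constructed telemetry records and flags the behaviours described in the attack chain and the monitoring recommendation above: an Office process opening an outbound (WebDAV) connection, a scheduled task named OneDriveHealth, a COM-hijack style write to an InprocServer32 key under HKCU (the HKCU location and the CLSID are assumptions, not from the article), and traffic to filen.io. The event field names, process paths and sample events are constructed.

```python
"""Flag constructed endpoint telemetry against the UAC-0001/APT28 chain
described in the article. Record shape and sample values are constructed."""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
C2_DOMAINS = {"filen.io"}  # named in the article; subdomains matched below

# Constructed events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "net_connect", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_host": "203.0.113.10", "dest_port": 80},          # document fetching over WebDAV
    {"type": "task_created", "task_name": r"\OneDriveHealth",
     "image": r"C:\Windows\System32\schtasks.exe"},          # persistence task from the article
    {"type": "registry_set",                                 # COM hijack: CLSID is a placeholder
     "key": r"HKCU\Software\Classes\CLSID\{00000000-PLACEHOLDER-CLSID}\InprocServer32\(Default)",
     "value": r"C:\Users\user\AppData\Local\EhStoreShell.dll"},
    {"type": "net_connect", "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "gateway.filen.io", "dest_port": 443},     # C2 over Filen cloud storage
    {"type": "net_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.org", "dest_port": 443},          # benign
    {"type": "task_created", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "image": r"C:\Windows\System32\svchost.exe"},           # benign
]


def classify(event):
    """Return the detection labels that apply to one event (empty list = nothing flagged)."""
    hits = []
    kind = event.get("type")
    if kind == "task_created":
        if event.get("task_name", "").lower().lstrip("\\") == "onedrivehealth":
            hits.append("persistence:scheduled_task_OneDriveHealth")
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        # A per-user InprocServer32 override shadows the machine-wide COM server (T1546.015).
        if key.startswith(r"hkcu\software\classes\clsid") and r"\inprocserver32" in key:
            hits.append("persistence:com_hijack_hkcu_inprocserver32")
    elif kind == "net_connect":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        host = event.get("dest_host", "").lower()
        if image in OFFICE_IMAGES:
            # Office itself reaching out is how the WebDAV stage in the article would appear.
            hits.append("initial_access:office_outbound_connection")
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append("c2:filen_cloud_storage")
    return hits


def scan(events):
    """Return (index, labels) for every event that produced at least one label."""
    return [(i, labels) for i, e in enumerate(events) if (labels := classify(e))]


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], labels)
```

The filen.io match is a monitoring hook, not proof of compromise on its own, since the service is legitimate; correlate it with the task or registry hits before acting.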
Users should exercise extreme caution when opening unsolicited Office documents, particularly those with geopolitical or administrative themes.