Cybersecurity investigators have identified a new attack campaign attributed to the Russia-linked hacking group APT28, tracked by CERT-UA as UAC-0001.
The campaign, named Operation Neusploit, exploits a recently disclosed Microsoft Office vulnerability, CVE-2026-21509. Researchers from Zscaler ThreatLabz report that the attackers began exploiting the flaw within a day of Microsoft's public disclosure. The attacks have mainly targeted users in Ukraine, Slovakia, and Romania.
APT28 began exploiting the critical Microsoft Office zero-day, tracked as CVE-2026-21509, less than a day after the vendor publicly disclosed it, launching targeted attacks against Ukrainian government agencies and European Union institutions.
Ukraine's Computer Emergency Response Team (CERT-UA) detected exploitation attempts beginning on January 27, one day after Microsoft published details of CVE-2026-21509.
Microsoft acknowledged active exploitation when it disclosed the flaw on January 26, but it withheld details about the threat actors, so it remains unclear whether the exploitation the vendor referred to is this campaign or a separate one.
Either way, the speed with which APT28 deployed customized attacks shows how narrow the window is for defenders to patch critical flaws.
Exploit Mechanics and Attack Vector
The attack chain begins when an unwitting user opens a malicious document in Microsoft Office. The exploit uses the WebDAV protocol to connect to attacker-controlled servers and download additional payloads. On success it drops a DLL named "EhStoreShell.dll", disguised as a legitimate component.
The chain then modifies the Windows registry so that the malicious DLL is loaded alongside trusted Windows processes.
For persistence, the malware also creates a scheduled task named "OneDriveHealth", which runs the malicious code periodically on the compromised system.
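The host indicators above (an Office process reaching out to an external server, the dropped EhStoreShell.dll, a registry value pointing at that DLL, and the OneDriveHealth scheduled task) are enough to write a simple correlation hunt. The script below is an added example, not code from Zscaler, CERT-UA or Microsoft. It assumes a normalized, Sysmon-like telemetry schema of the author's own design (the field names and the sample events are constructed for the demonstration), and it flags a host as a probable full chain only when two or more distinct indicator types occur there. The registry check matches on the value data rather than on a key path, since the article does not name the key.

```python
"""Hunt for the Operation Neusploit host indicators in normalized endpoint telemetry.

Added example; the record schema (a Sysmon-like normalization) and all sample
events are constructed assumptions, not real logs or a vendor API.
"""
import ipaddress
import re
from collections import defaultdict

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DLL_NAME = "ehstoreshell.dll"   # DLL name reported in the campaign
TASK_NAME = "onedrivehealth"    # scheduled task name reported in the campaign

# Own list of internal ranges: Python's is_private also covers the RFC 5737
# documentation nets, which would hide the sample "external" address below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _base(path):
    """Last path component, lower-cased; works for file paths and task paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def _is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def check_event(ev):
    """Return (indicator, detail) if the event matches one campaign indicator, else None."""
    kind = ev.get("event")
    if kind == "network_connect":
        image = _base(ev.get("image", ""))
        if image in OFFICE_IMAGES and _is_external(ev.get("dest_ip", "")):
            return ("office_external_connect", f"{image} -> {ev['dest_ip']}:{ev.get('dest_port')}")
    elif kind == "file_create":
        if _base(ev.get("target", "")) == DLL_NAME:
            return ("dropped_dll", ev["target"])
    elif kind == "registry_set":
        if DLL_NAME in ev.get("data", "").lower():
            return ("registry_dll_reference", f"{ev.get('key')} = {ev['data']}")
    elif kind == "task_create":
        if _base(ev.get("task_name", "")) == TASK_NAME:
            return ("persistence_task", ev["task_name"])
    return None


def hunt(events):
    """Group indicator hits per host; two or more distinct indicator types on one
    host are reported as a probable chain rather than a lone coincidence."""
    hits = defaultdict(list)
    for ev in events:
        result = check_event(ev)
        if result:
            hits[ev.get("host", "?")].append(result)
    report = {}
    for host, found in hits.items():
        kinds = {k for k, _ in found}
        report[host] = {
            "indicators": found,
            "verdict": "probable_chain" if len(kinds) >= 2 else "single_indicator",
        }
    return report


# Constructed sample telemetry: ws01 shows the full chain, ws02 only a benign
# Office connection to an internal server. The registry key is a placeholder.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "network_connect",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "203.0.113.10", "dest_port": 80},
    {"host": "ws01", "event": "file_create",
     "target": r"C:\Users\user\AppData\Local\Temp\EhStoreShell.dll"},
    {"host": "ws01", "event": "registry_set",
     "key": r"HKCU\Software\ConstructedExampleKey",
     "data": r"C:\Users\user\AppData\Local\Temp\EhStoreShell.dll"},
    {"host": "ws01", "event": "task_create", "task_name": r"\OneDriveHealth"},
    {"host": "ws02", "event": "network_connect",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "10.0.0.5", "dest_port": 443},
]

if __name__ == "__main__":
    for host, entry in hunt(SAMPLE_EVENTS).items():
        print(host, entry["verdict"])
        for indicator, detail in entry["indicators"]:
            print("  ", indicator, detail)
```

One caveat when deploying the network rule on real telemetry: on Windows, WebDAV traffic is often carried by the WebClient service (hosted in svchost.exe) rather than by the Office process itself, so the outbound-connection check should be paired with the file, registry and scheduled-task indicators rather than relied on alone.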
