Operation Neusploit: Russia’s APT28 Strikes with Lightning-Fast Microsoft Office Hack
Subtitle: In just days, Russian state hackers weaponized a fresh Microsoft Office flaw-targeting Eastern Europe with stealthy malware and email theft.
On a cold January morning in 2026, security teams across Europe awoke to a chilling discovery: a familiar adversary had returned, armed with a brand-new weapon. Within 72 hours of Microsoft’s emergency patch for a dangerous Office vulnerability, Russia-linked APT28-also known as Fancy Bear-had already transformed it into a precision cyber-espionage tool. Their campaign, dubbed Operation Neusploit, targeted Ukraine, Slovakia, and Romania, using native-language lures and some of the most sophisticated malware tricks in the book.
Inside the Attack: How APT28 Weaponized a Zero-Day
Researchers at Zscaler ThreatLabz first detected the Neusploit operation in late January, linking it with “high confidence” to APT28-a group notorious for its speed in exploiting fresh software flaws. The vulnerability in question, CVE-2026-21509, lurked within Microsoft Office’s OLE (Object Linking and Embedding) feature. By simply opening a maliciously crafted file, victims unwittingly handed attackers control of their machines.
The attack began with a specially crafted Rich Text Format (RTF) document. Once opened, the document triggered the Office flaw and downloaded a dropper-a small program that installs further malware. Two variants were observed:
- MiniDoor: Specifically designed to target Microsoft Outlook, this malware quietly disabled security warnings, enabled automatic macros, scanned inboxes, and exfiltrated emails to Russian-controlled addresses-all while erasing its tracks.
- PixyNetLoader: A more sophisticated loader, it concealed its code inside a seemingly innocuous PNG image using steganography. It also checked for signs of analysis and, if detected, would refuse to run-thwarting security researchers.
The ultimate objective? Deploying the Covenant Grunt backdoor, a tool originally intended for penetration testing. Once installed, this implant gave APT28 full remote access, allowing them to control infected systems and exfiltrate stolen data through Filen.io, a legitimate cloud service that masked their traffic as normal internet activity.
Context: A Familiar Foe with New Tricks
APT28’s fingerprints were unmistakable. Known for high-profile hacks from the DNC to anti-doping agencies, the group’s rapid exploitation of CVE-2026-21509 shows how nation-state actors blend classic techniques-like phishing and COM hijacking-with modern stealth, such as hiding code in images and abusing cloud storage for command-and-control.
Security experts warn that while APT28 was first out of the gate, proof-of-concept code is now circulating, making it likely that other threat actors will soon follow suit. Microsoft’s patch, released in an emergency update, is critical-but only effective if organizations apply it and restart their Office apps. Monitoring for unusual Filen.io traffic and tightening registry settings are also recommended defenses.
Conclusion: The Race Between Hackers and Defenders
Operation Neusploit is a stark reminder that in the world of cyber warfare, speed is everything. As soon as a vulnerability is revealed-even with a patch-threat actors like APT28 can move at breakneck pace, turning software flaws into digital weapons. For defenders, vigilance, rapid patching, and a skeptical eye toward email attachments remain the best shields against the next wave of attacks.
WIKICROOK
- Zero: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
- Dropper: A dropper is a type of malware that secretly installs additional malicious programs on an infected device, helping attackers bypass security measures.
- Steganography: Steganography hides secret messages or code within everyday files, like images or audio, making the hidden information difficult to detect.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.




