Russia-linked attackers are already exploiting Microsoft's newest Office zero-day, with Ukraine's national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU.
In an alert published on Sunday, CERT-UA says the activity is being driven by UAC-0001, better known as "APT28" or "Fancy Bear", and hinges on CVE-2026-21509, a security feature bypass in Microsoft Office that Microsoft disclosed last week alongside a warning that attackers were already exploiting it in the wild.
According to CERT-UA, the first weaponized document surfaced just days after Microsoft sounded the alarm about the flaw. A file titled "Consultation_Topics_Ukraine(Final).doc" appeared publicly on January 29 and was themed around EU discussions on Ukraine. File metadata shows it was created on January 27, the day after Microsoft published details of the flaw, a turnaround time that suggests the exploit chain was already built and waiting.
That same day, Ukrainian incident responders were alerted to a parallel phishing campaign impersonating official correspondence from the Ukrhydrometeorological Center. More than 60 recipients, mostly across central government bodies, received emails carrying a malicious DOC attachment. Opening the file in Office silently initiates a WebDAV connection to an external server, fetches a shortcut (LNK) file, and uses it as a launchpad for further malware.
From there, the attackers drop a DLL masquerading as a legitimate Windows component and stash shellcode inside what appears to be a harmless image file. They then establish persistence via COM hijacking and a scheduled task that restarts explorer.exe, ensuring the malicious code is reloaded whenever the hijacked COM object is instantiated. Most users would notice little out of the ordinary, but the attackers now have a foothold they can return to.
The end result is the deployment of the COVENANT post-exploitation framework. The attackers route its command-and-control traffic through Filen, a legitimate cloud storage service, which helps it blend in as everyday noise rather than something obviously hostile. CERT-UA has advised defenders to monitor Filen-related traffic closely, or block it outright where possible.
The campaign has not been confined to Ukraine. In the final days of January, CERT-UA identified three more malicious documents using the same exploit chain and targeting organizations in EU member states. In one case, the domain serving the payload was registered on the very day it was used, underlining how fast the attackers are cycling through infrastructure.
Microsoft now has patches out, including for older Office builds that initially sat in limbo, but CERT-UA is still not optimistic about how quickly they will land.
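The chain described in the three paragraphs above (WebDAV fetch of a shortcut, a masquerading DLL registered through a per-user COM hijack, a scheduled task that bounces explorer.exe, and C2 hidden in Filen traffic) maps onto a handful of host-telemetry signals. The following Python hunting script is an added example, not code or indicators from the CERT-UA alert: it runs over Sysmon-style events and flags each stage separately, then counts how many distinct stages appear. The key=value log format, CLSID, SID, hostnames and file names in the sample events are constructed for illustration; that the WebClient service caches WebDAV fetches under TfsStore\Tfs_DAV is standard Windows behaviour, while the assumption that Filen traffic resolves under filen.io should be adjusted to local policy.

```python
"""
Hunting rules for the described post-exploitation chain over Sysmon-style
events. Added example, not CERT-UA's or Microsoft's code. Field names follow
Sysmon (EventID, Image, TargetObject, Details, TargetFilename, CommandLine,
DestinationHostname, QueryName); all sample values are constructed.
"""
import re
from dataclasses import dataclass

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Per-user COM hijack (MITRE T1546.015): an InprocServer32 default value written
# under a user hive (Sysmon logs HKCU as HKU\<SID>), consulted before HKLM.
COM_HIJACK_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}"
    r"\\InprocServer32\\\(Default\)$",
    re.IGNORECASE,
)
# Cache directory of the Windows WebClient (WebDAV redirector).
WEBDAV_CACHE = "\\tfsstore\\tfs_dav\\"
# Assumption: Filen's service domain is filen.io; adjust to local policy.
FILEN_SUFFIXES = ("filen.io",)


@dataclass
class Finding:
    rule: str
    event: dict


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' line (constructed log format)."""
    ev = {}
    for part in line.strip().split("|"):
        key, sep, val = part.partition("=")
        if sep:
            ev[key.strip()] = val.strip()
    return ev


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_filen_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FILEN_SUFFIXES)


def check_event(ev: dict) -> list:
    """Return the names of every rule the event trips (possibly none)."""
    hits = []
    eid = ev.get("EventID")
    img = basename(ev.get("Image", ""))
    # Stage 1: the document reaches out, and a shortcut lands in the WebDAV cache.
    if eid == "3" and img in OFFICE_PROCS:
        hits.append("office_outbound_connection")
    target = ev.get("TargetFilename", "").lower()
    if eid == "11" and WEBDAV_CACHE in target and target.endswith(".lnk"):
        hits.append("lnk_fetched_over_webdav")
    # Stage 2: user-hive COM hijack pointing at a DLL with a Windows-looking
    # name that does not live under %SystemRoot% (heuristic, drive C assumed).
    if eid == "13" and COM_HIJACK_RE.match(ev.get("TargetObject", "")):
        dll = ev.get("Details", "").lower()
        if dll and not dll.startswith("c:\\windows\\"):
            hits.append("user_hive_com_hijack")
    # Stage 3: a scheduled task created to restart explorer.exe.
    if eid == "1" and img == "schtasks.exe":
        cmd = ev.get("CommandLine", "").lower()
        if "/create" in cmd and "explorer.exe" in cmd:
            hits.append("scheduled_task_restarts_explorer")
    # Stage 4: C2 blending into Filen cloud storage traffic (DNS or connect).
    host = ev.get("DestinationHostname") or ev.get("QueryName", "")
    if eid in ("3", "22") and is_filen_host(host):
        hits.append("filen_traffic")
    return hits


def scan(lines) -> list:
    findings = []
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            findings.extend(Finding(r, ev) for r in check_event(ev))
    return findings


def stages_hit(findings) -> int:
    """Distinct stages seen on the host; one rule alone is weak evidence
    (Office talks to SharePoint, admins create tasks), several together are not."""
    return len({f.rule for f in findings})


# Constructed telemetry: five events from the chain plus two benign ones
# (an HKLM COM registration by regsvr32 and an ordinary process start).
SAMPLE_EVENTS = r"""
EventID=3|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|DestinationHostname=files.example.net|DestinationPort=80
EventID=11|Image=C:\Windows\System32\svchost.exe|TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\share\topics.lnk
EventID=13|Image=C:\Windows\System32\rundll32.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)|Details=C:\Users\alice\AppData\Roaming\Microsoft\version.dll
EventID=1|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn Updater /sc minute /mo 30 /tr "cmd /c taskkill /f /im explorer.exe & start explorer.exe"
EventID=22|Image=C:\Windows\System32\rundll32.exe|QueryName=gateway.filen.io
EventID=13|Image=C:\Windows\System32\regsvr32.exe|TargetObject=HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32\(Default)|Details=C:\Windows\System32\shell32.dll
EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:34s} {f.event.get('Image', '')}")
    print(f"{stages_hit(found)} distinct stages of the chain observed")
```

Each rule on its own is noisy: Office legitimately connects to SharePoint and OneDrive, administrators create scheduled tasks, and a Filen user base may exist in the estate. The signal worth paging on is several stages firing on the same host within a short window, which is why the script reports the count of distinct stages rather than raw hits. It deliberately contains no indicators from the advisory; plug CERT-UA's published ones into the hostname and file-name checks as they are released.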
"It is obvious that in the near future, including due to the inertia of the process or the impossibility of users updating the Microsoft Office suite and/or using the recommended security mechanisms, the number of cyberattacks using the described vulnerability will begin to increase," CERT-UA warned. ®