State-linked Russian hackers moved quickly to exploit a critical Microsoft Office flaw, using it to breach devices at diplomatic, maritime, and transport organizations in more than half a dozen countries, researchers reported Wednesday.
The threat group—tracked under names such as APT28, Fancy Bear, Sednit, Forest Blizzard, and Sofacy—hit the vulnerability, identified as CVE-2026-21509, less than 48 hours after Microsoft pushed an urgent, unscheduled security update late last month, the researchers said. After reverse-engineering the patch, the actors developed a sophisticated exploit that deployed one of two previously unseen backdoor implants.
Stealth, speed, and precision
The operation was designed to evade endpoint detection. The novel exploits and payloads were encrypted and executed in memory, making their malicious activity difficult to detect. Initial access stemmed from government accounts already compromised in multiple countries and thus likely familiar to the email recipients. Command-and-control channels ran through legitimate cloud services that are commonly allow-listed within sensitive networks.
“The use of CVE-2026-21509 demonstrates how quickly state-aligned actors can weaponize new vulnerabilities, shrinking the window for defenders to patch critical systems,” the researchers, with security firm Trellix, wrote. “The campaign’s modular infection chain—from initial phish to in-memory backdoor to secondary implants—was carefully designed to leverage trusted channels (HTTPS to cloud services, legitimate email flows) and fileless techniques to hide in plain sight.”
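The detection problem the researchers describe is that the traffic itself looks legitimate: HTTPS to cloud services the proxy already allows. One signal defenders still have is the process making the connection. The following is an added illustration, not code from Trellix or from the article, of a hunt that joins process-creation and network telemetry and flags Office processes (rather than browsers or sync clients) opening TLS connections to cloud services. The event schema, the domain list, and the sample events are all constructed for this example.

```python
"""Hunt for Office processes talking to commonly allow-listed cloud services.

Added example for the campaign described above; the event format and the
sample events below are constructed and do not come from the Trellix report.
"""

# Constructed list: Office binaries whose direct outbound TLS connections to
# file-sharing services are unusual enough to warrant analyst review.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed list (assumption): cloud service domains that proxies often
# allow-list. Tune to the services actually permitted in your environment.
CLOUD_SERVICE_SUFFIXES = (
    ".sharepoint.com",
    ".onedrive.com",
    "drive.google.com",
    ".dropbox.com",
    ".githubusercontent.com",
)


def is_cloud_service(host):
    """True if host is, or is a subdomain of, a listed cloud service."""
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in CLOUD_SERVICE_SUFFIXES)


def hunt(events):
    """Return (pid, image, dest_host) for Office processes that opened TLS
    connections to cloud services.

    events: iterable of dicts. 'process' events carry pid and image path;
    'network' events carry pid, dest_host and port. Process events are assumed
    to arrive before the network events of the same pid, as EDR streams do.
    """
    image_by_pid = {}
    findings = []
    for ev in events:
        if ev["type"] == "process":
            # Keep only the basename, lower-cased, for matching.
            image_by_pid[ev["pid"]] = ev["image"].rsplit("\\", 1)[-1].lower()
        elif ev["type"] == "network":
            image = image_by_pid.get(ev["pid"], "")
            if (
                image in OFFICE_PROCESSES
                and ev.get("port") == 443
                and is_cloud_service(ev["dest_host"])
            ):
                findings.append((ev["pid"], image, ev["dest_host"]))
    return findings


# Constructed sample telemetry: one benign browser connection, one Office
# connection to a file-sharing service, and one non-TLS Office connection.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4212,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "pid": 5100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network", "pid": 5100, "dest_host": "contoso-files.sharepoint.com", "port": 443},
    {"type": "network", "pid": 4212, "dest_host": "contoso-files.sharepoint.com", "port": 443},
    {"type": "network", "pid": 4212, "dest_host": "update.example.com", "port": 80},
]

if __name__ == "__main__":
    for pid, image, host in hunt(SAMPLE_EVENTS):
        print(f"review: pid={pid} {image} -> {host}:443")
```

Office applications do contact Microsoft's own services routinely, so in practice the domain list is baselined against what Office normally reaches in the environment and the hunt is scoped to the file-sharing and storage endpoints that a backdoor would use as a channel; the join on process identity is the part that survives the "trusted channel" problem the researchers point out.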
The 72-hour spear-phishing campaign began January 28 and delivered at least 29 distinct email lures to organizations in nine countries, primarily in Eastern Europe. Trellix named eight of them: Poland, Slovenia, Turkey, Greece, the UAE, Ukraine, Romania, and Bolivia. Organizations targeted were defense ministries (40 percent), transportation/logistics operators (35 percent), and diplomatic entities (25 percent).