Russian-Backed Group Weaponizes New Microsoft Office Flaw In Targeted Phishing Attacks

State-sponsored group exploits CVE-2026-21509 to bypass Office security controls and compromise European government and transport networks.

Published on Feb 6, 2026

APT28, the Russian state-sponsored threat group also tracked as Fancy Bear and UAC-0001, has launched a fast-moving cyber-espionage campaign exploiting a newly disclosed Microsoft Office vulnerability.

The campaign began with carefully crafted spear-phishing emails that impersonated trusted government or institutional senders. Each message carried a malicious Office document built to exploit CVE-2026-21509, a security feature bypass vulnerability in Microsoft Office.

The flaw allows embedded content to execute without the standard security warnings, so code could run as soon as the file was opened, with no macros involved and no user interaction required beyond opening the document.

Targets included military, maritime, and transportation organizations across several European countries, with a strong focus on public-sector and defense-adjacent entities.

Trellix researchers observed attackers adopting geopolitically relevant themes to increase credibility, including logistics alerts, official invitations, and emergency notifications tied to regional events.

Multi-Stage Infection Chain Designed for Stealth

In an advisory published on Wednesday, Trellix said that once the document was opened, the exploit used standard Windows mechanisms to retrieve additional components over the network.

This initial step installed a lightweight loader that enabled a multi-stage infection chain, eventually delivering memory-resident malware designed to avoid leaving forensic artifacts on disk.

To further evade detection, APT28 relied on legitimate cloud storage tools for command-and-control (C2) traffic. By blending malicious communications into normal encrypted cloud activity, the attackers made it significantly more difficult for defense teams to distinguish threats from everyday enterprise use.

For CISOs and security teams, the incident reinforces several priorities: rapid patch deployment for Office environments, heightened scrutiny of inbound email attachments, and monitoring of anomalous behaviors from Office processes as well as abnormal cloud-based traffic patterns.
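The last two of those priorities, watching for abnormal behaviour from Office processes and for cloud-storage traffic that does not belong, can be checked in telemetry. The script below is an added illustration written for this article, not code from Trellix or from the advisory: it runs a small set of detection rules over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events, flags Office applications spawning living-off-the-land binaries or reaching unexpected hosts, and walks the process tree to catch an Office-descended process talking to a cloud storage service. The log format, the process and domain lists, and the sample events are all assumptions for the example; real Sysmon output keys on ProcessGuid rather than the reusable ProcessId used here.

```python
import json

# Process images treated as Office hosts, and the LOLBins whose launch from
# Office is suspicious. Both lists are assumptions for this example.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Outlook talks to the network constantly, so the direct-network rule is
# limited to the document-handling applications.
OFFICE_DOC_APPS = OFFICE_APPS - {"outlook.exe"}
LOLBINS = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "powershell.exe",
           "cmd.exe", "wscript.exe", "cscript.exe", "certutil.exe", "msiexec.exe"}
# Destinations Office itself is expected to reach (assumed allowlist; tune it
# against the baseline telemetry of your own estate).
EXPECTED_OFFICE_HOSTS = ("office.com", "office.net", "officeapps.live.com", "microsoft.com")
# Cloud storage services that are plausible C2 relays (assumed list).
CLOUD_STORAGE_HOSTS = ("dropbox.com", "dropboxapi.com", "drive.google.com",
                       "onedrive.live.com", "box.com")

# Constructed sample telemetry (not a real Sysmon export): EventID 1 is process
# creation, EventID 3 is an outbound network connection.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4100, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentProcessId": 2000, "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "ProcessId": 4100, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationHostname": "officeapps.live.com", "DestinationPort": 443}
{"EventID": 1, "ProcessId": 4200, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentProcessId": 4100, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 3, "ProcessId": 4100, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationHostname": "updates.example-logistics.invalid", "DestinationPort": 443}
{"EventID": 1, "ProcessId": 4300, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentProcessId": 4200, "ParentImage": "C:\\Windows\\System32\\rundll32.exe"}
{"EventID": 3, "ProcessId": 4300, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443}
{"EventID": 3, "ProcessId": 5000, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "www.dropbox.com", "DestinationPort": 443}
"""


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def host_matches(host, suffixes):
    """True if host equals or is a subdomain of any listed suffix."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def office_ancestor(pid, procs, max_depth=16):
    """Walk the parent chain of pid; return the first Office image found, else None."""
    depth = 0
    entry = procs.get(pid)
    while entry is not None and depth < max_depth:
        image, ppid = entry
        name = basename(image)
        if name in OFFICE_APPS:
            return name
        entry = procs.get(ppid)
        depth += 1
    return None


def analyze(lines):
    """Apply the three rules over an ordered sequence of JSON event lines."""
    procs = {}   # ProcessId -> (Image, ParentProcessId); PIDs are reused on real hosts
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        pid = ev["ProcessId"]
        name = basename(ev["Image"])
        if ev["EventID"] == 1:
            procs[pid] = (ev["Image"], ev["ParentProcessId"])
            parent = basename(ev["ParentImage"])
            # Rule 1: an Office application launching a LOLBin directly.
            if parent in OFFICE_APPS and name in LOLBINS:
                alerts.append({"rule": "office_spawns_lolbin", "pid": pid,
                               "detail": f"{parent} -> {name}"})
        elif ev["EventID"] == 3:
            host = ev["DestinationHostname"]
            dest = f'{host}:{ev["DestinationPort"]}'
            if name in OFFICE_DOC_APPS:
                # Rule 2: Word/Excel/PowerPoint reaching a host outside the allowlist.
                if not host_matches(host, EXPECTED_OFFICE_HOSTS):
                    alerts.append({"rule": "office_direct_network", "pid": pid,
                                   "detail": f"{name} -> {dest}"})
            else:
                # Rule 3: any process descended from Office contacting cloud storage.
                ancestor = office_ancestor(pid, procs)
                if ancestor and host_matches(host, CLOUD_STORAGE_HOSTS):
                    alerts.append({"rule": "office_descendant_to_cloud_storage", "pid": pid,
                                   "detail": f"{name} -> {dest} (ancestor {ancestor})"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert["rule"], alert["pid"], alert["detail"])
```

On the sample events the first rule fires for WINWORD.EXE launching rundll32.exe, the second for WINWORD.EXE contacting a host outside the allowlist, and the third for the PowerShell grandchild reaching a Dropbox API endpoint, while the browser's own Dropbox connection and Word's connection to officeapps.live.com stay silent. The third rule is the one that matters for cloud-hosted C2: the destination is legitimate, so only the lineage of the process that contacted it gives the traffic away.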

The attacks illustrate that evolving threat-actor tactics demand layered defenses and faster responses to zero-day vulnerabilities.