Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of a new wave of targeted cyberattacks exploiting a critical Microsoft Office vulnerability (CVE-2026-21509) disclosed on January 26, 2026. The attacks target Ukrainian government institutions and organizations across the European Union.
According to CERT-UA, the flaw was weaponized within a day of Microsoft’s disclosure. Malicious documents themed around EU consultations on Ukraine were distributed via phishing emails masquerading as official messages from the Ukrainian Hydrometeorological Center. More than 60 government email addresses were targeted.
Opening the infected documents allowed attackers to gain remote access, install persistent malware, and deploy the COVENANT command-and-control (C&C) framework. The attackers abused legitimate cloud storage service Filen for their infrastructure, Ukrainian cybersecurity agency noted.
CERT-UA expects the number of attacks to rise as many users have yet to apply security updates. Organizations are strongly advised to implement Microsoft’s recommended mitigations ASAP and closely monitor or block traffic to Filen-related infrastructure linked to the campaign.