Russian hackers exploit critical MS Office flaw in attacks on Ukraine, Romania and Slovakia

The Russia-linked state-sponsored hacking group known as APT28 (tracked as UAC-0001 by Ukraine's CERT-UA) has been linked to a new wave of cyberattacks exploiting a recently disclosed vulnerability in Microsoft Office, according to findings from Zscaler ThreatLabz. The report follows a security alert from Ukraine's cybersecurity authorities describing what is likely the same campaign.

The campaign, dubbed Operation Neusploit by Zscaler, was observed on January 29, 2026, just three days after Microsoft disclosed the flaw. The vulnerability, tracked as CVE-2026-21509, is a security feature bypass: a specially crafted Office file lets an attacker trigger behavior that Office's protections would otherwise block, so the victim only has to open the document.

Zscaler researchers said the attacks targeted users in Ukraine, Slovakia, and Romania with social-engineering lures localized for each country. The operators also used server-side evasion: the staging server delivered malicious payloads only to requests that originated from the targeted geographic regions and carried the expected User-Agent string, a filter that also keeps sandboxes and analysts outside those regions from retrieving the next stage.

The attack chain begins with a malicious RTF file that exploits the Office vulnerability to deploy one of two droppers. The first installs MiniDoor, an Outlook email stealer that harvests messages from folders such as Inbox, Junk, and Drafts and forwards them to attacker-controlled email accounts. MiniDoor is believed to be a simpler variant of the previously documented NotDoor (also known as GONEPOSTAL) malware.

The second dropper, PixyNetLoader, establishes persistence through COM object hijacking and extracts additional components, including a shellcode loader and a PNG image with a payload hidden inside it. The loader recovers the shellcode from the image steganographically and executes it, but only after checking that the host is not an analysis environment and that its launching process is explorer.exe, a pair of guards aimed at sandboxes and analysts who run the sample directly.

The final stage is a Covenant Grunt implant, the agent component of the open-source Covenant command-and-control (C&C) framework. Zscaler noted strong overlaps between this activity and APT28's Operation Phantom Net Voxel, observed in 2025.
