StratosAlly – Cybersecurity for digital safety

Operation Neusploit: When Patch Day Becomes Attack Day


StratosAlly


In a notable display of cyber agility, the Russia-linked threat group APT28, also known as Fancy Bear, proved just how quickly advanced attackers can move. Within 48 hours of Microsoft publicly disclosing a critical Office vulnerability, the group had already turned it into a live attack campaign, now referred to as Operation Neusploit.

On January 26, 2026, Microsoft released an emergency security patch for CVE-2026-21509, a security feature bypass flaw affecting multiple Office versions, including Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. While patches are designed to protect users, they can also reveal technical clues. In this case, attackers quickly analyzed the fix, identified the underlying weakness, and built a working exploit within a day.

The attack relied on carefully crafted phishing emails carrying malicious Rich Text Format (RTF) documents. Many of these emails impersonated legitimate regional organizations, including Ukraine’s Hydrometeorological Center, making them appear trustworthy and increasing the chances of victims opening the files.

Unlike noisy, large-scale cybercrime campaigns that cast a wide net, Operation Neusploit was highly targeted. The attackers focused on government and diplomatic organizations in Ukraine, Slovakia, and Romania, targets that carry strategic value rather than financial gain. The phishing emails were carefully crafted, written in both English and local languages, making them feel routine, official, and regionally relevant enough to avoid immediate suspicion.

Once a victim opened the malicious document, a multi-stage infection process began. The file triggered a WebDAV network connection to download a malicious DLL. This DLL then deployed one of two malware tools. MiniDoor focused on harvesting and exfiltrating emails from Outlook environments, while PixyNetLoader enabled the deployment of a Covenant Grunt implant, allowing attackers to maintain remote access and control over compromised systems.
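As an added defender-side example (not code from the StratosAlly article or from any analysis of the campaign), the Python below filters constructed endpoint or proxy events for the pattern just described: an Office process driving WebDAV requests to an external host. The process names, event field names and the sample events are assumptions made for the example.

```python
"""Flag Office-launched WebDAV traffic to external hosts in network events."""
import ipaddress
import json

# Assumed names of the Office host processes that would render a malicious RTF
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# WebDAV-only verbs; OPTIONS is too common on its own and counts only with a DAV header
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}
# Internal ranges (RFC 1918 plus loopback); anything else is treated as external
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_office_webdav(events):
    """Return events where an Office process issues WebDAV to an external address."""
    hits = []
    for ev in events:
        if ev.get("process", "").lower() not in OFFICE_PROCESSES:
            continue
        method = ev.get("http_method", "").upper()
        has_dav_header = "dav" in {k.lower() for k in ev.get("headers", {})}
        webdav = method in WEBDAV_METHODS or (method == "OPTIONS" and has_dav_header)
        if webdav and is_external(ev["dst_ip"]):
            hits.append(ev)
    return hits


def parse_events(text: str):
    """Parse one JSON object per line (hypothetical EDR/proxy export format)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed sample events, not captured from any real incident
SAMPLE_LOG = """
{"host":"ws-17","process":"WINWORD.EXE","dst_ip":"203.0.113.45","dst_port":80,"http_method":"PROPFIND","headers":{"Depth":"0"}}
{"host":"ws-17","process":"WINWORD.EXE","dst_ip":"10.0.0.5","dst_port":80,"http_method":"PROPFIND","headers":{}}
{"host":"ws-22","process":"chrome.exe","dst_ip":"203.0.113.45","dst_port":80,"http_method":"GET","headers":{}}
{"host":"ws-09","process":"OUTLOOK.EXE","dst_ip":"198.51.100.7","dst_port":443,"http_method":"OPTIONS","headers":{"DAV":"1"}}
"""

if __name__ == "__main__":
    for hit in flag_office_webdav(parse_events(SAMPLE_LOG)):
        print(f"ALERT {hit['host']}: {hit['process']} {hit['http_method']} -> {hit['dst_ip']}")
```

Internal WebDAV shares (the second event) are deliberately not flagged, so tune INTERNAL_NETS to the environment before relying on the output.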

To avoid detection, attackers used server-side filtering, ensuring payloads were only delivered to systems in specific geographic regions and with particular HTTP header characteristics. This reduced the chances of discovery by security researchers.

The campaign highlights a growing cybersecurity challenge: the shrinking gap between vulnerability disclosure and active exploitation. Organizations must prioritize rapid patching, strengthen phishing awareness, and invest in advanced threat detection. As cyber threats evolve, proactive defense and preparedness are becoming just as important as prevention.
