
Russian state hackers moved swiftly to exploit a critical vulnerability in Microsoft Office, compromising devices within diplomatic, maritime, and transport organizations across more than half a dozen countries, according to researchers. The threat group, known under aliases such as APT28, Fancy Bear, Sednit, Forest Blizzard, and Sofacy, began exploiting the flaw, tracked as CVE-2026-21509, within 48 hours of Microsoft issuing an urgent, out-of-band security update late last month.
After reverse-engineering the patch, the group developed an advanced exploit that deployed one of two previously unseen backdoor implants. The campaign was engineered to evade endpoint protection through stealth, speed, and precision: the exploits and payloads were encrypted and ran entirely in memory, leaving little on disk for file-based detection to find. The phishing emails were sent from compromised government accounts in several countries, senders likely familiar to the targeted recipients.
Command-and-control traffic used legitimate cloud services, which are often allow-listed within sensitive networks and therefore pass egress filtering unchallenged. Researchers from Trellix noted, “The use of CVE-2026-21509 demonstrates how quickly state-aligned actors can weaponize new vulnerabilities, shrinking the window for defenders to patch critical systems.” They added, “The campaign’s modular infection chain—from initial phish to in-memory backdoor to secondary implants—was carefully designed to leverage trusted channels (HTTPS to cloud services, legitimate email flows) and fileless techniques to hide in plain sight.”
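Because the implants ran in memory and beaconed over HTTPS to allow-listed cloud services, file hashes and domain block lists are weak signals here; what remains observable is the behaviour of the Office process itself. The following is an added example, not code from Trellix or Microsoft, showing one such hunt over Sysmon-style network-connection events (Event ID 3 fields: UtcTime, Image, User, DestinationHostname, DestinationPort) already parsed into dicts. It flags Office binaries making direct HTTPS connections to cloud-service domains and then looks for regular beacon timing among those connections. The cloud-domain list, the Office image names, the jitter threshold and the sample events are all assumptions; the report does not name which services the campaign used.

```python
"""Hunt for Office processes beaconing over HTTPS to allow-listed cloud services.

Added example; assumes Sysmon Event ID 3 records parsed into dicts.
The domain list below is an assumption, not from the Trellix report.
"""
from collections import defaultdict
from datetime import datetime

# Office binaries that should rarely talk to cloud storage APIs directly.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Assumed: cloud service domains commonly allow-listed on enterprise egress.
CLOUD_SUFFIXES = (
    "api.dropbox.com", "dropboxapi.com", "graph.microsoft.com",
    "onedrive.live.com", "googleapis.com", "drive.google.com", "api.github.com",
)

# Constructed sample telemetry: four regularly spaced WINWORD connections to
# api.dropbox.com, one browser connection (ignored), one EXCEL connection to
# Graph (flagged but not a beacon), one WINWORD connection to a non-listed host.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-01-28T09:02:10", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\analyst1", "DestinationHostname": "api.dropbox.com", "DestinationPort": "443"},
    {"UtcTime": "2026-01-28T09:02:30", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "User": "CORP\\analyst1", "DestinationHostname": "api.dropbox.com", "DestinationPort": "443"},
    {"UtcTime": "2026-01-28T09:03:10", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\analyst1", "DestinationHostname": "api.dropbox.com", "DestinationPort": "443"},
    {"UtcTime": "2026-01-28T09:04:11", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\analyst1", "DestinationHostname": "api.dropbox.com", "DestinationPort": "443"},
    {"UtcTime": "2026-01-28T09:05:09", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\analyst1", "DestinationHostname": "api.dropbox.com", "DestinationPort": "443"},
    {"UtcTime": "2026-01-28T09:10:00", "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "User": "CORP\\analyst2", "DestinationHostname": "graph.microsoft.com", "DestinationPort": "443"},
    {"UtcTime": "2026-01-28T09:12:00", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\analyst1", "DestinationHostname": "officecdn.microsoft.com", "DestinationPort": "443"},
]


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_cloud(host: str) -> bool:
    """True if host equals or is a subdomain of an assumed cloud suffix."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in CLOUD_SUFFIXES)


def suspicious_connections(events):
    """Return Office-process HTTPS connections to cloud-service domains."""
    hits = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        host = ev.get("DestinationHostname", "")
        port = int(ev.get("DestinationPort", 0))
        if image in OFFICE_IMAGES and port == 443 and _is_cloud(host):
            hits.append({"time": ev["UtcTime"], "image": image,
                         "host": host, "user": ev.get("User", "")})
    return hits


def beacon_candidates(hits, min_connections=3, max_jitter=0.2):
    """Group hits by (image, host) and flag regular inter-connection timing.

    Jitter is the coefficient of variation of the gaps between connections;
    a low value means near-periodic traffic, typical of a C2 beacon.
    """
    by_pair = defaultdict(list)
    for h in hits:
        by_pair[(h["image"], h["host"])].append(datetime.fromisoformat(h["time"]))
    out = []
    for (image, host), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
        jitter = var ** 0.5 / mean
        if jitter <= max_jitter:
            out.append({"image": image, "host": host, "connections": len(times),
                        "mean_gap_s": round(mean, 1), "jitter": round(jitter, 3)})
    return out


if __name__ == "__main__":
    for b in beacon_candidates(suspicious_connections(SAMPLE_EVENTS)):
        print(b)
```

Outlook talking to graph.microsoft.com is normal in Microsoft 365 tenants, so in practice the domain list must be tuned per environment and the beacon check is what separates an implant from routine sync traffic; adaptive implants randomize their sleep, so treat a raised `max_jitter` as a trade-off against false positives rather than a fix.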
A 72-hour spear-phishing operation commenced on January 28, delivering at least 29 distinct email lures to organizations in nine countries, with a focus on Eastern Europe. Trellix identified eight of these nations: Poland, Slovenia, Turkey, Greece, the UAE, Ukraine, Romania, and Bolivia. Targeted entities included defense ministries (40 percent), transportation and logistics operators (35 percent), and diplomatic bodies (25 percent).