APT28 Weaponizes Microsoft Office Zero-Day Within 24 Hours, Targets Ukraine and EU with Covenant Backdoor

Russian state-sponsored hacking group APT28 weaponized a critical Microsoft Office zero-day vulnerability within 24 hours of public disclosure, launching targeted attacks against Ukrainian government agencies and European Union institutions.

Ukraine's Computer Emergency Response Team (CERT-UA) detected exploitation attempts beginning January 27 — just one day after Microsoft published details about CVE-2026-21509. Microsoft had acknowledged active exploitation when disclosing the flaw but withheld threat actor attribution.

CERT-UA attributes the campaign to UAC-0001, its designation for APT28 (also tracked as Fancy Bear and Forest Blizzard), a group operating on behalf of Russia's GRU military intelligence agency.

Campaign Details

CERT-UA discovered a malicious document titled "Consultation_Topics_Ukraine(Final).doc" containing the CVE-2026-21509 exploit on January 29. Metadata shows attackers created the file on January 27 at 07:43 UTC — hours after disclosure. The document masqueraded as materials related to Committee of Permanent Representatives consultations on Ukraine.

On the same day, attackers impersonated Ukraine's Ukrhydrometeorological Center, distributing emails with an attached "BULLETEN_H.doc" file to more than 60 email addresses targeting Ukrainian central executive government agencies.

Three additional malicious documents using similar exploits were identified in late January targeting EU organizations. In one case, attackers registered a domain on January 30 and deployed it in attacks the same day.

Exploitation Chain

The attack executes when victims open malicious documents in Microsoft Office:

  1. The exploit establishes WebDAV connections to external resources
  2. A shortcut file downloads and executes additional payloads
  3. The malware drops EhStoreShell.dll (disguised as "Enhanced Storage Shell Extension") and SplashScreen.png (containing shellcode)
  4. COM hijacking modifies Windows registry values for a specific CLSID identifier
  5. A scheduled task named "OneDriveHealth" executes periodically, terminating and relaunching Explorer
  6. Explorer loads the malicious DLL due to COM hijacking, executing shellcode from the image file
  7. The Covenant post-exploitation framework deploys with Filen.io cloud storage as C2

Using legitimate cloud infrastructure for command-and-control makes malicious traffic appear normal and harder to detect.

Remediation

Microsoft released an emergency patch for CVE-2026-21509. CERT-UA recommends:

  • Apply Microsoft's emergency fix immediately
  • Implement registry modifications outlined in Microsoft's advisory to prevent exploitation
  • Block or monitor network connections to Filen.io infrastructure
  • Review CERT-UA's IOC list for domain names and IP addresses associated with the campaign

CERT-UA warns that exploitation will increase due to patch deployment delays and users unable to update Microsoft Office.
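As an added hunt script (not CERT-UA's tooling or code from the article), the PowerShell below checks a host for the persistence artifacts named in the exploitation chain and remediation sections: the "OneDriveHealth" scheduled task, per-user COM registrations pointing at EhStoreShell.dll, and the dropped files. The article does not publish the hijacked CLSID, so the script assumes nothing about it and instead flags any HKCU InprocServer32 entry whose DLL is EhStoreShell.dll or sits outside the Windows and Program Files trees; it also assumes SplashScreen.png is dropped beside the DLL.

```powershell
# Hunt for the COM-hijack / scheduled-task persistence described in the CERT-UA report.
# Constructed example: the CLSID is not given in the article, so every per-user CLSID is inspected.
$findings = @()

# 1. Per-user COM server registrations. HKCU\Software\Classes is consulted before HKLM during
#    COM activation, which is what lets a user-writable key hijack a system component.
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $clsidRoot) {
    foreach ($clsid in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        $inproc = Join-Path $clsid.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        # Named artifact from the report, or a server DLL living outside the OS/application trees.
        $suspicious = ($expanded -match 'EhStoreShell\.dll$') -or
                      ($expanded -notmatch '^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\')
        if ($suspicious) {
            $findings += [pscustomobject]@{ Type = 'COM'; Key = $clsid.PSChildName; Value = $expanded }
        }
    }
}

# 2. The scheduled task the campaign uses to restart Explorer so the hijacked DLL gets loaded.
$task = Get-ScheduledTask -TaskName 'OneDriveHealth' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings += [pscustomobject]@{ Type = 'Task'; Key = $task.TaskPath + $task.TaskName; Value = $actions }
}

# 3. Dropped files. Assumption: the shellcode-bearing PNG is written next to the DLL.
foreach ($hit in ($findings | Where-Object Type -eq 'COM')) {
    $dir = Split-Path -Path $hit.Value -Parent
    foreach ($name in 'EhStoreShell.dll', 'SplashScreen.png') {
        $path = Join-Path $dir $name
        if (Test-Path $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Key = $name; Value = $path }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No OneDriveHealth task or suspicious per-user COM registrations found.' }
```

Legitimate per-user software (browsers, collaboration clients) also registers COM servers under %LOCALAPPDATA%, so a non-standard path alone is a triage lead, not a verdict; the task name and DLL name are the campaign-specific signals.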

MITRE ATT&CK

T1203 — Exploitation for Client Execution: malicious Office documents exploiting CVE-2026-21509

T1546.015 — Component Object Model Hijacking: registry modifications to load the malicious DLL via Explorer

T1053.005 — Scheduled Task: "OneDriveHealth" task for persistence and payload execution

T1140 — Deobfuscate/Decode Files or Information: shellcode hidden in the SplashScreen.png image file

T1102 — Web Service: Filen.io cloud storage abused for C2 infrastructure
