- Russian APT28 (Fancy Bear) exploited CVE-2026-21509 in Microsoft Office days after patch release
- Malicious DOC files sent to Ukrainian government agencies via themed phishing lures
- CISA added the flaw to its KEV catalog, urging immediate patching
Russian hackers have attacked Ukrainian government agencies using a high-severity Microsoft Office vulnerability mere days after a patch was released.
On January 26, 2026, Microsoft pushed an emergency fix to address CVE-2026-21509, a reliance on untrusted inputs in a security decision vulnerability, that allows unauthorized attackers to bypass Microsoft Office security features locally. The bug was given a severity score of 7.6/10 (high), and was said to have already been abused in the wild as a zero-day.
Just three days later, Ukraine’s Computer Emergency Response Team (CERT-UA) said it saw cybercriminals mailing dozens of government-related addresses malicious DOC files that were exploiting the flaw. Some were themed around the EU COREPER consultations, while others spoofed the country’s Hydrometeorological Center.
How to defend against APT28
CERT says that the attack is the work of APT28, a Russian state-sponsored threat actor also known as Fancy Bear, or Sofacy. The group is linked with the country’s General Staff Main Intelligence Directorate (GRU).
The researchers based their findings on the analysis of the malware loader used in these attacks. Apparently, it is the same one that was used in a June 2025 attack, in which Signal chats were used to deliver BeardShell and SlimAgent malware to Ukrainian government employees. This attack was confirmed to have been conducted by APT28.
To defend against the attacks, CERT-UA advised government entities (and everyone else, basically) to apply the latest patches and update their Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. Office 2021 users were also reminded to restart their applications after updating, to make sure the patches are applied.
The US Cybersecurity and Infrastructure Security Agency (CISA) already added CVE-2026-21509 to its catalog of known exploited vulnerabilities (KEV).
Those that cannot install the patches should make changes in Windows Registry, as mitigation. Microsoft has provided a step-by-step guide which can be found on this link.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/q9MDh9arRbmRkXvjiD4649-970-80.jpg
Source link
