Critical Microsoft Office Vulnerability Under Active Exploitation
Russia-linked advanced persistent threat group APT28, also known as Fancy Bear, has launched a sophisticated espionage campaign exploiting CVE-2026-21509, a critical zero-day vulnerability in Microsoft Office. Microsoft released emergency patches on January 26, 2026, but within three days, by January 29, security researchers confirmed active in-the-wild exploitation targeting organizations across Central and Eastern Europe, including Ukraine, Slovakia, and Romania.
The vulnerability carries a CVSS score of 7.8 (High severity) and affects multiple Microsoft Office versions: Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise. The flaw stems from improper handling of Rich Text Format (RTF) files, allowing attackers to bypass critical security controls without triggering user warnings.
Operation Neusploit: A Multi-Stage Attack Chain
Security researchers have attributed this campaign to Operation Neusploit, a coordinated espionage operation that leverages weaponized Office documents as a stealthy entry point. The attack begins unremarkably: victims receive phishing emails carrying specially crafted RTF files with innocuous-sounding names, such as "Consultation_Topics_Ukraine(Final).doc", chosen to make the attachment look legitimate (note the .doc extension on what is actually RTF content).
When a user opens the malicious document, the Office application improperly parses the RTF file, triggering code execution without requiring macros or additional user interaction. This exploit then downloads a dropper DLL from attacker-controlled infrastructure, initiating a multi-stage infection chain.
Backdoors and Email Theft
Researchers identified two distinct attack variants in Operation Neusploit. Both deploy malicious payloads including MiniDoor, a sophisticated Outlook Visual Basic for Applications (VBA) project designed to steal email communications. MiniDoor lowers macro security settings and silently forwards victims' emails to attacker-controlled addresses, enabling long-term intelligence collection without detection.
Additional payloads observed include PixyNetLoader and other backdoors that establish persistent command-and-control (C2) infrastructure. Notably, the threat actors leverage Filen, a legitimate cloud storage service, for C2 communications, a technique that helps evade traditional network-based defenses.
Why This Matters
The speed of exploitation is alarming. Microsoft disclosed the vulnerability on January 26; by January 29, APT28 had weaponized it in live campaigns. This three-day window demonstrates how quickly nation-state actors can operationalize newly disclosed flaws. For organizations, the implications are severe: unpatched systems remain vulnerable to email-driven attacks requiring minimal user interaction beyond opening a file.
The targeting of EU institutions and Eastern European governments underscores the geopolitical dimension of this campaign. CERT-UA warned that "given the likely delay (or inability) of users to update Microsoft Office or apply recommended security measures, the number of cyber-attacks exploiting this vulnerability is expected to increase."
Immediate Mitigation Steps
Microsoft's advisory recommends urgent action: apply the latest Office security updates addressing CVE-2026-21509 across all endpoints immediately. Additionally, organizations should monitor network traffic for connections to Filen cloud storage nodes and implement Windows registry configurations outlined in Microsoft's official guidance.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to patch by February 16, 2026. This designation reflects the severity and active exploitation status.
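The two checks the mitigation section calls for, flagging RTF content that arrives under a .doc name (the lure shape described above) and spotting egress to Filen in proxy logs, as an added example that is not code from the article, Microsoft or CERT-UA. It assumes filen.io is the Filen service domain and a constructed proxy log format of `timestamp client url`; the sample attachment bytes and log lines are constructed.

```python
"""Triage helpers: RTF hiding behind a .doc name, and proxy egress to Filen."""
from urllib.parse import urlparse

# Magic bytes a .doc/.docx attachment should legitimately start with.
RTF_MAGIC = b"{\\rtf"                               # RTF, the format the exploit abuses
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary .doc (CFB container)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx (OOXML zip)

# Assumed Filen domain; confirm against Microsoft's guidance before blocking.
FILEN_DOMAINS = ("filen.io",)

def sniff_format(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the file extension."""
    head = data[:8]
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"

def attachment_verdict(filename: str, data: bytes) -> dict:
    """Flag Word-named attachments whose content is really RTF (extension/content mismatch)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_format(data)
    suspicious = ext in ("doc", "docx", "dot") and fmt == "rtf"
    return {"filename": filename, "ext": ext, "format": fmt, "suspicious": suspicious}

def is_filen_host(host: str) -> bool:
    """True for the Filen apex domain or any of its subdomains (not look-alikes like notfilen.io)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FILEN_DOMAINS)

def filen_connections(log_lines) -> list:
    """Return (client, host) pairs for proxy log lines whose destination is Filen."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                       # malformed line, skip rather than crash
        client, host = parts[1], urlparse(parts[2]).hostname
        if host and is_filen_host(host):
            hits.append((client, host))
    return hits

# Constructed samples: an RTF body under a .doc name, and three proxy log lines.
SAMPLE_ATTACHMENT = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} Hello\\par }"
SAMPLE_LOG = [
    "2026-01-29T10:01:02Z 10.0.5.12 https://www.microsoft.com/",
    "2026-01-29T10:01:09Z 10.0.5.12 https://cdn.filen.io/api/v3/upload",
    "2026-01-29T10:01:15Z 10.0.5.40 https://notfilen.io/",
]
```

Run `attachment_verdict("Consultation_Topics_Ukraine(Final).doc", SAMPLE_ATTACHMENT)` and `filen_connections(SAMPLE_LOG)` against your own mail-gateway and proxy exports; a content sniff is a triage signal, not proof of exploitation.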
A Realistic Scenario
Consider a diplomat at a European ministry receiving an email titled "COREPER Consultation Topics - Ukraine (Final).doc" from what appears to be an official source. Opening the attachment triggers silent exploitation, installing MiniDoor without any visible error or warning. Within hours, the attacker gains access to the victim's email archive, potentially exposing sensitive diplomatic communications, negotiation strategies, and intelligence assessments.
Forward-Looking Implications
This incident reflects a broader trend: Microsoft products accounted for 41 zero-day vulnerabilities last year, with 24 actively exploited in the wild. Office components remain a primary attack vector heading into 2026. Organizations must adopt a zero-trust approach to email attachments, implement application whitelisting, and maintain rigorous patch management disciplines. The convergence of sophisticated social engineering, legitimate cloud services for C2, and stealthy backdoors demonstrates that traditional perimeter defenses are insufficient against state-sponsored threats.