Zero-Day in Microsoft Office Enables Stealthy Malware Infections - gbhackers.com
By Divya, February 2, 2026

Microsoft disclosed a critical zero-day vulnerability in Office products on January 26, 2026, tracked as CVE-2026-21509, with active exploitation in the wild confirmed. The vulnerability enables attackers to deploy sophisticated malware through malicious document files, targeting government organizations and critical infrastructure.

Indicator Type      Value
CVE                 CVE-2026-21509
Malicious Domains   freefoodaid[.]com, wellnesscaremed[.]com, wellnessmedcare[.]org
C2 Infrastructure   *.filen.net, *.filen.io (146.0.41.204-208, 146.0.41.231-234)
Malicious Files     BULLETEN_H.doc, Consultation_Topics_Ukraine(Final).doc
Persistence Task    OneDriveHealth
Threat Actor        UAC-0001 (APT28)

Attack Campaign Emerges Within 48 Hours

Security researchers discovered the first weaponized document on January 29, 2026, just three days after Microsoft's advisory. The malicious file, titled "Consultation_Topics_Ukraine(Final).doc," masqueraded as European Union COREPER committee materials regarding Ukraine consultations. Metadata analysis revealed the document was created on January 27 at 07:43 UTC, indicating rapid exploit development following the vulnerability disclosure.

The same day, threat actors launched a coordinated phishing campaign impersonating Ukraine's Hydrometeorological Center. The malicious emails, carrying a weaponized DOC file named "BULLETEN_H.doc," were distributed to over 60 email addresses, primarily targeting Ukrainian central executive government agencies.

Technical Exploitation Chain

Opening the malicious document in Microsoft Office initiates a WebDAV connection to external infrastructure, which downloads a shortcut file containing executable code.

Figure: Exploitation Chain (source: Ukraine Gov Official)

The payload deploys several components: a DLL file, "EhStoreShell.dll," disguised as an Enhanced Storage Shell Extension; an image file, "SplashScreen.png," containing shellcode; and registry modifications that implement COM hijacking via CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}. The malware establishes persistence via a scheduled task named "OneDriveHealth" that terminates and restarts the explorer.exe process.

Figure: Exploit Content (source: Ukraine Gov Official)

Restarting explorer.exe causes the hijacked COM class to load the malicious DLL, which executes the shellcode from the image file and ultimately deploys the COVENANT post-exploitation framework. The attack infrastructure leverages the legitimate cloud storage service Filen (filen.io) for command-and-control communications, complicating detection efforts.

Security analysts identified three additional exploit documents in late January 2026, targeting European Union organizations. Analysis of embedded URLs, document structure, and infrastructure patterns suggests attribution to UAC-0001, also tracked as APT28, a Russian state-sponsored threat group. One attack on January 30, 2026, used a domain registered that same day, demonstrating the operation's speed. The rapid weaponization timeline and the targeting of government entities indicate coordinated espionage operations.

Microsoft recommends immediate Windows registry configuration changes and the application of available security updates. Organizations should monitor or block network connections to Filen infrastructure and implement enhanced email filtering for Office documents. Exploitation of the vulnerability before patches are widely deployed creates an extended risk window. Security teams should prioritize Microsoft Office updates and implement the recommended mitigations to prevent compromise.
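A simple indicator-matching check built from the IoC table above, as an added example that is not part of the original article. The key=value telemetry format, the sample lines, and the host name ws01 are constructed for illustration; the domains, IP ranges, task name, CLSID and file names are the article's own indicators.

```python
import re
# Indicators copied from the article's IoC table (CVE-2026-21509 / UAC-0001 campaign).
MALICIOUS_DOMAINS = {"freefoodaid.com", "wellnesscaremed.com", "wellnessmedcare.org"}
C2_DOMAIN_SUFFIXES = ("filen.net", "filen.io")  # legitimate cloud storage abused for C2
C2_IPS = {f"146.0.41.{h}" for h in (*range(204, 209), *range(231, 235))}
MALICIOUS_FILES = {"bulleten_h.doc", "consultation_topics_ukraine(final).doc"}
PERSISTENCE_TASK = "onedrivehealth"
HIJACKED_CLSID = "{d9144dcd-e998-4eca-ab6a-dcd83ccba16d}"
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # constructed key=value line format

def parse_event(line):
    """Parse one constructed key=value telemetry line; values are lowercased."""
    return {k: v.strip('"').lower() for k, v in _KV.findall(line)}

def host_matches(host):
    host = host.rstrip(".")
    if host in MALICIOUS_DOMAINS:
        return "phishing/staging domain from IoC table"
    if any(host == s or host.endswith("." + s) for s in C2_DOMAIN_SUFFIXES):
        return "Filen infrastructure used as C2 (legitimate service: review context)"
    return None

def classify(ev):
    """Return a reason string if the event hits a campaign indicator, else None."""
    kind = ev.get("event")
    if kind in ("dns", "net"):
        if ev.get("dst_ip") in C2_IPS:
            return "C2 IP range 146.0.41.204-208 / 146.0.41.231-234"
        return host_matches(ev.get("query") or ev.get("dst_host", ""))
    if kind == "task" and ev.get("name") == PERSISTENCE_TASK:
        return "persistence scheduled task OneDriveHealth"
    if kind == "reg" and HIJACKED_CLSID in ev.get("key", ""):
        return "COM hijacking CLSID written"
    if kind == "file" and ev.get("name") in MALICIOUS_FILES:
        return "known weaponized document name"
    return None

def scan(lines):
    """Return (line_number, reason) for each telemetry line matching an indicator."""
    return [(n, r) for n, l in enumerate(lines, 1) if (r := classify(parse_event(l)))]

# Constructed sample telemetry (not from the article): one line per rule plus one benign line.
SAMPLE_LOG = [
    'event=dns host=ws01 query=wellnessmedcare.org',
    'event=net host=ws01 dst_host=cdn.filen.io dst_ip=146.0.41.205',
    'event=net host=ws01 dst_host=update.microsoft.com dst_ip=20.1.2.3',
    'event=task host=ws01 action=create name=OneDriveHealth',
    'event=reg host=ws01 key="HKCU\\Software\\Classes\\CLSID\\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\\InprocServer32"',
    'event=file host=ws01 name="Consultation_Topics_Ukraine(Final).doc"',
]
```

Because Filen is a legitimate service, a *.filen.io hit is a lead for triage rather than a verdict on its own; the scheduled task, CLSID write and document names are the higher-confidence signals.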