Fancy Bear Hackers Exploiting Microsoft Zero-Day Vulnerability to Deploy Backdoors and Email Stealers - CybersecurityNews

CybersecurityNews, archived Mar 17, 2026

The Russia-linked cyber espionage group known as Fancy Bear, also tracked as APT28, has launched Operation Neusploit. The campaign marks a significant escalation: it leverages a zero-day vulnerability, CVE-2026-21509, in Microsoft's RTF file parser. By exploiting this flaw, attackers execute arbitrary code on victim systems and deploy backdoors and email stealers. The campaign targets organizations in Central and Eastern Europe, posing a severe threat to government and military sectors in the region.

The attack distributes malicious RTF documents via phishing emails, using social engineering lures written in English, Romanian, Slovak, and Ukrainian. The primary targets are in Ukraine, Slovakia, and Romania. The documents are designed to be highly convincing, often mimicking official government documents, which increases the likelihood that victims trigger the exploit.

Polyswarm analysts identified the malware and noted its capability to bypass traditional security measures. It employs evasion techniques, checking for specific User-Agent strings and verifying the victim's geographic location before delivering the payload. If these conditions are met, the chain downloads a malicious dropper DLL that installs further malicious components.

Once a system is compromised, the impact is severe. The malware steals sensitive information directly from Microsoft Outlook: it monitors email activity, saves messages, and exfiltrates them to attacker-controlled servers. It also establishes a persistent connection to a command-and-control server, allowing the attackers to maintain long-term access and execute further commands. This communication is often encrypted to avoid detection.

Infection Mechanism and Persistence

The infection involves two dropper DLL variants. The first deploys MiniDoor, a tool that modifies registry keys to downgrade Outlook security and extracts an encrypted script to steal emails. The second introduces PixyNetLoader, which drops payloads such as a PNG file that hides malicious shellcode using steganography.

To ensure persistence, the attackers use COM hijacking: they register their malicious file under a legitimate name, forcing the OS to load it when Explorer restarts. This mechanism allows the malware to survive reboots and continue its espionage activity undetected, and it makes detection extremely difficult for defenders.

Attribute: Details
CVE Identifier: CVE-2026-21509
Vulnerability Type: RTF Parsing Flaw / Arbitrary Code Execution
Affected Component: Microsoft RTF (Rich Text Format) File Parser
Associated Campaign: Operation Neusploit
Threat Actor: Fancy Bear (APT28, Sofacy, Sednit)
Patch Release Date: January 26, 2026 (Out-of-band update)
Active Exploitation: First detected in the wild on January 29, 2026
Attack Vector: Phishing emails containing specially crafted malicious RTF attachments
Target Geographies: Central and Eastern Europe (specifically Ukraine, Slovakia, and Romania)
Impact: Deployment of backdoors (MiniDoor, PixyNetLoader) and email stealers

Organizations should immediately apply the patch for CVE-2026-21509. Security teams must monitor network traffic for the specific User-Agent strings and indicators of compromise associated with Operation Neusploit. It is also crucial to update email security gateways to filter out malicious RTF attachments, and security professionals should consider blocking RTF files entirely if they are not needed for business operations.
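A defender-side check for the COM hijacking persistence described above, added here as an example and not taken from the article or from any vendor's tooling. COM hijacking works because per-user class registrations under HKCU\Software\Classes are consulted before the machine-wide ones in HKLM, so the script enumerates every per-user InprocServer32 entry and flags those that shadow an HKLM CLSID or point at a DLL outside the usual system locations; the function name and the list of trusted roots are this example's own assumptions.

```powershell
# Added example: audit per-user COM InprocServer32 registrations, the
# registry locations COM hijacking abuses. Findings are review candidates,
# not verdicts: legitimate per-user software also registers here.
function Get-UserComOverride {
    $userClsidRoot    = 'HKCU:\Software\Classes\CLSID'
    $machineClsidRoot = 'HKLM:\Software\Classes\CLSID'

    # Assumed set of directories from which a benign in-process server is
    # normally loaded; anything else (AppData, Temp, ProgramData) is suspect.
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { "$_\" }

    if (-not (Test-Path $userClsidRoot)) { return @() }

    foreach ($clsidKey in Get-ChildItem -Path $userClsidRoot) {
        $inproc = Join-Path $clsidKey.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }

        # The default value of InprocServer32 is the DLL that COM will load.
        $dll = (Get-ItemProperty -Path $inproc).'(default)'
        if (-not $dll) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')

        # A per-user key with the same CLSID as an HKLM key overrides the
        # machine registration for medium-integrity processes such as Explorer.
        $shadowsMachine = Test-Path (Join-Path $machineClsidRoot $clsidKey.PSChildName)
        $outsideTrusted = -not ($trustedRoots |
            Where-Object { $expanded.StartsWith($_, 'OrdinalIgnoreCase') })

        if ($shadowsMachine -or $outsideTrusted) {
            [pscustomobject]@{
                CLSID          = $clsidKey.PSChildName
                DllPath        = $expanded
                ShadowsHKLM    = $shadowsMachine
                OutsideTrusted = $outsideTrusted
                DllExists      = Test-Path -LiteralPath $expanded
            }
        }
    }
}

Get-UserComOverride | Sort-Object ShadowsHKLM -Descending | Format-Table -AutoSize
```

Run it in the context of the user whose profile is being examined, since the HKCU hive is per user; elevated processes ignore per-user COM registrations, which is why this technique targets Explorer rather than administrative tooling.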