Vulnerabilities & CVEs · Archived Apr 24, 2026

APT28 Hackers Exploit Microsoft Office Zero-Day In Active Malware Campaign - cyberpress.org



By Varshini, February 3, 2026. Categories: APT, Cyber Security News, Zero-day

Russia-linked APT28 is running a campaign that Zscaler ThreatLabz tracks as Operation Neusploit. In January 2026 ThreatLabz observed the group using crafted RTF files to exploit a then-unpatched Microsoft Office vulnerability, CVE-2026-21509, against targets in Central and Eastern Europe, including Ukraine, Slovakia, and Romania. The objective is to drop backdoors for espionage and data theft. Microsoft released an out-of-band fix on January 26, but exploitation continued until at least January 29, so a patched Office build is no guarantee that a host was not hit earlier in the window.

APT28, long known for targeting governments and stealing secrets, used social-engineering lures written in English, Romanian, Slovak, and Ukrainian. The malicious DLLs were gated behind server-side checks: the staging server served them only to requests arriving from the targeted regions with the expected User-Agent header, which also keeps the second stage away from analysts and sandboxes outside those regions. Two dropper variants lead to either MiniDoor, an email stealer, or PixyNetLoader, which deploys a Covenant Grunt implant.

MiniDoor Email Theft

The first variant drops MiniDoor, a small C++ DLL that plants a malicious Outlook VBA project. It creates the mutex "adjgfenkbe" so that only one copy runs, and decrypts its payload with single-byte XOR keys such as 0x3a. It creates the folder %appdata%\Microsoft\Outlook, writes VbaProject.OTM there, and sets the following registry values so that Outlook loads the project automatically and never warns the user:

Subkey                                                   Value name                Value   Effect
HKCU\Software\Microsoft\Office\16.0\Outlook\Security     Level                     1       Enables all macros
Software\Microsoft\Office\16.0\Outlook\Options\General   PONT_STRING               0x20    Disables content warnings
Software\Microsoft\Office\16.0\Outlook                   LoadMacroProviderOnBoot   1       Loads the macro provider when Outlook starts

Once Outlook logs in, MiniDoor scans the Inbox, RssFeeds, Junk, and Drafts folders. It forwards unread emails as .msg attachments to ahmeclaw2002@outlook.com and ahmeclaw@proton.me, marks them as sent, and handles new-mail events so that messages arriving later are stolen as well. It is a stripped-down cousin of NotDoor, APT28's earlier Outlook backdoor.
PixyNetLoader Chain

The second, more complex chain starts with the PixyNetLoader DLL. It checks whether %programdata%\USOPublic\Data\User\EhStoreShell.dll already exists; if not, it decrypts its embedded payloads with a long XOR key and writes three files:

Location                                                         Size (bytes)   Description
%programdata%\Microsoft OneDrive\setup\Cache\SplashScreen.png    0x39649        Shellcode hidden in the image (steganography)
%programdata%\USOPublic\Data\User\EhStoreShell.dll               0x36200        Shellcode loader
%temp%\Diagnostics\office.xml                                    0xDE4          Scheduled task definition

For persistence it hijacks a COM object through the registry so that the loader is pulled into explorer.exe, then registers a scheduled task named "OneDriveHealth" that restarts explorer (which makes the hijacked object load) and then removes itself. EhStoreShell.dll proxies the legitimate DLL's exports so that the hijack does not break the host process, checks for sandboxes with Sleep() timing and process validation, and recovers the shellcode from the PNG's pixel data using least-significant-bit (LSB) steganography. The shellcode hosts the CLR and loads a .NET Covenant Grunt, which uses the Filen cloud-storage API as a C2 bridge, so beaconing looks like traffic to a legitimate cloud service rather than to attacker infrastructure.

Attribution and evasion

Zscaler attributes the campaign to APT28 on the basis of the victim regions, MiniDoor's lineage from NotDoor, the reuse of Filen as a C2 channel seen in earlier campaigns such as Phantom Net Voxel, and familiar TTPs such as COM hijacking and DLL proxying. Evasion techniques across the chain include mutexes, dynamic API resolution via DJB2 hashes (the loader carries no telling import table), and time-based checks.

Mitigation and detection

Apply Microsoft's January 26 out-of-band patch for CVE-2026-21509. Because exploitation continued after the patch shipped, treat RTF and Office documents received from unexpected senders in that window as suspect and hunt for the host artifacts listed above. Zscaler's sandbox detects these samples as RTF.Exploit.CVE-2026-21509 and Win32.Spyware.MiniDoor.

Key file IOCs (select hashes; full list on Zscaler's GitHub):

MD5 / SHA1 / SHA256                                                                                         Filename                                 Description
95e59536455a089ced64f5af2539a449 / … / b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546   Consultation_Topics_Ukraine(Final).doc   RTF exploit
f3b869a8d5ad243e35963ba6d7f89855 / … / a944a09783023a2c6c62d3601cbd5392a03d808a6a51728e07a3270861c2a8ee   2_2.d                                    MiniDoor dropper

MITRE ATT&CK mappings include T1566.001 (spearphishing attachment), T1203 (exploitation for client execution), T1546.015 (component object model hijacking), and T1114 (email collection).
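The persistence and staging artifacts described above (MiniDoor's registry values and VbaProject.OTM, PixyNetLoader's three dropped files, the OneDriveHealth task, the COM hijack and the mutex) are concrete enough to hunt for on an endpoint. The PowerShell script below is an added example written for this page; it is not code from the article, from Zscaler or from the malware. It assumes Office 16.0 paths, that all three MiniDoor registry values live under HKCU (the article names the hive only for the first), that the COM hijack is a per-user CLSID under HKCU\Software\Classes whose InprocServer32 points at EhStoreShell.dll (the article gives no CLSID), and that the mutex may be session-local or Global. Run it as the affected user so that %appdata% and %temp% resolve to that user's profile.

```powershell
# Added example for this page, not code from the article, Zscaler or the malware.
# Hunts for the Operation Neusploit host artifacts named in the text. Assumptions:
# Office 16.0 paths; all three registry values under HKCU; COM hijack as a per-user
# CLSID under HKCU\Software\Classes; mutex name session-local or Global.

function Test-NeusploitRegistry {
    $checks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Security';        Name = 'Level';                   Bad = 1;    Why = 'all macros enabled' }
        @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\General'; Name = 'PONT_STRING';             Bad = 0x20; Why = 'content warnings suppressed' }
        @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Outlook';                 Name = 'LoadMacroProviderOnBoot'; Bad = 1;    Why = 'VBA project loaded at Outlook start' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = $item.($c.Name)
        # PONT_STRING may be stored as a string; compare numerically when the cast works.
        $hit = $false
        try { $hit = ([int]$value -eq [int]$c.Bad) } catch { $hit = ("$value" -eq "$($c.Bad)") }
        if ($hit) {
            [pscustomobject]@{ Indicator = 'Registry'; Detail = "$($c.Path)\$($c.Name) = $value ($($c.Why))" }
        }
    }
}

function Test-NeusploitFiles {
    # Paths and sizes as reported in the article; VbaProject.OTM has no reported size.
    $files = @(
        @{ Path = (Join-Path $env:APPDATA     'Microsoft\Outlook\VbaProject.OTM');                Size = $null;   Why = 'MiniDoor Outlook VBA project (legitimate if the user wrote macros)' }
        @{ Path = (Join-Path $env:ProgramData 'Microsoft OneDrive\setup\Cache\SplashScreen.png'); Size = 0x39649; Why = 'stego-hidden shellcode' }
        @{ Path = (Join-Path $env:ProgramData 'USOPublic\Data\User\EhStoreShell.dll');           Size = 0x36200; Why = 'shellcode loader' }
        @{ Path = (Join-Path $env:TEMP        'Diagnostics\office.xml');                         Size = 0xDE4;   Why = 'scheduled task config' }
    )
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath $f.Path)) { continue }
        $fi = Get-Item -LiteralPath $f.Path
        $sizeNote = ''
        if ($null -ne $f.Size) {
            $sizeNote = if ($fi.Length -eq $f.Size) { ', size matches report' } else { ", size $($fi.Length) differs from reported $($f.Size)" }
        }
        $hash = (Get-FileHash -LiteralPath $f.Path -Algorithm SHA256).Hash
        [pscustomobject]@{ Indicator = 'File'; Detail = "$($f.Path) sha256=$hash$sizeNote ($($f.Why))" }
    }
}

function Test-NeusploitTask {
    $task = Get-ScheduledTask -TaskName 'OneDriveHealth' -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{ Indicator = 'ScheduledTask'; Detail = "OneDriveHealth in $($task.TaskPath): $actions" }
    }
}

function Test-NeusploitComHijack {
    # User-level COM hijack: an HKCU CLSID entry shadows the HKLM one for that user's processes.
    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = "$($_.PSPath)\InprocServer32"
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($dll -and $dll -match 'EhStoreShell\.dll') {
                [pscustomobject]@{ Indicator = 'COMHijack'; Detail = "$($_.PSChildName) InprocServer32 -> $dll" }
            }
        }
    }
}

function Test-NeusploitMutex {
    foreach ($name in @('adjgfenkbe', 'Global\adjgfenkbe')) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $m.Dispose()
                [pscustomobject]@{ Indicator = 'Mutex'; Detail = "$name is held by a running process" }
            }
        } catch [System.UnauthorizedAccessException] {
            [pscustomobject]@{ Indicator = 'Mutex'; Detail = "$name exists but access was denied" }
        }
    }
}

function Invoke-NeusploitHunt {
    $findings = @(Test-NeusploitRegistry; Test-NeusploitFiles; Test-NeusploitTask; Test-NeusploitComHijack; Test-NeusploitMutex)
    if ($findings.Count -eq 0) { Write-Output 'No Neusploit artifacts found (absence of these IOCs is not a clean bill).' }
    else { $findings | Format-Table -AutoSize -Wrap }
    return $findings
}

Invoke-NeusploitHunt
```

VbaProject.OTM on its own, or a non-default PONT_STRING, is not proof of compromise (users who write their own Outlook macros have the former), so weight the combination of findings, and check the SHA256 of any file the script reports against Zscaler's full IOC list before acting on it.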
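The evasion list above mentions dynamic API hashing with DJB2. When a loader resolves its imports by hash, analysts rebuild the mapping the other way round: hash every plausible API name and match the constants pulled from the sample. The script below is an added example for this page, not code from the article or from the malware. It assumes the classic 32-bit djb2 variant (seed 5381, h = h*33 + c over the ASCII name, case-sensitive), which has to be confirmed against the sample's own hashing routine, and the hashes in the usage call are constructed from known names rather than taken from the sample.

```powershell
# Added example for this page, not code from the article or from the malware.
# Assumption: classic 32-bit djb2 (seed 5381, h*33 + c, case-sensitive ASCII). The
# real variant (seed, case folding, whether the NUL terminator is hashed) must be
# read from the loader's hashing routine before trusting any resolution.

function Get-Djb2Hash {
    param([Parameter(Mandatory)][string]$Name)
    [uint64]$h = 5381
    foreach ($c in $Name.ToCharArray()) {
        # h*33 + c, truncated to 32 bits as the native DWORD arithmetic would do.
        $h = ($h * 33 + [int]$c) % 4294967296
    }
    return [uint32]$h
}

function Resolve-ApiHash {
    param(
        [Parameter(Mandatory)][uint32[]]$Hash,
        # Candidate names: APIs a CLR-hosting shellcode loader typically needs.
        [string[]]$Candidates = @('LoadLibraryA', 'LoadLibraryW', 'GetProcAddress', 'VirtualAlloc',
            'VirtualProtect', 'CreateThread', 'Sleep', 'CreateMutexA', 'CreateMutexW',
            'OpenProcess', 'GetModuleHandleA', 'CLRCreateInstance', 'CoInitializeEx', 'ExitProcess')
    )
    $table = @{}
    foreach ($n in $Candidates) { $table[[uint32](Get-Djb2Hash $n)] = $n }
    foreach ($h in $Hash) {
        $name = if ($table.ContainsKey([uint32]$h)) { $table[[uint32]$h] } else { '<unresolved: extend the candidate list>' }
        [pscustomobject]@{ Hash = ('0x{0:X8}' -f $h); Name = $name }
    }
}

# Usage: these hashes are constructed by hashing known names; in practice they are
# the constants read from the sample's disassembly. The last name is deliberately
# absent from the candidate list to show the unresolved case.
Resolve-ApiHash -Hash (Get-Djb2Hash 'VirtualAlloc'), (Get-Djb2Hash 'Sleep'), (Get-Djb2Hash 'NtQueryInformationProcess')
```

To cover a sample properly, feed the candidate list from the export tables of kernel32.dll, ntdll.dll, mscoree.dll and ole32.dll rather than a hand-written list, and re-run once the variant is confirmed; a single wrong assumption about case folding silently turns every hash into an unresolved one.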