Hackers Actively Exploit Microsoft Office Zero-Day to Deliver Malware - cyberpress.org
By AnuPriya
February 2, 2026
Categories: Cyber Security News, Cybersecurity, Malware, Zero-day
A sophisticated cyber espionage campaign leveraging a critical zero-day vulnerability in Microsoft Office has targeted Ukrainian government agencies and European Union institutions, security researchers have confirmed.
The threat group UAC-0001, widely tracked as APT28 and attributed to Russian military intelligence, deployed advanced malware payloads through weaponized documents exploiting CVE-2026-21509 within hours of Microsoft’s public disclosure.
Vulnerability Exploited Within 24 Hours of Disclosure
Microsoft published details of CVE-2026-21509 on Monday, January 26, 2026, acknowledging active exploitation of the vulnerability affecting multiple Office product versions.
Security analysts from CERT-UA discovered the first weaponized document on January 29, 2026, indicating threat actors had developed functional exploits within 72 hours of the advisory.
The malicious file “Consultation_Topics_Ukraine(Final).doc” appeared in the wild with metadata timestamps showing creation on January 27, 2026, at 07:43 UTC, merely one day after Microsoft’s disclosure.
The exploitation mechanism operates through specially crafted DOC files that establish network connections to attacker-controlled infrastructure via the WebDAV protocol when opened in vulnerable Microsoft Office installations.
The attack sequence downloads a malicious shortcut file containing embedded program code designed to retrieve and execute additional payloads from remote servers.
Successful exploitation results in the deployment of multiple components, including a DLL named “EhStoreShell.dll” that masquerades as the legitimate Enhanced Storage Shell Extension library, and an image file “SplashScreen.png” containing shellcode.
The attack implements COM hijacking techniques by modifying Windows registry values for CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} and establishes persistence through a scheduled task named “OneDriveHealth.”
This configuration ensures the malicious DLL loads automatically when the Windows Explorer process restarts, ultimately deploying the COVENANT post-exploitation framework.
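The persistence chain described above (a hijacked CLSID pointing at a look-alike DLL, plus a scheduled task) leaves host artifacts an administrator can check for. The following read-only PowerShell script is an added example written for this page; it is not CERT-UA's or Microsoft's tooling, and the helper names, output fields and the search locations are assumptions. It uses only the CLSID, task name and DLL name quoted in the article.

```powershell
# Added example (not from the article). Read-only triage of the persistence
# artifacts described in the text. Run in an elevated PowerShell 5.1+ session.
# Helper names, output fields and search paths below are assumptions.

$Clsid    = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'   # CLSID named in the article
$TaskName = 'OneDriveHealth'                           # scheduled task named in the article
$DllName  = 'EhStoreShell.dll'                         # DLL name named in the article

function Get-ComHijackIndicator {
    # COM hijacks commonly live under HKCU, which Explorer consults before HKLM,
    # so report the InprocServer32 default value from both hives side by side.
    $paths = @(
        "HKCU:\Software\Classes\CLSID\$Clsid\InprocServer32",
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $server = (Get-ItemProperty -Path $p).'(default)'
            # The genuine shell extension DLLs ship under %SystemRoot%\System32;
            # anything else (user profile, ProgramData, temp) deserves a closer look.
            $suspicious = $server -and ($server -notlike "$env:SystemRoot\System32\*")
            [pscustomobject]@{
                Hive           = $p
                InprocServer32 = $server
                Suspicious     = [bool]$suspicious
            }
        }
    }
}

function Get-SuspiciousTask {
    # Report the task's actions so the analyst sees what it actually launches.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
}

function Find-MasqueradingDll {
    # Look for copies of the DLL name outside System32; the user profile and
    # ProgramData are searched here as an assumption about likely drop locations.
    $roots = @($env:USERPROFILE, $env:ProgramData)
    Get-ChildItem -Path $roots -Recurse -File -Filter $DllName -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Write-Host "== CLSID $Clsid InprocServer32 =="
Get-ComHijackIndicator | Format-Table -AutoSize
Write-Host "== Scheduled task '$TaskName' =="
Get-SuspiciousTask | Format-Table -AutoSize
Write-Host "== '$DllName' outside System32 =="
Find-MasqueradingDll | Format-Table -AutoSize
```

An empty result for all three checks is not proof of a clean host, since the task name and DLL name are trivially changed between campaigns; the CLSID check is the more durable of the three because the hijack has to target a CLSID that Explorer actually loads.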
The threat actors notably leverage legitimate Filen cloud storage infrastructure for command-and-control communications, complicating detection efforts.
On January 29, 2026, Ukrainian organizations received phishing emails purportedly from the Ukrhydrometeorological Center containing the weaponized document “BULLETEN_H.doc.”
The campaign targeted over 60 email addresses primarily belonging to central executive government bodies.
CERT-UA researchers identified three additional exploit documents in late January 2026 designed for attacks against European Union entities, with infrastructure analysis revealing one domain registered on January 30, 2026, the same day it was deployed in active operations.
CVE Identifier    Affected Products           Vulnerability Type       CVSS Score      Exploitation Status
CVE-2026-21509    Microsoft Office Products   Remote Code Execution    Not Available   Actively Exploited
Security authorities strongly recommend the immediate implementation of Microsoft’s published registry-based mitigations to reduce attack surface exposure.
Organizations should disable or monitor network connections to Filen cloud storage infrastructure, including domains under *.filen.net, *.filen.io, and associated IP addresses in the 146.0.41.x range.
The rapid weaponization timeline and targeting of government entities suggest the vulnerability will see increased exploitation as organizations face challenges deploying patches across enterprise environments.
System administrators should prioritize Office security updates and implement enhanced monitoring for WebDAV protocol connections and suspicious scheduled tasks.
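The monitoring recommendations above (Filen domains, the 146.0.41.x range, WebDAV activity) can be turned into a simple log-matching routine. The script below is an added example written for this page, not tooling from CERT-UA or Microsoft; the log line format is constructed for the demonstration, and the function names are assumptions. It matches the indicators quoted in the article against any text log (DNS, proxy, firewall) and additionally reports the state of the Windows WebClient service, which is the component that issues WebDAV requests on a Windows client.

```powershell
# Added example (not from the article). Matches the article's network indicators
# against log lines and reports WebDAV client status. Function names and the
# sample log format are assumptions; the sample lines are constructed.

# Hostnames ending in filen.net / filen.io, and IPv4 addresses in 146.0.41.0/24
$IocHostPattern = '(?i)(^|\.)filen\.(net|io)$'
$IocIpPattern   = '^146\.0\.41\.\d{1,3}$'

function Find-IocHits {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Pull every token that looks like a hostname or dotted-quad IPv4 address.
        $tokens = [regex]::Matches($line, '[A-Za-z0-9.-]+\.[A-Za-z0-9-]+') |
                  ForEach-Object { $_.Value }
        foreach ($t in $tokens) {
            if ($t -match $IocHostPattern -or $t -match $IocIpPattern) {
                [pscustomobject]@{ Indicator = $t; Line = $line }
            }
        }
    }
}

function Get-WebDavClientState {
    # WebDAV requests from Office go through the WebClient service; if it is
    # stopped and disabled, the initial WebDAV connection cannot be made from
    # this host by that path. Report, do not change, the state.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        [pscustomobject]@{
            Service   = $svc.Name
            Status    = $svc.Status
            StartType = $svc.StartType
        }
    }
}

# Constructed sample lines (not real telemetry) in an assumed "key=value" format.
$sampleLog = @(
    '2026-01-29T10:15:02Z src=10.0.0.5 query=cdn.filen.io rcode=NOERROR',
    '2026-01-29T10:15:03Z src=10.0.0.5 dst=146.0.41.17 dport=443 action=allow',
    '2026-01-29T10:16:40Z src=10.0.0.8 query=login.microsoftonline.com rcode=NOERROR',
    '2026-01-29T10:17:11Z src=10.0.0.9 dst=146.0.42.9 dport=443 action=allow'
)

Write-Host '== Indicator hits in sample log =='
Find-IocHits -Lines $sampleLog | Format-Table -AutoSize
# Expected: two hits (cdn.filen.io and 146.0.41.17); the last two lines do not match.

Write-Host '== WebClient (WebDAV redirector) service =='
Get-WebDavClientState | Format-Table -AutoSize
```

To run this against real data, replace `$sampleLog` with `Get-Content` on an exported DNS or proxy log. Because Filen is a legitimate service, a hit is a lead for investigation rather than a verdict; correlate it with the host checks (CLSID, scheduled task, DLL location) before acting.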
AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.