APT28 Exploits MSHTML Zero-Day Ahead of February 2026 Patch Tuesday - cyberpress.org
APT28 Exploits MSHTML Zero-Day Ahead of February 2026 Patch Tuesday
By AnuPriya
March 2, 2026
Categories: Cyber Security News, Cybersecurity, Zero-day
Microsoft’s February 2026 Patch Tuesday fixed 59 flaws, but CVE-2026-21513 in the MSHTML framework stole the spotlight.
This security bypass vulnerability hit all Windows versions, earned a CVSS score of 8.8, and saw active exploitation in the wild by APT28, Russia’s state-sponsored hackers.
Akamai researchers used PatchDiff-AI to dissect the patch and link it to real attacks.
Vulnerability Breakdown
CVE-2026-21513 lives in ieframe.dll, an Internet Explorer component. The flaw sits in its hyperlink navigation logic and lets attackers slip past browser safeguards.
Weak URL checks feed malicious input to ShellExecuteExW, which runs local or remote files outside the sandbox.
Attackers bypass Mark of the Web (MotW) and IE Enhanced Security Configuration (IE ESC) using nested iframes and DOM tricks.
A malicious .LNK file, flagged on VirusTotal January 30, 2026, kicks it off. It embeds HTML that phones home to wellnesscaremed[.]com, tied to APT28.
JavaScript like document.Script.open("http:///", "_parent") in iframes dodges warnings, triggers _AttemptShellExecuteForHlinkNavigate, and drops payloads.
This works via any MSHTML host, not just IE; think phishing emails or embedded controls. MITRE tactics: T1204.001 (User Execution: Malicious File) and T1566.001 (Phishing: Spearphishing Attachment).
CVE ID: CVE-2026-21513
CVSS Score: 8.8 (High)
Affected Component: ieframe.dll (MSHTML)
Exploitation Status: Actively exploited
Patch Date: Feb 2026 Patch Tuesday
Attribution: APT28 (Russia)
Microsoft added strict protocol checks (file://, http://, https://) to keep actions in-browser, blocking ShellExecuteExW abuse. Full mitigation demands the update.
Apply patches now via Microsoft’s guide. Hunt for IOCs below. Tools like Akamai Hunt flag T1204.001 and T1566.001 patterns.
Key IOCs
SHA256: aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa (document.doc.LNK)
Domain: wellnesscaremed[.]com
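A small hunting helper for the two indicators above, added here as an example and not code from the article or from Akamai. It refangs the domain as printed, hashes files under a directory against the published SHA256, and scans proxy log lines for the domain or any of its subdomains; the log lines and the scratch file are constructed for the demo, so the real hash is never expected to match.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# IoCs exactly as printed in the article (the domain is defanged there).
IOC_SHA256 = "aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa"
IOC_DOMAIN_DEFANGED = "wellnesscaremed[.]com"

SAMPLE_PROXY_LOG = [  # constructed for the demo, not from the article or any real network
    "2026-02-11T09:14:03Z src=10.0.8.23 host=update.microsoft.com status=200",
    "2026-02-11T09:15:41Z src=10.0.8.23 host=wellnesscaremed.com status=200",
    "2026-02-11T09:15:42Z src=10.0.8.23 host=cdn.wellnesscaremed.com status=200",
    "2026-02-11T09:16:10Z src=10.0.8.31 host=notwellnesscaremed.com status=404",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ([.], [:], hxxp) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def hunt_files(root: Path, bad_hashes: set) -> list:
    """Every regular file under root whose SHA256 is on the block list."""
    return [p for p in root.rglob("*") if p.is_file() and sha256_of(p) in bad_hashes]

def hunt_logs(lines, bad_domains: set) -> list:
    """(line number, domain) for lines naming a bad domain or one of its subdomains."""
    hits = []
    for n, line in enumerate(lines, 1):
        for d in sorted(bad_domains):
            # Lookarounds stop 'notwellnesscaremed.com' and 'wellnesscaremed.com.example' matching.
            pat = r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(d) + r"(?![\w-]|\.[\w-])"
            if re.search(pat, line, re.I):
                hits.append((n, d))
    return hits

def demo() -> dict:
    """Self-check on constructed data: a scratch file is found by its own hash, never
    by the real IoC hash; the sample log is matched by the refanged domain."""
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp) / "document.doc.LNK"  # stand-in name only, harmless bytes
        scratch.write_bytes(b"constructed placeholder, not the real sample")
        file_hits = [p.name for p in hunt_files(Path(tmp), {IOC_SHA256, sha256_of(scratch)})]
    return {"file_hits": file_hits,
            "log_hits": hunt_logs(SAMPLE_PROXY_LOG, {refang(IOC_DOMAIN_DEFANGED)})}
```

Point hunt_files at a download or mail-attachment directory and hunt_logs at exported proxy or DNS logs to run it against real data.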
Expect more vectors beyond LNK phishing. PatchDiff-AI, which speeds up root-cause hunts, is slated for a demo at RSAC 2026. Stay vigilant against APT28’s campaigns.
AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.