APT28 is poking Microsoft Office again—patch CVE-2026-21509

APT28 is exploiting CVE-2026-21509, a Microsoft Office security feature bypass. The group uses malicious RTF files to trigger the flaw and deliver either a dropper that installs an Outlook stealer (“MiniDoor”) or a loader that fetches a Covenant implant. Targets include organisations in Ukraine and parts of the EU. Microsoft issued an out-of-band patch in late January 2026; defenders should apply fixes, block risky attachment types, and monitor for suspicious Office/RTF activity and network beacons.

Russia-linked APT28 is back with a familiar trick: booby-trapped RTFs. Per THN, the crew is abusing CVE-2026-21509, an Office security bypass, to run a two-pronged attack. One path drops an Outlook credential stealer dubbed MiniDoor; the other pulls down Covenant (a popular red-team/post-exploitation framework) via a loader called PixyNetLoader. Targets: Ukraine and parts of the EU.

Why it lands: RTF remains a convenient carrier for exploit chains, and Office's document trust decisions (Protected View, trusted locations) are applied inconsistently in real-world environments.

What to do today:
• Patch immediately—this one got an out-of-band fix from Microsoft.
• Attachment hygiene: block/inspect RTF; strip macros; sandbox high-risk docs.
• EDR detections: watch for Office spawning LOLBins or PowerShell, and for Covenant-style network patterns.
• Email security: strengthen pre-delivery checks; add banners for external senders.
• Identity: enforce MFA with phishing-resistant methods; monitor unusual Outlook token use.
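A detection sketch for the EDR bullet above, added here as an example (not from THN or the original post): it parses constructed Sysmon-style process-creation records and flags an Office parent spawning PowerShell or a LOLBin, with the RTF parent document and an encoded command line as extra context. The field names, sample events and binary lists are assumptions, not values from the reporting.

```python
import ntpath
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child binaries commonly abused for follow-on execution after a document exploit.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
                       "regsvr32.exe", "certutil.exe", "wscript.exe", "cscript.exe", "msbuild.exe"}
# Command-line fragments typical of encoded or download-cradle launches.
CMDLINE_MARKERS = ("-enc", "-encodedcommand", "frombase64string", "downloadstring")

def parse_event(line):
    """Parse 'Key=Value|Key=Value' records (constructed format mirroring Sysmon EID 1 fields)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def detect(lines):
    """Return one alert dict per Office-parent -> suspicious-child process creation."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
            continue  # benign Office children (e.g. print helpers) are not flagged
        reasons = [f"{parent} spawned {child}"]
        if ".rtf" in ev.get("ParentCommandLine", "").lower():
            reasons.append("parent was launched with an RTF document")
        if any(m in ev.get("CommandLine", "").lower() for m in CMDLINE_MARKERS):
            reasons.append("encoded or download-cradle command line")
        alerts.append({"host": ev.get("Host", "?"), "parent": parent,
                       "child": child, "reason": "; ".join(reasons)})
    return alerts

# Constructed sample events: an exploit-like chain, a benign print helper, a non-Office parent.
SAMPLE_EVENTS = [
    r'Host=ws01|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    r'|ParentCommandLine="WINWORD.EXE" /n invoice.rtf'
    r'|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r'|CommandLine=powershell.exe -nop -w hidden -enc ZGVtbw==',
    r'Host=ws01|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    r'|ParentCommandLine="WINWORD.EXE" /n report.docx|Image=C:\Windows\splwow64.exe|CommandLine=splwow64.exe 12288',
    r'Host=ws02|ParentImage=C:\Windows\explorer.exe|ParentCommandLine=explorer.exe'
    r'|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c dir',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample record fires, since the print helper child and the non-Office parent fall outside the parent/child pairing that matters.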

Hygiene that helps tomorrow: harden Office attack-surface reduction rules, deploy Protected View consistently, and keep user training short and regular (phish drills beat posters). CVE numbers change; attacker habits don’t.