EXECUTIVE SUMMARY:
Operation Neusploit is a targeted cyber campaign attributed to the advanced persistent threat group APT28, focusing on the exploitation of a critical Microsoft Office vulnerability, CVE-2026-21509. The operation demonstrates a well-coordinated attack strategy designed to compromise victims through malicious document delivery and silent exploitation. Attackers rely on specially crafted RTF files that trigger remote code execution when opened, without requiring users to enable macros or interact with security prompts. This significantly increases the success rate of the attack and lowers user suspicion. The campaign employs socially engineered email lures written in multiple regional languages to improve credibility and engagement among targeted recipients. Once the malicious document is opened, the vulnerability is abused to download and execute additional payloads from attacker-controlled infrastructure. The activity shows strong indicators of deliberate targeting and operational planning, aligning with APT28’s historical focus on espionage-driven objectives. The campaign reflects a broader trend of threat actors rapidly weaponizing newly disclosed vulnerabilities to gain early access advantages before widespread defensive controls are fully deployed.
The infection chain in Operation Neusploit begins with a weaponized RTF document that exploits CVE-2026-21509 to initiate execution of a malicious DLL hosted on external infrastructure. Two primary execution paths were observed. In one path, the dropper deploys a malicious Outlook-focused component known as MiniDoor, which manipulates registry settings to weaken security controls and persist within the Outlook environment. This implant automates the collection and exfiltration of emails from multiple mailbox folders, enabling long-term surveillance of victim communications. The second execution path involves a more complex multi-stage loader called PixyNetLoader. This loader establishes persistence using COM object hijacking and scheduled tasks, then decrypts and launches additional payloads. One of these payloads is hidden within an image file using steganography, allowing shellcode to be extracted and executed in memory. This ultimately results in the deployment of a Covenant-based implant that enables interactive command-and-control access. The use of encrypted payloads, fileless execution, and layered persistence mechanisms highlights the campaign’s emphasis on stealth and resilience.
Operation Neusploit underscores the continued evolution of APT28’s operational capabilities and its ability to rapidly integrate vulnerability exploitation into active campaigns. By leveraging a Microsoft Office flaw rather than relying on traditional macro-based delivery, the attackers effectively bypass common defensive controls and user awareness measures. The campaign’s modular design, which includes lightweight email-stealing components, advanced loaders, and memory-resident implants, allows the threat actor to adapt post-exploitation actions based on the value of the compromised environment. Techniques such as steganography, registry abuse, and COM hijacking further complicate detection and forensic analysis. The operation also highlights the importance of monitoring document-based exploitation behavior and abnormal DLL execution patterns rather than focusing solely on known malware signatures. From a defensive perspective, this activity reinforces the need for rapid vulnerability remediation, robust endpoint monitoring, and detection strategies capable of identifying exploitation chains and anomalous process behavior. Overall, Operation Neusploit represents a highly targeted malware campaign that blends exploitation, persistence, and covert data access into a single, tightly integrated attack framework.
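The closing paragraph argues for chain-oriented detection over signatures. The following is an added example (not code from the Zscaler report) that scores the stages this summary describes over constructed Sysmon-style telemetry: an Office process loading a DLL from a UNC or user-writable path, a per-user COM InprocServer32 registration (the T1546.015 pattern), and a scheduled-task creation descending from the Office process lineage. Host names, paths, the CLSID and the event layout are all placeholders.

```python
import re
from collections import defaultdict

# Constructed telemetry for illustration only; no value here comes from the report.
# Fields: host, event kind, process, parent process, detail (path, key or args).
EVENTS = [
    ("h1", "process_create", "WINWORD.EXE", "explorer.exe", r"C:\Users\a\Temp\invite.rtf"),
    ("h1", "image_load", "WINWORD.EXE", "explorer.exe", r"\\198.51.100.7\pub\stage.dll"),
    ("h1", "process_create", "rundll32.exe", "WINWORD.EXE", r"C:\Users\a\AppData\Roaming\x.dll,Run"),
    ("h1", "registry_set", "rundll32.exe", "WINWORD.EXE",
     r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"),
    ("h1", "process_create", "schtasks.exe", "rundll32.exe", "/create /tn Updater /tr x.exe"),
    ("h2", "process_create", "WINWORD.EXE", "explorer.exe", r"C:\Users\b\Documents\notes.docx"),
    ("h2", "process_create", "schtasks.exe", "cmd.exe", "/query"),
]

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# DLLs loaded by Office from a network share or a user-writable profile directory.
UNTRUSTED_DLL = re.compile(r"^(\\\\|[a-z]:\\users\\[^\\]+\\(appdata|temp))", re.I)
# A user-hive CLSID InprocServer32 entry shadows the machine-wide one: COM hijacking.
COM_HIJACK = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9a-f-]+\}\\InprocServer32", re.I)


def detect_chain(events):
    """Return {host: sorted stage names} for hosts showing two or more chain stages."""
    stages = defaultdict(set)
    lineage = defaultdict(set)  # processes descended from an Office parent, per host
    for host, kind, proc, parent, detail in events:
        if kind == "process_create" and (parent in OFFICE or parent in lineage[host]):
            lineage[host].add(proc)
        if kind == "image_load" and proc in OFFICE and UNTRUSTED_DLL.search(detail):
            stages[host].add("office_untrusted_dll")
        if kind == "registry_set" and COM_HIJACK.search(detail):
            stages[host].add("com_hijack")
        if (kind == "process_create" and proc.lower() == "schtasks.exe"
                and "/create" in detail.lower() and parent in lineage[host]):
            stages[host].add("office_lineage_schtask")
    # A single stage is noisy on its own; requiring two ties the events into a chain.
    return {h: sorted(s) for h, s in stages.items() if len(s) >= 2}


if __name__ == "__main__":
    for host, hits in detect_chain(EVENTS).items():
        print(host, "->", ", ".join(hits))
```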
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1203 | Exploitation for Client Execution | - |
| Execution | T1059 | Command and Scripting Interpreter | - |
| Execution | T1106 | Native API | - |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1546.015 | Event Triggered Execution | COM Hijacking |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism | - |
| Defense Evasion | T1027 | Obfuscated Files or Information | - |
| Defense Evasion | T1218 | System Binary Proxy Execution | - |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | - |
| Credential Access | T1555 | Credentials from Password Stores | - |
| Discovery | T1082 | System Information Discovery | - |
| Collection | T1114.001 | Email Collection | Local Email Collection |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Execution | E1203 | Exploitation for Client Execution |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Command and Control | B0030 | C2 Communication |
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
REFERENCES:
The following reports contain further technical details:
https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit