The hacker group APT28, linked to Russian military intelligence, has begun exploiting a recently discovered vulnerability in Microsoft Office to carry out cyberattacks on government agencies in Ukraine and European Union countries, according to The Record.
Ukraine’s Computer Emergency Response Team (CERT-UA) reported that the attackers, also known as Fancy Bear, BlueDelta, and Forest Blizzard, began exploiting the security flaw CVE-2026-21509 almost immediately after Microsoft disclosed it in early January. The hackers targeted more than 60 email addresses, most of which belong to government agencies.
During the ongoing campaign, researchers identified malicious Microsoft Office documents disguised as official communications from the Ukrainian Hydrometeorological Center. Opening these files installed the Covenant malware. While Covenant was originally designed for legitimate security testing, hackers increasingly use it for criminal purposes. Cybersecurity firm Zscaler confirmed that attacks have been recorded not only in Ukraine but also in Slovakia and Romania. To deceive government employees, phishing messages were prepared in both English and local languages.
Experts identified two main attack chains:
- Exploiting the vulnerability to install MiniDoor, which collects victims’ email addresses and sends them to the attackers’ servers.
- Installing the PixyNetLoader dropper, which ultimately deploys the Covenant implant into the system.
APT28 has been active for over twenty years and has significantly stepped up operations since Russia’s full-scale invasion of Ukraine. German authorities previously accused the group of attacking the national air traffic management company, and in May of last year, the hackers targeted mail servers of defense ministries in Eastern Europe.
Although Microsoft released a patch to fix the vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already listed it among the most frequently exploited vulnerabilities. CERT-UA experts warn that cyberattack intensity will continue to increase if users and organizations delay applying the necessary security updates. Timely system updates remain the only reliable way to protect against Russian state-sponsored hackers on the digital front.
