Feb 03, 2026 · 5 min read
Russian Military Hackers Exploit Microsoft Office Zero-Day to Target Ukrainian Government
The GRU-linked hacking group APT28 is actively exploiting CVE-2026-21509 against Ukrainian government entities and European organizations, deploying the COVENANT malware framework.
Russian military hackers are actively exploiting a recently patched Microsoft Office vulnerability to target Ukrainian government agencies and European organizations. The attacks, attributed to APT28 (also known as Fancy Bear), use malicious emails impersonating Ukrainian government services to deliver sophisticated malware.
The vulnerability, tracked as CVE-2026-21509, was classified as an actively exploited zero-day on January 26, 2026. While Microsoft has released patches, the attacks continue against organizations that have not yet updated their systems.
If your organization uses Microsoft Office, you should update immediately.
Who Is APT28?
APT28 is one of the most sophisticated and persistent threat actors in the world. The group operates under Russia's General Staff Main Intelligence Directorate (GRU), the military intelligence agency of the Russian Federation.
The group has been active since at least 2004 and is responsible for some of the highest-profile cyberattacks in history, including the 2016 Democratic National Committee hack, the 2015 German Bundestag attack, and numerous operations against NATO member states.
Their focus on Ukrainian targets has intensified since 2022, with continuous campaigns against government agencies, critical infrastructure, and military organizations.
How the Attack Works
The campaign begins with phishing emails designed to appear legitimate. Initial attacks used emails impersonating the Ukrainian Hydrometeorological Center, sent to over 60 government-related addresses. The emails contain malicious attachments that exploit the Office vulnerability.
When a victim opens the malicious document, the attack proceeds through several stages:
- A WebDAV-based download chain initiates, fetching additional malicious components
- A malicious DLL file (EhStoreShell.dll) is installed through COM hijacking
- Shellcode embedded in an image file executes on the system
- A scheduled task restarts explorer.exe to load the malicious components
- The COVENANT malware framework establishes persistent access
The attack uses Filen cloud storage service for command and control communications, allowing malicious traffic to blend with legitimate cloud service usage.
The COVENANT Framework
COVENANT is a malware loader framework that APT28 has used in previous operations. Once installed, it provides attackers with persistent access to compromised systems and the ability to deploy additional malicious tools.
Past campaigns using COVENANT have delivered BeardShell and SlimAgent malware, which provide capabilities for data exfiltration, credential theft, and lateral movement within compromised networks.
The framework's modular design means attackers can adapt their tools based on what they find in each target environment, making the full scope of the threat difficult to assess.
Expanding Target List
While Ukrainian government entities remain the primary targets, CERT-UA reports indicate the campaign has expanded to target EU-based organizations. European government agencies, think tanks, and organizations involved in Ukraine-related policy work face elevated risk.
The expansion beyond Ukrainian targets follows APT28's established pattern of targeting organizations that support Ukraine or oppose Russian interests. Previous campaigns have targeted defense contractors, diplomatic missions, and media organizations across Europe and North America.
Journalists, activists, and researchers covering the conflict should be particularly vigilant about unexpected emails containing Office attachments.
How to Protect Yourself
Microsoft has released security updates that address CVE-2026-21509. Organizations should immediately apply patches for:
- Office 2016
- Office 2019
- Office LTSC 2021
- Office LTSC 2024
- Microsoft 365 Apps
For systems where immediate patching is not possible, Microsoft's Protected View provides defense by blocking untrusted Office files from executing active content. Ensure Protected View is enabled and instruct users not to bypass its warnings.
Additional defensive measures include blocking connections to Filen cloud storage at the network level if your organization does not use the service, and implementing strict email filtering for Office attachments from external senders.
Indicators of Compromise
Organizations should monitor for the presence of the malicious DLL file EhStoreShell.dll, unexpected scheduled tasks that restart explorer.exe, and network connections to Filen cloud storage (filen.io) from systems that should not be using the service.
Security teams should also review recent phishing emails claiming to be from Ukrainian government services, particularly those with Office document attachments.
CERT-UA continues to publish updated indicators of compromise as the campaign evolves. Organizations in potentially targeted sectors should subscribe to their alerts for the most current threat intelligence.
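As an added illustration of hunting for the indicators listed in this section and the attack stages described earlier (this is not code from the article or from CERT-UA), the following Python routine runs the three host-level checks over a handful of constructed, simplified Sysmon-style event records. The field names, the sample file paths and task commands, and the allow-list mechanism for hosts legitimately using Filen are assumptions made for the example.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
# ws01 shows all three indicators from the article; ws02 is benign activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "image_load", "process": "explorer.exe",
     "image": r"C:\Users\user\AppData\Roaming\EhStoreShell.dll"},
    {"host": "ws01", "type": "task_create", "task": "Updater",
     "command": "cmd.exe /c taskkill /f /im explorer.exe & start explorer.exe"},
    {"host": "ws01", "type": "network", "process": "explorer.exe",
     "dest_host": "api.filen.io", "dest_port": 443},
    {"host": "ws02", "type": "image_load", "process": "winword.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"host": "ws02", "type": "network", "process": "msedge.exe",
     "dest_host": "www.microsoft.com", "dest_port": 443},
]

# Match filen.io and any subdomain, but not lookalikes such as "notfilen.io".
FILEN_DOMAIN = re.compile(r"(^|\.)filen\.io$", re.IGNORECASE)
DLL_NAME = "ehstoreshell.dll"   # the COM-hijacked DLL named in the article


def match_event(ev):
    """Return an indicator label if the event matches one of the article's IoCs, else None."""
    kind = ev.get("type")
    if kind == "image_load" and ev.get("image", "").lower().endswith(DLL_NAME):
        return "suspicious_dll_load"
    if kind == "task_create" and "explorer.exe" in ev.get("command", "").lower():
        return "scheduled_task_restarts_explorer"
    if kind == "network" and FILEN_DOMAIN.search(ev.get("dest_host", "")):
        return "filen_c2_connection"
    return None


def hunt(events, filen_allowed_hosts=frozenset()):
    """Group indicator hits per host; hosts approved to use Filen are not flagged for that one."""
    findings = {}
    for ev in events:
        label = match_event(ev)
        if label is None:
            continue
        if label == "filen_c2_connection" and ev["host"] in filen_allowed_hosts:
            continue
        findings.setdefault(ev["host"], []).append(label)
    return findings


def triage(findings, min_indicators=2):
    """Hosts with several distinct indicators warrant escalation ahead of single hits."""
    return sorted(h for h, labels in findings.items() if len(set(labels)) >= min_indicators)
```

Run as `hunt(SAMPLE_EVENTS)` followed by `triage(...)` to see ws01 escalated while ws02 stays clean; in production, feed exported Sysmon or EDR events into the same shape.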
State-Sponsored Threats Require State-Level Defenses
APT28's continued exploitation of zero-day vulnerabilities demonstrates that state-sponsored threat actors have resources and capabilities that far exceed those of typical cybercriminal groups. They can discover and weaponize vulnerabilities before patches are available, and they have the patience to maintain long-term operations against high-value targets.
For organizations that might be targeted by nation-state actors, standard security practices are necessary but not sufficient. Defense-in-depth strategies, network segmentation, and robust monitoring become essential when facing adversaries of this caliber.
The current campaign serves as a reminder that geopolitical conflicts now routinely include cyber dimensions. Organizations connected to sensitive policy areas, journalism, or activism face threats from sophisticated state actors who see cyberattacks as a legitimate tool of statecraft.