
In recent days APT28, a well-known Russian state-linked espionage group, has stepped up attacks that exploit a vulnerability in Microsoft Office. The flaw, tracked as CVE-2026-21509, was disclosed by Microsoft only days before the campaign began.
The main targets were users in Ukraine, Slovakia and Romania, approached with seemingly harmless document files.
The bug, rated CVSS 7.8, allows code execution when a victim opens a specially crafted RTF file. The attackers geofenced their delivery infrastructure, serving the malicious payload only to requests whose source IP address was in the target countries, which also keeps the payload away from out-of-region sandboxes and scanners. The phishing emails were written in the local language as well as English, increasing the chance that they would be opened.
The first payload delivered is MiniDoor, a lightweight backdoor written in C++ that collects email from the victim's mailbox folders and sends it to attacker-controlled servers. MiniDoor is a scaled-down version of GONEPOSTAL (also tracked as NotDoor), which has been seen in previous campaigns.
The second component is PixyNetLoader, which establishes persistence through COM hijacking: it registers its own DLL as the server for an existing COM class, so a legitimate process loads the malware whenever it instantiates that object. The loader then downloads further payloads, including a PNG image that carries XOR-encrypted shellcode, which it decrypts and executes. The chain ends with a Grunt implant from the open-source Covenant C2 framework, giving the operators persistent access to the compromised system.
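The PNG-with-shellcode stage above is worth being able to triage by hand. The following Python is an added example, not code from the original report or from Zscaler: it builds a constructed carrier image (a valid 1x1 PNG with a placeholder payload XOR-encrypted and appended after the IEND chunk), then parses the chunk structure the way an analyst would, flagging trailing bytes, unknown chunk types and bad CRCs, and decoding the trailing data with a supplied key. Where the real loader hides the shellcode inside the image and what key it uses are assumptions here; the report does not say.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_carrier_png(payload, key):
    """Constructed carrier for the demo: a valid 1x1 RGB PNG with the
    XOR-encrypted payload appended after IEND. The placement after IEND
    is an assumption, not taken from the report."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    png = (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))
    return png + xor_bytes(payload, key)


def walk_chunks(blob):
    """Parse chunks up to IEND. Returns (chunks, trailing): each chunk is
    (type, data, crc_ok); trailing is whatever follows IEND or a truncated chunk."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            break                                         # truncated: hand the rest back as trailing
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]


def triage_png(blob, key=None):
    """Report what a carrier image gives away: bytes after IEND, chunk types
    outside the common set, and bad CRCs (data patched into an existing chunk).
    If a key is supplied, the trailing bytes are XOR-decoded."""
    chunks, trailing = walk_chunks(blob)
    known = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"pHYs",
             b"sRGB", b"gAMA", b"cHRM", b"iCCP", b"bKGD", b"tIME", b"tRNS", b"sBIT"}
    return {
        "chunk_types": [c[0] for c in chunks],
        "unknown_chunks": [c[0] for c in chunks if c[0] not in known],
        "bad_crc": [c[0] for c in chunks if not c[2]],
        "trailing_bytes": len(trailing),
        "decoded": xor_bytes(trailing, key) if (trailing and key) else None,
    }


# Demo inputs (constructed). The payload is a placeholder, not real shellcode;
# the key is an assumption, since the report does not publish one.
DEMO_KEY = b"\x5a\xa5\x13"
DEMO_PAYLOAD = b"\x90\x90CONSTRUCTED-SHELLCODE-PLACEHOLDER"

if __name__ == "__main__":
    carrier = build_carrier_png(DEMO_PAYLOAD, DEMO_KEY)
    print(triage_png(carrier, DEMO_KEY))
```

Image viewers stop at IEND, so the appended bytes never break the picture; that is exactly why `trailing_bytes` is the first number to look at on any image a loader downloads. If the key is unknown and the shellcode is expected to start with a known prefix, XORing that prefix against the first ciphertext bytes recovers the key for short repeating keys.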
The tooling relies on encryption, DLL proxying (the malicious DLL forwards the real exports to the legitimate library so the host application keeps working) and environment checks designed to defeat sandboxes and automated analysis. In its attack methodology the campaign resembles Operation PhantomNet, which Zscaler documented in September 2025.
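The COM hijacking persistence and the proxied DLL described above leave a registry footprint that can be checked offline. The Python below is an added example, not code from the original report: it parses a `.reg` export of `HKCU\Software\Classes\CLSID` (a constructed sample is embedded; the CLSIDs, user name and paths are made up) and lists every per-user `InprocServer32` registration, marking those whose DLL lives in a user-writable location. The fact it relies on is general: a CLSID registered under HKCU takes precedence over the HKLM registration when the class is resolved for that user, so a per-user entry pointing at a DLL in AppData, ProgramData or a Temp directory is exactly what a hijack looks like.

```python
import re

# Constructed sample of `reg export HKCU\Software\Classes\CLSID` output.
# CLSIDs and paths are made up; a real hijack reuses a CLSID that a commonly
# running process (explorer.exe, Office, etc.) loads.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Pixy\\loader.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\VendorApp\\vendor.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"""

CLSID_SERVER = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE)


def parse_reg_export(reg_text):
    """Yield (key_path, default_value) for every key in a .reg export that sets '@'."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current_key = m.group(1)
            continue
        m = re.match(r'^@="(.*)"$', line)
        if m and current_key is not None:
            # .reg files escape backslashes and double quotes
            value = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
            yield current_key, value


def is_user_writable(path):
    """Heuristic: profile, ProgramData and Temp paths, or anything not absolute."""
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return True   # relative or %VAR% path, resolved at load time
    return any(frag in p for frag in ("\\users\\", "\\programdata\\", "\\temp\\"))


def find_per_user_com_servers(reg_text):
    """Return every HKCU CLSID InprocServer32 registration with a writability flag."""
    findings = []
    for key, dll in parse_reg_export(reg_text):
        if not key.upper().startswith("HKEY_CURRENT_USER\\"):
            continue
        m = CLSID_SERVER.search(key)
        if not m:
            continue
        findings.append({"clsid": m.group(1), "dll": dll,
                         "user_writable": is_user_writable(dll)})
    return findings


if __name__ == "__main__":
    for f in find_per_user_com_servers(SAMPLE_REG_EXPORT):
        print(("HIJACK? " if f["user_writable"] else "review  ") + f["clsid"] + " -> " + f["dll"])
```

Every per-user entry is worth a look, because legitimate software rarely needs to register COM servers under HKCU, but the user-writable ones go to the top of the list. On a live host the same check can be run against `Get-ChildItem HKCU:\Software\Classes\CLSID` instead of an export.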
CERT-UA has confirmed exploitation of CVE-2026-21509 and identified malicious documents emailed to government agencies. Opening the RTF files triggers outbound WebDAV connections to external servers, which deliver the next-stage payloads and reproduce the PixyNetLoader chain.
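The RTF-to-WebDAV behaviour CERT-UA describes is the most detectable step in the chain, because an Office process opening a document should not be followed seconds later by a WebDAV fetch from the internet. The Python below is an added example, not code from CERT-UA or the original report: it correlates Sysmon-style events (a constructed sample is embedded; host paths, times and IPs are made up) by pairing a WINWORD.EXE process-create whose command line names an `.rtf` file with a network connection to a non-internal address on port 80 or 443 within a short window. The source-process filter accepts both `WINWORD.EXE` and `svchost.exe`, since on Windows the WebDAV redirector (the WebClient service) runs inside svchost; that mapping is an assumption about the telemetry, not something the report states.

```python
import ipaddress
import re
from datetime import datetime

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-02-03 09:14:02.110",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invitation.rtf"'},
    {"EventID": 3, "UtcTime": "2026-02-03 09:14:05.480",
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.25", "DestinationPort": 80},
    {"EventID": 1, "UtcTime": "2026-02-03 11:02:10.000",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"'},
    {"EventID": 3, "UtcTime": "2026-02-03 11:02:12.000",
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]

# Explicit internal ranges rather than ipaddress.is_private, which also treats
# the documentation ranges used in this sample (203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def rtf_from_cmdline(cmdline):
    """Return the quoted .rtf path from a command line, or None."""
    m = re.search(r'"([^"]+\.rtf)"', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def correlate_rtf_webdav(events, window_s=60):
    """Pair each RTF open in Word with a later external port-80/443 connection
    from Word or svchost (WebClient) inside window_s seconds."""
    alerts, opens = [], []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        t = parse_time(ev["UtcTime"])
        image = ev["Image"].lower()
        if ev["EventID"] == 1 and image.endswith("winword.exe"):
            doc = rtf_from_cmdline(ev["CommandLine"])
            if doc:
                opens.append((t, doc))
        elif ev["EventID"] == 3 and ev["DestinationPort"] in (80, 443) \
                and not is_internal(ev["DestinationIp"]) \
                and (image.endswith("svchost.exe") or image.endswith("winword.exe")):
            for t0, doc in opens:
                delay = (t - t0).total_seconds()
                if 0 <= delay <= window_s:
                    alerts.append({"document": doc, "process": ev["Image"],
                                   "destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
                                   "delay_s": delay})
    return alerts


if __name__ == "__main__":
    for a in correlate_rtf_webdav(SAMPLE_EVENTS):
        print(a)
```

The `.docx` open in the sample produces no alert, and neither does the internal connection, which is the point of the two filters: the rule fires on the combination, not on Word opening files or svchost talking to the network, both of which happen constantly. On a real estate the window and the svchost match should be tightened with the WebClient service's own logs or the `DestinationHostname` field where Sysmon provides it.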
The strategy shows how APT28's tradecraft has evolved, from VBA macros to DLL droppers and encrypted shellcode. The precise targeting and the regional access controls point to a deliberate, selective operation rather than opportunistic mass attacks.
According to Zscaler ThreatLabz, MiniDoor and PixyNetLoader together form a complete espionage toolset capable of collecting sensitive information continuously.
Attacks like this underline the importance of patching promptly and of treating unsolicited documents, RTF files included, with suspicion. Because the documents fetch their payloads over WebDAV, outbound WebDAV traffic from workstations is also worth monitoring or blocking. Even an innocuous-looking document can conceal advanced cyber espionage tools.
The campaign demonstrates the growing sophistication of APT groups and the need for layered defences. Digital security requires constant vigilance, awareness and up-to-date tooling, because the real risk is no longer a random intrusion but a surgical, targeted attack.
