Russian hackers exploited a critical Office bug within days of disclosure

One campaign, two infection paths: Zscaler found that exploitation of CVE-2026-21509 did not lead to a single uniform payload. Instead, the initial RTF-based exploit branched into two distinct infection paths, each serving a different operational purpose. The choice of dropper reportedly determined whether the attackers prioritized near-term intelligence collection or longer-term access to compromised systems.

In the first path, the exploit delivered MiniDoor, a lightweight DLL focused on email theft. The malware modified Windows registry settings to weaken Microsoft Outlook security controls, allowing it to quietly collect email data and exfiltrate it to attacker-controlled infrastructure. MiniDoor's design and functionality closely resemble earlier APT28 tooling, in line with the group's established espionage-focused operations.

The second path involved a more elaborate chain that began with PixyNetLoader, which deployed additional payloads and established persistence using techniques such as DLL proxying and COM object hijacking. This loader ultimately installed a Grunt implant from Covenant, a .NET command-and-control (C2) framework, giving the attackers sustained remote access through cloud-hosted C2 infrastructure.

Mitigation efforts: Zscaler recommended that organizations prioritize patching CVE-2026-21509, noting that APT28 exploited the flaw within days of Microsoft releasing fixes. Systems running unpatched versions of Microsoft Office remain exposed to weaponized RTF documents that require little user interaction beyond opening the file, which significantly raises the risk of compromise in email-borne attacks.

For defensive analysis, Zscaler shared GitHub repositories containing, among other things, the Windows scheduled task configuration file and the MiniDoor macro code, illustrating the attack paths used in Operation Neusploit. The disclosure also included a list of indicators of compromise (IOCs) to support detection efforts: file hashes, malicious domains, and URLs. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch (FCEB) agencies until February 16 to patch their systems.
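The article does not describe the internals of the CVE-2026-21509 exploit, so the following added example (written for this page; it is not Zscaler's or CSO Online's code) shows the generic triage a mail-gateway or incident-response analyst runs on a suspicious RTF before anyone opens it in Office: it walks the {\object ...} groups, hex-decodes the {\*\objdata ...} stream and reads the OLE 1.0 object header defined in [MS-OLEDS] to report the embedded class name, and it notes whether \objupdate is set, the control word that makes Office refresh the object as soon as the document is opened. The sample document is constructed inline and is not from the campaign; the "Package" class name and the placeholder payload bytes are assumptions made for the demonstration.

```python
"""Static triage of embedded OLE objects in an RTF document (added example, constructed sample)."""
import re
import struct
from dataclasses import dataclass


@dataclass
class EmbeddedObject:
    declared_class: str  # text of {\*\objclass ...}, "" if absent
    flags: list          # which of \objemb \objlink \objautlink \objupdate appear on the object
    format_id: int       # OLE 1.0 FormatID: 1 = linked object, 2 = embedded object ([MS-OLEDS])
    ole_class: str       # ClassName from the OLE 1.0 ObjectHeader
    native_size: int     # NativeDataSize for embedded objects, 0 otherwise

    @property
    def auto_update(self) -> bool:
        # \objupdate makes Office refresh the object on open, i.e. it is activated
        # with no user action beyond opening the document.
        return "objupdate" in self.flags


_CTRL_WORD = re.compile(r"\\[a-zA-Z]+-?\d*\s?")


def _balanced_group(rtf: str, start: int) -> str:
    """Return the {...} group opening at rtf[start], honouring \\{ \\} \\\\ escapes."""
    depth, i, n = 0, start, len(rtf)
    while i < n:
        c = rtf[i]
        if c == "\\" and i + 1 < n and rtf[i + 1] in "{}\\":
            i += 2  # escaped brace or backslash is not a group delimiter
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
        i += 1
    raise ValueError("unbalanced RTF group")


def _find_groups(rtf: str, control_word: str) -> list:
    """Every balanced group that begins with {\\word or {\\*\\word."""
    pattern = re.compile(r"\{(?:\\\*)?\\" + control_word + r"(?![a-zA-Z])")
    return [_balanced_group(rtf, m.start()) for m in pattern.finditer(rtf)]


def _hex_payload(objdata_group: str) -> bytes:
    body = re.sub(r"^\{\\\*\\objdata", "", objdata_group[:-1])  # drop opener and closing brace
    body = _CTRL_WORD.sub("", body)                              # ignore stray control words
    digits = re.sub(r"[^0-9A-Fa-f]", "", body)
    return bytes.fromhex(digits[: len(digits) & ~1])             # tolerate a truncated nibble


def parse_ole1_header(data: bytes) -> tuple:
    """OLE 1.0 ObjectHeader: OLEVersion, FormatID, ClassName, TopicName, ItemName [, NativeDataSize]."""
    pos = 0

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from("<I", data, pos)
        pos += 4
        return value

    def lp_ansi() -> str:  # LengthPrefixedAnsiString: u32 length (incl. NUL) + bytes
        nonlocal pos
        length = u32()
        raw = data[pos:pos + length]
        pos += length
        return raw.split(b"\x00", 1)[0].decode("latin-1")

    u32()                                       # OLEVersion
    format_id = u32()
    class_name = lp_ansi()
    lp_ansi()                                   # TopicName
    lp_ansi()                                   # ItemName
    native_size = u32() if format_id == 2 else 0
    return format_id, class_name, native_size


def triage_rtf(rtf: str) -> list:
    results = []
    for group in _find_groups(rtf, "object"):
        m = re.search(r"\\objclass\s*([^}]*)", group)
        declared = m.group(1).strip() if m else ""
        flags = [w for w in ("objemb", "objlink", "objautlink", "objupdate")
                 if re.search(r"\\" + w + r"(?![a-zA-Z])", group)]
        format_id, ole_class, native_size = 0, "", 0
        data_groups = _find_groups(group, "objdata")
        if data_groups:
            try:
                format_id, ole_class, native_size = parse_ole1_header(_hex_payload(data_groups[0]))
            except (struct.error, ValueError):
                ole_class = "<unparseable OLE1 header>"
        results.append(EmbeddedObject(declared, flags, format_id, ole_class, native_size))
    return results


def needs_review(obj: EmbeddedObject) -> bool:
    # Triage rule used here: refresh-on-open, or a Package object (wraps an arbitrary file), gets a human look.
    return obj.auto_update or obj.ole_class.lower() == "package"


def _lp_ansi(s: bytes) -> bytes:
    return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)


def build_sample_rtf() -> str:
    """Constructed test document: an embedded Package object with \\objupdate set. Not a real sample."""
    native = b"MZ" + b"\x00" * 30  # placeholder bytes, not executable content
    ole1 = (struct.pack("<II", 0x00000501, 2) + _lp_ansi(b"Package") + _lp_ansi(b"") + _lp_ansi(b"")
            + struct.pack("<I", len(native)) + native)
    return (r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}" "\n"
            r"\pard Quarterly figures are in the attached object.\par" "\n"
            r"{\object\objemb\objupdate\objw1440\objh720{\*\objclass Package}"
            r"{\*\objdata " + ole1.hex() + r"}{\result{\pict\wmetafile8 0100}}}" "\n"
            r"\par}")


if __name__ == "__main__":
    for obj in triage_rtf(build_sample_rtf()):
        tag = "REVIEW" if needs_review(obj) else "info"
        print(f"[{tag}] declared={obj.declared_class!r} ole_class={obj.ole_class!r} "
              f"format_id={obj.format_id} native_bytes={obj.native_size} flags={obj.flags}")
```

Run it against a real file with `triage_rtf(open(path, encoding="latin-1").read())`; the header parser only reads the object header, so it never executes or unpacks the native data, and an object whose header does not parse is reported rather than skipped, since a malformed OLE stream is itself worth a look.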
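Zscaler's repository is said to hold the scheduled task configuration file used for persistence, but the page does not reproduce it. As an added example (not the repository's file or code), here is a small audit over a Task Scheduler XML definition that lists the triggers and Exec actions and flags the patterns a hunter checks in such a file: a logon trigger, a task marked Hidden, an elevated run level, and a DLL or script host such as rundll32.exe pointed at a user-writable path. Both XML documents below are constructed for the example; the author string, file names and paths in them are invented.

```python
"""Audit a Windows Task Scheduler XML definition for persistence red flags (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Hosts that execute a DLL or script named in their arguments rather than code of their own.
DLL_SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Locations a standard user can normally write to; task code living here deserves a look.
USER_WRITABLE = re.compile(
    r"%(?:appdata|localappdata|temp|tmp|userprofile|public)%|\\users\\|\\programdata\\", re.I)


def _exe_name(command: str) -> str:
    return command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_task_xml(xml_doc) -> dict:
    """xml_doc: a str, or the raw bytes of a `schtasks /query /xml` export (UTF-16 with BOM; expat decodes it)."""
    root = ET.fromstring(xml_doc)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    triggers_el = root.find("t:Triggers", NS)
    triggers = [c.tag.split("}")[-1] for c in (list(triggers_el) if triggers_el is not None else [])]
    actions, findings = [], []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append({"command": cmd, "arguments": args})
        exe = _exe_name(cmd)
        if exe in DLL_SCRIPT_HOSTS:
            findings.append(f"{exe} executes code named in its arguments: {args}")
        for field in (cmd, args):
            if USER_WRITABLE.search(field):
                findings.append(f"user-writable path referenced: {field}")
    if "LogonTrigger" in triggers:
        findings.append("LogonTrigger: task runs at every logon")
    if text("t:Settings/t:Hidden").lower() == "true":
        findings.append("task is marked Hidden in Task Scheduler")
    if text("t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("requests HighestAvailable run level")
    return {"author": text("t:RegistrationInfo/t:Author"), "triggers": triggers,
            "actions": actions, "findings": findings}


# Constructed sample shaped like an attacker's persistence task (invented names and paths).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>constructed-sample</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>%APPDATA%\Microsoft\Office\update.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample of an ordinary vendor updater task, for contrast.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>constructed-sample</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2000-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\Example Vendor\updater.exe"</Command>
    <Arguments>/quiet</Arguments></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        report = audit_task_xml(doc)
        print(f"{name}: triggers={report['triggers']} actions={report['actions']}")
        for finding in report["findings"] or ["no findings"]:
            print(f"  - {finding}")
```

On a live host the same function can be pointed at every file under C:\Windows\System32\Tasks (those are the registered task definitions, stored as UTF-16 XML), which is a quicker sweep than clicking through the Task Scheduler UI, where a Hidden task is not shown by default.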

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4127181/russian-hackers-exploited-a-critical-office-bug-within-days-of-disclosure.html
