Russian hackers exploit Microsoft Office vulnerability days after patch

Russian state-sponsored hackers weaponized a newly patched Microsoft Office flaw within days to target organizations in nine countries. The group, known as APT28, used spear-phishing emails to install stealthy backdoors at diplomatic, defense and transport organizations. Security researchers at Trellix attributed the attacks to this cyber espionage unit with high confidence.

On January 28, 2026, a spear-phishing campaign lasting roughly 72 hours began, delivering at least 29 distinct email lures to organizations in nine countries, including Poland, Slovenia, Turkey, Greece, the UAE, Ukraine, Romania and Bolivia. The targets were primarily defense ministries (40 percent), transportation and logistics operators (35 percent) and diplomatic entities (25 percent). The attackers exploited CVE-2026-21509, a Microsoft Office vulnerability that Microsoft had fixed in an urgent, out-of-band update released less than 48 hours before the campaign started. In that window the attackers reverse-engineered the patch and built a working exploit that delivered one of two backdoors: BeardShell or NotDoor.

The campaign was built for stealth and speed. The lure emails were sent from previously compromised government email accounts, so the senders were likely familiar to the recipients. The exploit and its payloads were encrypted and executed only in memory, which reduces the chance that endpoint detection tooling flags them. Command-and-control traffic ran over legitimate cloud services, which sensitive networks often allow-list.

BeardShell provided full system reconnaissance and enabled lateral movement, and it maintained persistence by injecting into Windows svchost.exe processes; it wrote nothing to disk, so the only traces it left were the in-memory artifacts of that injection. NotDoor is an Outlook VBA backdoor that was deployed after Outlook's macro security controls had been disabled. It watched folders such as Inbox, Drafts, Junk Mail and RSS Feeds, bundled the messages it found into .msg files and sent them to attacker-controlled accounts on filen.io. It marked processed messages with a custom 'AlreadyForwarded' property and set the 'DeleteAfterSubmit' flag on the outgoing exfiltration mail so that it never appears in Sent Items, which keeps the activity out of view even in closely watched high-privilege mailboxes.
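As an added example (not code from the article, from Trellix, or from the malware authors), the PowerShell triage script below checks a Windows user profile for the Outlook VBA persistence that an Outlook-macro backdoor such as NotDoor depends on. The article does not say which Outlook settings NotDoor changes, so the file path and registry values inspected here (VbaProject.OTM, LoadMacroProviderOnBoot and Security\Level) are generic, well-known Outlook macro settings chosen for this example, not Trellix's indicators of compromise; the function name Get-OutlookVbaPersistence is likewise an assumption of this example.

```powershell
# Added example, not code from the article or from Trellix. Triage checks for the
# Outlook VBA persistence that an Outlook-macro backdoor such as NotDoor depends on.
# Run it as the user whose profile is being examined (the settings live under HKCU).
# The registry values below are well-known Outlook settings; the article does not
# say which ones NotDoor changes, so these are generic checks, not Trellix's IOCs.

function Get-OutlookVbaPersistence {
    $findings = @()

    # 1. Outlook stores all user VBA code in one file, VbaProject.OTM. On a managed
    #    endpoint where nobody writes Outlook macros, its presence alone is a lead.
    $otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
    if (Test-Path -Path $otm) {
        $item = Get-Item -Path $otm
        $findings += "VbaProject.OTM present: $otm ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }

    # 2. Per-version Outlook settings that auto-load VBA or remove the macro prompt.
    #    16.0 covers Office 2016 onwards and Microsoft 365; 15.0 and 14.0 are older builds.
    #    Both the user hive and the policy hive are checked, since either one applies.
    foreach ($ver in '16.0', '15.0', '14.0') {
        foreach ($root in "HKCU:\Software\Microsoft\Office\$ver\Outlook",
                          "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook") {
            if (-not (Test-Path -Path $root)) { continue }

            # LoadMacroProviderOnBoot = 1 makes Outlook load the VBA project at startup
            # without the user ever opening the VBA editor: the persistence hook.
            $boot = (Get-ItemProperty -Path $root -Name LoadMacroProviderOnBoot -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
            if ($boot -eq 1) { $findings += "$root\LoadMacroProviderOnBoot = 1 (VBA loads at startup)" }

            # Security\Level = 1 is "Enable all macros": macros run with no notification.
            # Any other value leaves at least a prompt in place or blocks macros entirely.
            $sec = Join-Path $root 'Security'
            $level = (Get-ItemProperty -Path $sec -Name Level -ErrorAction SilentlyContinue).Level
            if ($level -eq 1) { $findings += "$sec\Level = 1 (all macros enabled without prompt)" }
        }
    }

    # 3. A running Outlook with a VBA project on disk is worth a memory capture before
    #    any remediation: the macro source sits compressed inside the .OTM file, but
    #    the decompressed project and any in-flight .msg bundles live in the process.
    $outlook = Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue
    if ($outlook -and (Test-Path -Path $otm)) {
        $findings += "Outlook running (PID $($outlook.Id -join ',')) with VbaProject.OTM on disk; capture memory before cleanup"
    }

    # Comma operator keeps an empty result as an array rather than $null.
    return ,$findings
}

$result = Get-OutlookVbaPersistence
if ($result.Count -eq 0) {
    'No Outlook VBA persistence indicators found.'
} else {
    $result | ForEach-Object { "[!] $_" }
}
```

A hit from this script is a lead, not proof: a legitimately deployed corporate macro can set the same values. Treat any VbaProject.OTM on a host that should not have one as evidence to preserve (file, registry export, process memory) before removing it, and compare with the indicators Trellix published rather than relying on these generic checks alone.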

"The use of CVE-2026-21509 demonstrates how quickly state-aligned actors can weaponize new vulnerabilities, shrinking the window for defenders to patch critical systems," Trellix researchers wrote. The firm attributed the operation to APT28—also tracked as Fancy Bear, Sednit, Forest Blizzard, and Sofacy—with high confidence, citing technical indicators, targets, and tradecraft like multi-stage malware and cloud service abuse. Ukraine's CERT-UA linked it to UAC-0001, corresponding to APT28, known for cyber espionage and influence operations.

Trellix provided indicators of compromise for organizations to check for infections.
