Russian-state hackers exploit Office vulnerability to infect computers


A group of hackers linked to the Russian state swiftly took advantage of a significant vulnerability in Microsoft Office, compromising systems in the diplomatic, maritime, and transport sectors across numerous countries, according to researchers. The group, known variously as APT28, Fancy Bear, and Sofacy, exploited the vulnerability tracked as CVE-2026-21509 within 48 hours of Microsoft issuing an urgent security update last month. After analyzing the patch, the group developed a sophisticated exploit that deployed one of two new backdoor implants designed to evade endpoint security solutions.

The operation was meticulously crafted to remain undetectable. The payloads were encrypted and executed solely in memory, which made the malicious activity particularly difficult to identify. The initial breach stemmed from previously compromised government accounts, which were likely familiar to the targets who received the phishing emails. The command-and-control infrastructure was hosted on legitimate cloud services that are often permitted within sensitive networks.

Researchers from the security firm Trellix noted that the incident underscores how rapidly state-affiliated actors weaponize new vulnerabilities, significantly narrowing the window in which defenders can secure critical systems. They wrote, “The campaign’s modular infection chain—from initial phishing to in-memory backdoor installation—was carefully engineered to exploit trusted channels like HTTPS and legitimate email communications.”

The spear-phishing campaign, which began on January 28 and spanned 72 hours, used at least 29 different email lures targeting organizations in nine countries, primarily in Eastern Europe. The countries named by Trellix include Poland, Slovenia, Turkey, Greece, the UAE, Ukraine, Romania, and Bolivia. The targeted organizations comprised 40% defense ministries, 35% transportation and logistics firms, and 25% diplomatic entities.

Source: Ars Technica

Published On : Feb 04, 2026, 23:10
