Russian-linked hacking group Fancy Bear (APT28) has reportedly exploited a recently disclosed vulnerability in Microsoft Office to conduct cyber-attacks against Ukrainian and EU organizations.
The warning was published on February 2 by the Computer Emergency Response Team of Ukraine (CERT-UA), the country’s national cyber threat intelligence unit.
CVE-2026-21509 Exploited Before Disclosure
Specifically, CERT-UA reported finding a Word .doc file named ‘Consultation_Topics_Ukraine(Final).doc’ on January 29. The file contained an exploit for CVE-2026-21509, a high-severity vulnerability (CVSS 3.1 score of 7.8) affecting Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024 and Microsoft 365 Apps for Enterprise.
Disclosed by Microsoft on January 26, the flaw is classed as reliance on untrusted inputs in a security decision in Microsoft Office.
When exploited, it lets an attacker bypass the object linking and embedding (OLE) mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable component object model (COM) and OLE controls.
Microsoft confirmed in its security advisory that it had detected evidence of exploitation in the wild. The tech firm urged customers running Microsoft Office 2016 and 2019 to ensure the update is installed to be protected.
Customers running Office 2021 and later will be automatically protected via a service-side change but will be required to restart their Office applications for this to take effect.
“Given the likely delay (or inability) of users to update Microsoft Office or apply recommended security measures, the number of cyber-attacks exploiting this vulnerability is expected to increase,” the CERT-UA report noted.
Fancy Bear’s CVE-2026-21509 Exploit Chain
The .doc file identified by CERT-UA was related to consultations of the Committee of Permanent Representatives (COREPER) of the EU regarding the situation in Ukraine.
Metadata indicated that the file was created on the morning of January 27, the day after Microsoft’s disclosure.
On the same day, CERT-UA said it received reports from partners about emails purportedly coming from the Ukrainian Hydrometeorological Center (UkrHMC), containing another file attachment named ‘BULLETEN_H.doc.’
The email was sent to over 60 addresses, primarily belonging to central executive authorities of Ukraine.
Further CERT-UA analysis revealed that opening the document in Microsoft Office triggered a network connection to an external resource over WebDAV, followed by the download of a shortcut (LNK) file containing malicious code that downloads and executes a payload.
Successful execution resulted in the following actions:
- The creation of a DLL file ‘EhStoreShell.dll’ (masquerading as the ‘Enhanced Storage Shell Extension’ library)
- The creation of an image file ‘SplashScreen.png’ containing shellcode
- The modification of the registry path for CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} (implementing COM hijacking)
- The creation of a scheduled task named ‘OneDriveHealth’
Running the scheduled task terminates and restarts the explorer.exe process; on restart, Explorer loads ‘EhStoreShell.dll’ through the hijacked CLSID registration, a technique known as component object model (COM) hijacking.
The DLL then executes the shellcode embedded in the image file, ultimately launching the Covenant framework on the compromised system.
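The artifacts above give defenders something concrete to hunt for. The following PowerShell script is an added example written for this page, not tooling from CERT-UA, Microsoft or the page’s author: it checks a single Windows host for a per-user or altered CLSID registration, the ‘OneDriveHealth’ task, the rogue DLL on disk (with the shellcode carrier beside it) and whether that DLL is currently loaded in explorer.exe. Two things are assumptions, not facts from the report: that the legitimate InprocServer32 value for this CLSID is %SystemRoot%\System32\EhStorShell.dll (verify against a known-clean build of the same Windows version), and the directories searched for the dropped DLL.

```powershell
# Added hunt script for the post-exploitation artifacts CERT-UA describes (example, not vendor tooling).
# Assumptions (verify for your environment): the clean InprocServer32 value for the CLSID is
# %SystemRoot%\System32\EhStorShell.dll, and the rogue DLL is dropped under the user profile
# or ProgramData. Run in the context of the user who opened the document (HKCU is per-user).

$Clsid       = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'
$TaskName    = 'OneDriveHealth'
$RogueDll    = 'EhStoreShell.dll'                               # name reported by CERT-UA
$ExpectedDll = "$env:SystemRoot\System32\EhStorShell.dll"       # assumed legitimate handler (no extra 'e')
$SearchRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData)   # assumed drop locations

$findings = New-Object System.Collections.Generic.List[string]

# 1. COM hijack check. For a medium-integrity process such as explorer.exe, HKCU\Software\Classes
#    is consulted before HKLM, so any InprocServer32 for this CLSID under HKCU is suspicious by itself.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) { continue }
    $raw = (Get-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    $dll = [Environment]::ExpandEnvironmentVariables([string]$raw)
    if ($hive -eq 'HKCU') {
        $findings.Add("HKCU override for CLSID $Clsid -> '$raw'")
    } elseif ($dll -and ($dll -ne $ExpectedDll)) {
        $findings.Add("HKLM InprocServer32 for CLSID $Clsid is not the expected path: '$raw'")
    }
    if ($dll -and (Test-Path $dll)) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Handler DLL $dll has Authenticode status '$($sig.Status)'")
        }
    }
}

# 2. Persistence: the scheduled task that restarts explorer.exe so the hijack takes effect.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings.Add("Scheduled task '$TaskName' present (state: $($task.State)); actions: $actions")
}

# 3. Files on disk: the rogue DLL, and the shellcode carrier SplashScreen.png next to it.
foreach ($root in $SearchRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -Filter $RogueDll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("Rogue DLL on disk: $($_.FullName)")
            $png = Join-Path $_.DirectoryName 'SplashScreen.png'
            if (Test-Path $png) { $findings.Add("Shellcode carrier beside it: $png") }
        }
}

# 4. Is the rogue DLL loaded in explorer.exe right now?
foreach ($proc in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -eq $RogueDll) {
                $findings.Add("explorer.exe (PID $($proc.Id)) has $($m.FileName) loaded")
            }
        }
    } catch { }   # module enumeration can fail across integrity levels; not a finding by itself
}

if ($findings.Count -eq 0) {
    Write-Output "No CVE-2026-21509 post-exploitation artifacts found on $env:COMPUTERNAME."
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Because the HKCU check is per-user, run the script as each interactive user (or load their hives) rather than once as an administrator; a hit in step 1 or 2 should be treated as an incident, whereas step 4 alone may miss a DLL that was unloaded after execution.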
Covenant is a .NET-based command and control (C2) framework designed for offensive cybersecurity and red teaming exercises.
CERT-UA also highlighted that, because this Covenant deployment uses the legitimate cloud storage service Filen for its C2 infrastructure, organizations that believe they could be targeted by Fancy Bear in this way should block, or at least closely monitor, network interactions with nodes of that cloud storage service.
In late January 2026, three additional documents with the same exploit were identified, targeting organizations in EU countries.
CERT-UA urged implementing the mitigation measures outlined in Microsoft’s advisory, particularly regarding Windows registry configurations.
