
Russian-state hackers wasted no time in exploiting a critical Microsoft Office vulnerability that allowed them to compromise devices inside diplomatic, maritime and transportation organizations in more than half a dozen countries, researchers said Wednesday.
The threat group, tracked under names including APT28, Fancy Bear, Sednit, Forest Blizzard and Sofacy, pounced on the vulnerability, tracked as CVE-2026-21509, less than 48 hours after Microsoft released an urgent, unscheduled security update late last month, researchers said. After reverse-engineering the patch, group members wrote an advanced exploit that installed one of two never-before-seen backdoors.
Stealth, speed, and accuracy
The entire campaign was designed to make the compromise invisible to endpoint security. In addition to being novel, the exploits and payloads were encrypted and ran in memory, making their maliciousness difficult to detect. The initial infection vector was email sent from previously compromised government accounts in several countries, senders that were likely familiar to the targeted recipients. Command-and-control channels were hosted in legitimate cloud services that are usually allow-listed inside sensitive networks.
“The use of CVE-2026-21509 demonstrates how quickly state-aligned actors can weaponize new vulnerabilities, reducing the ability for defenders to patch critical systems,” researchers at security firm Trellix wrote. “The campaign’s modular infection chain – from initial phish to in-memory backdoor to secondary implant – was carefully designed to leverage trusted channels (HTTPS to cloud services, legitimate email flows) and fileless technologies to hide in plain sight.”
The 72-hour spear-phishing campaign began on January 28 and targeted organizations in nine countries, primarily in Eastern Europe, with at least 29 different emails. Trellix named eight of them: Poland, Slovenia, Türkiye, Greece, the United Arab Emirates, Ukraine, Romania and Bolivia. The targeted organizations were ministries of defense (40 percent), transportation/logistics operators (35 percent), and diplomatic institutions (25 percent).