Race Against the Clock: Russian Hackers Exploit Microsoft Office Flaw in Stealthy Espionage Blitz
Subtitle: Within hours of Microsoft’s disclosure, elite threat actors weaponized a zero-day vulnerability to breach Ukrainian and EU government networks.
Before most IT teams could even digest Microsoft’s latest vulnerability warning, a notorious Russian-linked hacking group had already turned the flaw into a weapon. In a chilling example of cyber warfare’s speed and sophistication, government agencies across Ukraine and the European Union found themselves targeted by expertly crafted malware - delivered through the very Office documents many rely on daily.
Fast Facts
- Zero-day vulnerability CVE-2026-21509 in Microsoft Office was being exploited in the wild within a day of Microsoft's public disclosure, before most organizations had patched.
- Attack attributed to APT28 (UAC-0001), a group linked to Russian military intelligence.
- Weaponized documents sent to Ukrainian government and EU institutions via phishing emails.
- Malware payloads use legitimate cloud storage and advanced persistence techniques to evade detection.
- Microsoft and security agencies urge immediate mitigations and heightened monitoring.
Inside the Attack: How Hackers Turned Disclosure into Disaster
On January 26, 2026, Microsoft published details of a critical flaw affecting multiple Office products. By the next morning, attackers had weaponized the vulnerability, crafting malicious DOC files that exploited the weakness to run attacker code on targeted systems. The infamous APT28 group - known for its ties to Russian military intelligence - spearheaded the campaign, focusing on Ukrainian central government bodies and select EU institutions.
The attack's technical finesse is striking. When a victim opened the booby-trapped document, their system silently connected to attacker-controlled servers over WebDAV - a protocol Windows can reach through ordinary UNC paths, so the document could pull remote content without first dropping a downloader. That connection delivered a Windows shortcut (LNK) file disguised as a document, which in turn fetched a cascade of malicious payloads. Among them: a DLL camouflaged as a legitimate Windows library, and even an image file hiding executable shellcode.
Persistence was ensured in two ways: by COM hijacking - registering the malicious DLL under the per-user registry entry for a COM class that Windows Explorer loads - and by creating a scheduled task named "OneDriveHealth." As a result, the malware would reload every time Windows Explorer restarted, keeping the attackers' foothold intact. To further complicate detection, the hackers used FileCloud infrastructure for staging, blending their traffic with legitimate cloud file-sharing operations and evading many standard defenses.
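A hunting script for the two persistence mechanisms described above, added here as an example; it is not code from the article, from CERT-UA or from Microsoft. It assumes a Windows host with the ScheduledTasks module (present on Windows 8/Server 2012 and later). The article names the scheduled task "OneDriveHealth" but not the hijacked COM class, so the COM check is generic: it flags any per-user CLSID whose InprocServer32 points to a DLL outside the Windows and Program Files trees, the places a vendor-registered COM server would normally live. The "trusted roots" list is an assumption for illustration, not a Microsoft recommendation.

```powershell
# Added example: hunt for the "OneDriveHealth" scheduled task and for per-user COM hijacks.
# Not from the article; assumptions are marked in comments.

$findings = @()

# 1. Scheduled task named OneDriveHealth (task name taken from the article).
$task = Get-ScheduledTask -TaskName 'OneDriveHealth' -ErrorAction SilentlyContinue
if ($task) {
    foreach ($action in $task.Actions) {
        $findings += [pscustomobject]@{
            Type   = 'ScheduledTask'
            Where  = "$($task.TaskPath)$($task.TaskName)"
            Detail = "$($action.Execute) $($action.Arguments)"
        }
    }
}

# 2. Per-user COM hijacks. HKCU\Software\Classes\CLSID is consulted before HKLM, so an
#    attacker who writes an InprocServer32 value there gets their DLL loaded by any
#    process (explorer.exe included) that instantiates that class.
#    Assumption: a DLL under these roots is treated as expected; anything else is flagged.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$clsidRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
if (Test-Path $clsidRoot) {
    Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { return }
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { return }
        # Expand %LOCALAPPDATA% and friends, strip quotes, then compare against trusted roots.
        $expanded = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        if (-not $trusted) {
            $findings += [pscustomobject]@{
                Type   = 'COMHijack'
                Where  = $_.PSChildName
                Detail = $expanded
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No OneDriveHealth task and no per-user CLSID pointing outside trusted roots.' }
```

Run it in the context of each interactive user, since the COM entries live in that user's HKCU hive. Expect some benign hits: per-user installs such as OneDrive or Teams legitimately register classes under HKCU with DLLs in %LOCALAPPDATA%, so each flagged entry still needs triage against the DLL's signature and install history; the value of the check is that a hijack of a class Explorer loads cannot hide from it.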
The campaign’s speed was as alarming as its sophistication. Within 72 hours of Microsoft’s advisory, security teams at CERT-UA were already uncovering the first weaponized files, including “Consultation_Topics_Ukraine(Final).doc” and phishing emails masquerading as weather bulletins. Infrastructure analysis revealed that new domains were registered and operational on the very day they were needed for attacks.
With over 60 Ukrainian government email accounts targeted and additional attacks against EU entities, the operation highlights how quickly threat actors can pivot from vulnerability disclosure to active exploitation - often before patches can be widely deployed.
Response and Reflection
Authorities urge organizations to implement Microsoft's registry-based mitigations, update Office installations, and monitor for suspicious network activity - especially outbound WebDAV connections and traffic to cloud file-sharing services like FileCloud. The incident is a stark reminder: in today's cyber landscape, the window between vulnerability disclosure and exploitation is shrinking to hours, not days. Vigilance, speed, and layered defenses are now non-negotiable for anyone in the crosshairs of advanced threat actors.
WIKICROOK
- Zero-day: A zero-day vulnerability is a security flaw that attackers exploit before the software maker has shipped a fix, or before defenders have had time to apply one, which makes it highly valuable and dangerous.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- DLL (Dynamic Link Library): A DLL is a Windows file containing shared code that programs load at run time. Attackers plant malicious DLLs where a legitimate program will load them, so their code runs inside a trusted process.
- COM hijacking: COM hijacking is when attackers alter the Windows registry entries for a COM class so that legitimate programs, such as Windows Explorer, load the attackers' DLL instead of the real component.
- Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.