Russian state-sponsored actors known as APT28 have initiated a sophisticated cyber espionage campaign targeting high-value government and military entities across Europe. <\/p>\n
The primary targets include maritime and transport organizations in nations such as Poland, Ukraine, and Turkey. The attackers are actively exploiting a critical vulnerability in Microsoft Office, tracked as CVE-2026-21509. <\/p>\n
This security flaw allows threat actors to bypass established protections and execute malicious code on compromised systems with alarming ease.<\/p>\n
The assault commences with highly targeted spear-phishing emails<\/a> crafted to mimic urgent official correspondence. <\/p>\n These deceptive messages employ geopolitical lures, such as alerts regarding weapons smuggling or invitations to military training programs, to trick recipients. <\/p>\n When a victim opens the weaponized document, the exploit triggers automatically without requiring any interaction, such as enabling macros. <\/p>\n This \u201czero-click\u201d capability renders the attack particularly potent against defense ministries and diplomatic institutions.<\/p>\n Trellix analysts identified<\/a> this malicious activity and highlighted the adversary\u2019s speed, noting they weaponized the flaw within twenty-four hours of its public disclosure. <\/p>\n The attack documents utilize specially crafted embedded objects that leverage the WebDAV protocol to retrieve external payloads from attacker-controlled infrastructure. <\/p>\n This method effectively circumvents standard network defenses by disguising malicious traffic as legitimate web requests, allowing the intruders to establish a foothold undetected.<\/p>\n Upon successful exploitation, the hackers deploy a diverse arsenal of custom malware<\/a> to secure their position. <\/p>\n The primary payloads include a C++ implant dubbed \u201cBeardShell\u201d and a specialized Outlook backdoor named \u201cNotDoor.\u201d <\/p>\n These sophisticated tools enable the attackers to maintain persistent access, steal sensitive intelligence, and move laterally across the victim\u2019s network. <\/p>\n The campaign\u2019s reliance on legitimate cloud services for command and control further complicates detection efforts.<\/p>\n The infection chain is meticulously engineered for resilience and stealth, employing multiple layers of obfuscation to bypass security controls. <\/p>\n Following the initial breach, a loader retrieves an encrypted image file containing hidden shellcode. This payload executes the BeardShell backdoor directly in the system\u2019s memory, avoiding disk-based artifacts that traditional antivirus solutions might flag. <\/p>\n The malware also includes anti-analysis routines, such as timing checks, to determine if it is running in a security sandbox<\/a>.<\/p>\n Furthermore, the attackers abuse the legitimate cloud storage service filen.io to manage their command and control communications. <\/p>\n By encrypting traffic and routing it through this trusted platform, they effectively blend malicious directives with normal user data. <\/p>\n To mitigate these threats, organizations are strongly advised to apply emergency Office patches immediately and restrict the WebDAV protocol. Implementing strict email filtering<\/a> rules can also help block the initial delivery vectors.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post APT28 Hackers Exploiting Microsoft Office Vulnerability to Compromise Government Agencies<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Multi-stage](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhaGy2xlBzRwysI_5fWZ6JRtywZZWAfNTNShzvV8F2iVdJrPU8ISQLWmbBYyH1mB2-xa0Jh4ByvyJAEkTSJSIy3kjWg_iDnCmcOi9DPUaopXc0osF4iSoihsEW_Qq11vLUI2C3yhqlA7MuO8OqI3Mn-JSnNEkyMpdAVzGHko2bpboHRcwuxV03qleb37Jc\/s16000\/Multi-stage%2520infection%2520chain%2520employed%2520by%2520APT28%2520%28Source%2520-%2520Trellix%29.webp?ssl=1\")
![\"Phishing](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjUvqbbwPpKPkjKaTq_M58GLbgu8AaVtXcsiE5Nn7Qa2ioZYyHVkpbO1nRUCVTUQZn_l6BgaNq8VlWTQaP-WsKzH1nOVXB83zmmNKsGIHuoMlzPuzVsH7EQDdIvDBa5JPZuvVw4yBhy1Y7bIAndq-lQG9f8qVNGhp3Ca3xgWg5Xi5FmL1xqdrPMmaHnqFU\/s16000\/Phishing%2520email%2520and%2520decoys%2520%28Source%2520-%2520Trellix%29.webp?ssl=1\")
Deep Dive: Evasion and Persistence Mechanisms<\/strong><\/h2>\n