- Russian APT28 (Fancy Bear) exploited CVE-2026-21509 in Microsoft Office days after patch release
- Malicious DOC files sent to Ukrainian government agencies via thematic phishing lures
- CISA added the flaw to its KEV catalog, calling for an immediate fix
Russian hackers attacked Ukrainian government agencies using a high-severity vulnerability in Microsoft Office just days after Microsoft released a patch for it.
On January 26, 2026, Microsoft released an emergency patch for CVE-2026-21509, a "dependency on untrusted input in a security decision" vulnerability that allows an unauthorized attacker to bypass Microsoft Office security features locally. The bug received a severity score of 7.6/10 (high) and is believed to have already been abused in the wild as a zero-day.
Just three days later, Ukraine’s Computer Emergency Response Team (CERT-UA) said it saw cybercriminals sending dozens of malicious DOC files to government-linked addresses that exploited the flaw. Some were themed around EU COREPER consultations, while others spoofed the country’s Hydrometeorological Center.
How to defend against APT28
CERT-UA attributes the attack to APT28, a Russian state-sponsored threat actor also known as Fancy Bear or Sofacy. The group is linked to the General Directorate of Intelligence (GRU) of the country's General Staff.
The researchers based their attribution on analysis of the malware loader used in these attacks. It appears to be the same loader used in a June 2025 campaign in which Signal chats were used to deliver the BeardShell and SlimAgent malware to Ukrainian government employees, an attack confirmed to have been carried out by APT28.
To defend against attacks, CERT-UA advised government entities (and everyone, basically) to apply the latest patches and update their Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 applications. Office 2021 users were also reminded to restart their applications after updating, to ensure the patches are applied.
The US Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2026-21509 to its catalog of known exploited vulnerabilities (KEV).
Those who cannot install the patches should apply Microsoft's registry-based mitigation instead; Microsoft has published a step-by-step guide for it.
Via BleepingComputer