APT28 Hackers Exploit Newly Patched Microsoft Office Vulnerability to Target Ukrainian and European Government Agencies

Wednesday, February 4, 2026

Ukraine’s CERT-UA has identified a new cyberattack campaign carried out by the APT28 hacking group, also known as Fancy Bear, which is linked to Russia. The attackers targeted government agencies and organizations across Europe by distributing phishing emails containing malicious Microsoft Word attachments. These documents referenced “EU COREPER consultations in Ukraine” and impersonated the Ukrainian Meteorological Center to trick recipients into opening the file.

What makes this campaign particularly concerning is its exploitation of CVE-2026-21509, a zero-day vulnerability in Microsoft Office that Microsoft had only recently patched with an emergency update in late January 2026. Metadata analysis revealed that the malicious document was created just one day after the vulnerability was publicly disclosed, highlighting how quickly the group can weaponize newly discovered flaws against systems that have not yet been updated.

The malware delivery process is highly sophisticated. When the victim opens the document, attackers leverage COM hijacking to execute a malicious DLL and retrieve shellcode hidden inside an image file, ultimately installing a malware framework known as COVENANT. The framework then connects to the cloud service Filen (filen.io), enabling remote control of the compromised device. Security experts strongly advise organizations to immediately update Microsoft Office (versions 2016 through Microsoft 365) to the latest release. If patching is not yet possible, enabling Protected View is recommended as an initial defensive measure.
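For defenders, the two observable behaviors named above (COM hijacking and traffic to filen.io) can be correlated per host. The following is an added triage example, not code from CERT-UA or the source article; the event format, field names and sample records are constructed, and it assumes the hijack is registered under the per-user COM key (`InprocServer32` beneath the user's `Classes\CLSID`), which the article does not specify.

```python
import re

# Per-user COM registration (HKCU\Software\Classes, shown by Sysmon as
# HKU\<SID>_Classes). A value here shadows the machine-wide HKLM entry.
# Assumption: the hijack uses this key; the article does not name it.
PER_USER_COM = re.compile(
    r"^HKU\\S-[0-9-]+(?:_Classes|\\Software\\Classes)"
    r"\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32",
    re.IGNORECASE,
)
C2_DOMAIN = "filen.io"  # cloud service named in the article


def is_com_override(event):
    """True for a registry write under a per-user CLSID InprocServer32 key."""
    return event["type"] == "registry_set" and bool(PER_USER_COM.match(event["target"]))


def is_filen_lookup(event):
    """True for a DNS query to filen.io or a subdomain, not look-alikes."""
    if event["type"] != "dns_query":
        return False
    name = event["query"].lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def triage(events):
    """Map each host to the sorted indicators seen; both together rank highest."""
    hits = {}
    for ev in events:
        if is_com_override(ev):
            hits.setdefault(ev["host"], set()).add("com_override")
        elif is_filen_lookup(ev):
            hits.setdefault(ev["host"], set()).add("filen_dns")
    return {host: sorted(found) for host, found in hits.items()}


# Constructed sample events (simplified, Sysmon-like); not campaign data.
SAMPLE = [
    {"host": "ws-01", "type": "registry_set",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID"
               r"\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)"},
    {"host": "ws-01", "type": "dns_query", "query": "example-sub.filen.io."},
    {"host": "ws-02", "type": "dns_query", "query": "notfilen.io"},
    {"host": "ws-03", "type": "registry_set",
     "target": r"HKLM\SOFTWARE\Classes\CLSID"
               r"\{00000000-0000-0000-0000-000000000002}\InprocServer32\(Default)"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Per-user COM registrations and Filen traffic both occur in legitimate use, so either indicator alone is a lead to review rather than a verdict.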

Source: https://www.bleepingcomputer.com/news/security/russian-hackers-exploit-recently-patched-microsoft-office-bug-in-attacks/