APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 and Cloud C2 Infrastructure

Updated February 9, 2026: This analysis has been updated to clarify malware naming conventions.

This blog is written in collaboration with Trellix See the Trellix blog: APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 and Cloud C2 Infrastructure

Introduction

Russian state-sponsored threat group APT28 (aka Fancy Bear or UAC-0001) has launched a sophisticated espionage campaign targeting European military and government entities, specifically targeting maritime and transport organizations across Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. The attackers weaponized a newly disclosed Microsoft Office 1-day (CVE-2026-21509) within 24 hours of its public revelation, using spear-phishing documents to compromise Ukrainian government agencies and EU institutions [1]. This campaign features a multi-stage infection chain and novel payloads, including a simple initial loader, an Outlook VBA backdoor (NotDoor), and a modified Covenant implant ("CovenantGrunt" [7]). The threat actors abuse legitimate cloud storage (filen.io) as command-and-control (C2) infrastructure, blending malicious traffic with normal user activity.

Infection chain overview

APT28's attack begins with spear-phishing emails containing weaponized documents that exploit CVE-2026-21509, a Microsoft Office security feature bypass vulnerability. This vulnerability was addressed by an urgent, out-of-band security update. When victims open these malicious documents, the exploit triggers automatically without requiring macros or user interaction. The vulnerability allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure.

The initial exploitation downloads a malicious LNK shortcut and first-stage loader DLL, which establishes the foundation for a sophisticated multi-stage infection chain. The loader either extracts an encrypted PNG image file containing shellcode, which it decrypts and executes CovenantGrunt in memory, or drops VbaProject.OTM for NotDoor payload. This shellcode loads a .NET-based payload that performs key exchange operations with cloud storage infrastructure.

The entire chain is designed for resilience and evasion, utilizing encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection to minimize forensic artifacts. This multi-layered approach demonstrates APT28's evolved tradecraft in maintaining persistent access while evading detection across enterprise environments.

Figure 1: Multi-stage infection chain employed by APT28. The exploit in the document leads to a staged malware execution flow, culminating in an in-memory Covenant backdoor beaconing to cloud storage.

Phishing lures and social engineering

The adversary orchestrated a concentrated 72-hour spear-phishing campaign (January 28-30, 2026), delivering at least 29 distinct emails across nine Eastern European nations, primarily targeting defense ministries (40%), transportation/logistics operators (35%), and diplomatic entities (25%). These emails originated from compromised government accounts of multiple countries, including Romania, Bolivia, and Ukraine.

The lures exploited 4 geopolitically-charged narratives: transnational weapons smuggling alerts (45% of emails) impersonating a Central European border security agency warning of "200 RPG-7 rounds in transit from Syria via Ukraine" with fabricated courier identities; “military training program invitations”(25%) spoofing a regional defense university with professional signature blocks and time-sensitive enrollment deadlines; EU/NATO diplomatic consultations (20%) masquerading as high-level parliamentary requests for policy positions on the Ukraine conflict; and meteorological emergency bulletins abusing compromised national weather service infrastructure to disseminate fabricated flood warnings.

Figure 2: Phishing email and decoys

We identified an orthographic inconsistency - alternating usage of "Boarder Police" versus "Border Police" across temporally-clustered messages, consistent with distributed APT taskings where non-native English speakers independently crafted lure variants. All emails carried weaponized RTF/DOC attachments (e.g., BULLETEN_H.doc, Courses.doc, OperInformativ_163.doc) exploiting CVE-2026-21509, with decoy content meticulously replicating authentic government communication aesthetics, which could potentially be based on real, previously stolen documents, including official letterheads, bilingual formatting (Romanian/English, Ukrainian/English), color-coded hazard maps, and ministerial seals/-visual elements designed to exploit institutional trust mechanisms and circumvent user suspicion during the critical file-open decision point.

Exploitation and initial loader (“SimpleLoader”)

The spear-phishing document uses the CVE-2026-21509 exploit to achieve code execution as soon as it is opened. According to Microsoft, CVE-2026-21509 allows an attacker to bypass Office’s OLE security restrictions, exposing unsafe COM controls to execution [6]. In practical terms, APT28’s malicious documents embedded a specially crafted OLE object (for instance, a Shell.Explorer ActiveX control) that automatically retrieves the next-stage payload over HTTP/WebDAV.

Figure 3: RTF Object Linking and Embedding (OLE) Exploitation via Shell.Explorer.1 in the malicious attachment

The downloaded LNK’s execution results in a SimpleLoader DLL loaded.

The infection chain deploys SimpleLoader which utilizes three distinct XOR encryption schemes: simple single-byte XOR (0x43) for mutex generation, alternating-byte XOR with null padding for path strings, and a 76-character rotating XOR key for embedded payload decryption. Upon execution in the steganography loader, the loader establishes a single-instance mutex and initiates its dropper routine, which writes three files to disk: the primary payload (EhStoreShell.dll) to %PROGRAMDATA%\USOPublic\Data\User\, a scheduled task configuration XML to the user's temp directory, and an encrypted-payload PNG file mimicking legitimate OneDrive installation artifacts.

Persistence is achieved through COM object hijacking targeting CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}. The loader creates a scheduled task named "OneDriveHealth" that triggers 60 seconds post-registration, executing a command sequence that terminates explorer.exe, relaunches it (triggering the hijacked COM object load above), and self-deletes the scheduled task. Once loaded into the new explorer.exe process, EhStoreShell.dll establishes C2 communication with filen.io.

The steganography loader (EhStoreShell.dll) executes anti-analysis routines, including a three-second sleep with timing validation (≥2.9s threshold) to detect sandbox time acceleration and process name verification to ensure execution within explorer.exe. The loader decrypts embedded strings using single-byte XOR (key 0x43) and resolves ten Windows APIs through hash-based lookups. Following successful validation, the loader locates and processes `SplashScreen.png` dropped earlier. The malware implements a complete PNG decoder consisting of ten specialized functions handling IHDR header parsing, PLTE palette extraction, IDAT chunk decompression via zlib inflation, Huffman table construction, and Adam7 interlacing, ultimately extracting a.NET loader shellcode concealed within the image's data chunks.

Figure 4: EhStoreShell.dll’s anti-analysis routines

The extracted shellcode functions as a fileless .NET assembly bootstrap mechanism that directly invokes the Common Language Runtime without touching disk. Utilizing Process Environment Block (PEB) traversal to resolve APIs dynamically (bypassing the Import Address Table), the shellcode loads `MSCOREE.DLL` and `OLEAUT32.DLL`, then invokes `CLRCreateInstance` to initialize the .NET runtime within the compromised explorer.exe process.

Post-exploitation payloads: CovenantGrunt with cloud-based C2

Following successful shellcode execution, the infection chain progresses to a staged .NET loader ("Publish"- modified Covenant backdoor) that implements cryptographic handshake protocol with the adversary's command infrastructure: 2048-bit RSA key pair. The operator's C2-monitoring the base folder UUID on filen.io -detects the new victim registration, generates a cryptographically random 32-byte AES-256 session key, encrypts it with the victim's RSA public key, and uploads the encrypted session key back to the victim's dedicated subfolder. Upon receiving this response, the victim decrypts the session key using its private RSA key, then engages in a challenge-response exchange to prove the handshake. Once the handshake completes successfully, the loader downloads the encrypted Covenant Grunt assembly, decrypts it using the newly established session key, and executes it via Assembly.Load() with reflection-based method invocation targeting the [DisplayName("Invite")] attribute, achieving completely fileless execution.

The Covenant Grunt implant was reengineered to utilize filen.io cloud storage. The .NET assembly implements 4 core components: `FilenApi` (complete REST API client for filen.io's gateway, ingest, and egest endpoints across 24 subdomains), `FilenMessenger` (implements the IMessenger interface for polling and uploading encrypted task files), `FilenEncryptor` (provides AES-256-GCM encryption with per-file nonces and HMAC-SHA256 integrity verification), and `GruntExecutor` (task execution engine supporting .NET assembly loading, PowerShell execution, and output streaming through anonymous pipes). The implant encrypts results with AES-256-CBC plus HMAC-SHA256, and uploads them back to the folder where the threat actor retrieves and processes them.

Analysis of the compromised filen.io infrastructure revealed the operational scale of this campaign: confirmed victims distributed across at least two accounts (fiscalizacionycontrol@cordoba.gov.ar and jannet.stillman@outlook.com). Post-exploitation capabilities include system reconnaissance (arp.exe, systeminfo.exe, tracert.exe), process injection into svchost.exe for persistence, and preparation for lateral movement,-all executed through dynamically loaded .NET assemblies that leave no disk-based forensic artifacts beyond memory resident code injection.

“NotDoor” Outlook backdoor variant

Infrastructure: APT28’s campaign stands out for its heavy abuse of legitimate cloud services. In this 2026 wave, filen.io – a cloud storage provider – serves as the core C2 channel for the CovenantGrunt implants. All beaconing and tasking occurs via HTTPS requests to filen.io API endpoints, appearing as normal cloud storage traffic. Earlier related operations used Koofr and Icedrive for C2, indicating APT28’s flexibility in swapping out cloud platforms [2].

The VBA macro itself implements email surveillance through dual automatic triggers: `Application_MAPILogonComplete` executes upon Outlook login, while `Application_NewMailEx` activates instantly upon new message arrival for real-time forwarding. The exfiltration logic systematically enumerates 4 folder types (Inbox, Drafts, Junk Mail, RSS Feeds), processing up to 10 messages per folder per execution. For each unprocessed email, the macro invokes the native Outlook object model to save the complete message (headers, body, attachments, metadata) as a `.msg` file to `%TEMP%\temp_email.msg`, creates a new forwarding message with the original attached, and transmits it to two adversary-controlled addresses via standard SMTP. Furthermore, it marks processed emails with a custom "AlreadyForwarded" property to prevent duplicate transmissions, sets `DeleteAfterSubmit = True` to automatically purge forwarded messages from the Sent Items folder. This technique proves particularly effective against organizations with diplomatic or government email systems, where high-privilege accounts receive sensitive policy documents, classified cables, and strategic communications-precisely the intelligence targets consistent with APT28's collection priorities.

Infrastructure and TTPs

Infrastructure: APT28’s campaign stands out for its heavy abuse of legitimate cloud services. In this 2026 wave, filen.io – a cloud storage provider – serves as the core C2 channel for the Covenant/BeardShell implants. All beaconing and tasking occurs via HTTPS requests to filen.io API endpoints, appearing as normal cloud storage traffic. Earlier related operations used Koofr and Icedrive for C2, indicating APT28’s flexibility in swapping out cloud platforms [2].

In terms of delivery, the initial stage relied on compromised or attacker-registered web servers hosting the malicious documents and LNKs. For example, domains like wellnessmedcare[.]org, wellnesscaremed[.]com, freefoodaid[.]com, and longsauce[.]com were used to host and deliver the Office exploits (possibly as part of the WebDAV fetch and as decoy content) – see IoC table below. The threat actors moved quickly, even registering new domains the same day they were used in attacks, reflecting a highly agile operation.

Attribution to APT28

This campaign is attributed to APT28 with high confidence based on technical indicators and victimology. CERT-UA officially attributed the January 2026 attacks to threat actor UAC-0001 [1], which corresponds to APT28 (Fancy Bear), a unit of Russia’s GRU military intelligence. In the past, APT28 swiftly weaponized Office vulnerabilities and was among the first to use them in the wild, demonstrating a capability for 0-day or n-day exploitation that few groups possess at this level.

APT28 has a long history of cyber espionage and influence operations. The tradecraft in this campaign – multi-stage malware, extensive obfuscation, abuse of cloud services, and targeting of email systems for persistence – reflects a well-resourced, advanced adversary consistent with APT28’s profile. The toolset and techniques also align with APT28’s fingerprint. The use of COM hijacking for persistence and macro-enabled Outlook backdoors (NotDoor) are TTPs recently tied to APT28 operations targeting European organizations. The BeardShell malware has been explicitly attributed to APT28 by Ukrainian authorities and security researchers. These implants, along with the Covenant framework, were all found in incidents responded by CERT-UA and partners, linking them to the same adversary. Furthermore, the focus on Ukrainian government and military bodies, as well as NATO-aligned targets, strongly correlates with APT28’s strategic interests over the past decade (especially post-2022 invasion of Ukraine).

Code analysis indicates that this steganography loader exhibits 47 unknown, 10 malicious, and 542 benign components, according to analysis from Threatray. Furthermore, 10 malicious functions align with the reference Beadshell malware loader 88e28107fbf171fdbcf4abbc0c731295549923e82ce19d5b6f6fefa3c9f497c9 previously reported by Sekoia [3].

While attribution in cyberspace can be challenging, in this case the convergence of indicators (including code overlaps, infrastructure reuse, and timing) makes a compelling case that the Russian GRU-linked APT28 is behind the campaign.

Conclusion

APT28’s latest campaign underscores the group’s technical prowess and adaptability. By integrating a fresh Office exploit, multi-layered loaders, cloud-based C2 channels, and even an Outlook backdoor, APT28 continues to expand its arsenal for infiltrating high-value targets. The use of CVE-2026-21509 demonstrates how quickly state-aligned actors can weaponize new vulnerabilities, shrinking the window for defenders to patch critical systems. The campaign’s modular infection chain – from initial phish to in-memory backdoor to secondary implants was carefully designed to leverage trusted channels (HTTPS to cloud services, legitimate email flows) and fileless techniques to hide in plain sight.

Attribution to APT28 is reinforced by the continuity in their tactics: early observations by CERT-UA and others tie these activities back to the same unit behind prior operations like the Signal Messenger lures (BeardShell/Covenant) and the NotDoor Outlook backdoor [4][5]. This consistency provides valuable intelligence on APT28’s evolving toolkit. Organizations are urged to apply the latest Office patches (including the emergency fix for CVE-2026-21509) and implement Microsoft’s recommended registry hardening that blocks this OLE exploit path [6].

Defending against such an advanced threat requires a defense-in-depth approach. User awareness is crucial, as highly convincing lures are in play. The MITRE ATT&CK mapping above can guide threat hunting for specific techniques like COM hijacks and macro abuse. Trellix Email Security and IVX sandbox proactively stopped this zero-day campaign by employing a generic signature that identified the malicious attachment's behavior.

Trellix detection

MITRE ATT&CK techniques mapped

The following table maps key techniques observed in this APT28 campaign to the corresponding MITRE ATT&CK tactics and technique IDs:

Indicators of Compromise (IoCs)

File Hashes – Malicious Documents & Malware

Network Indicators – Domains and IPs

Email-based C2 (NotDoor Exfiltration)

Filen[.]io Cloud Storage Accounts

Malicious URLs (Embedded in RTF Documents)

Host-based Indicators

File Paths (BEARDSHELL Chain)

C:\ProgramData\USOPublic\Data\User\EhStoreShell.dll C:\ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png C:\Users\*\AppData\Local\Temp\Diagnostics\office.xml

File Paths (NotDoor Chain)

%APPDATA%\Microsoft\Outlook\VbaProject.OTM %TEMP%\temp_email.msg

Registry Keys (BEARDSHELL - COM Hijacking Persistence)

HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32

Registry Keys (NotDoor - Outlook Security Bypass)

HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level = 1 HKCU\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot = 1

Mutex Names

adjgfenkbe (SimpleLoader) dvyubgbqfusdv32 (BEARDSHELL)

Scheduled Task

OneDriveHealth (temporary, deleted after COM persistence established)

Process Indicators

rundll32.exe tables(1).dll cmd.exe /c (taskkill /f /IM explorer.exe >nul 2>&1) & (start explorer >nul 2>&1) schtasks.exe /Create /tn "OneDriveHealth"

References:

[1] "Бюлетень небезпеки": UAC-0001 (APT28) здійснює кібератаки у відношенні України та країн ЄС з використанням експлойту CVE-2026-21509 (CERT-UA#19542). https://cert.gov.ua/article/6287250

[2] Кібератаки UAC-0001 (APT28) у відношенні державних органів із застосуванням BEARDSHELL та COVENANT. https://cert.gov.ua/article/6284080

[3] APT28 Operation Phantom Net Voxel - Sekoia.io Blog. https://blog.sekoia.io/apt28-operation-phantom-net-voxel/

[4] NotDoor Insights: A Closer Look at Outlook Macros and More - Splunk. https://www.splunk.com/en_us/blog/security/notdoor-insights-a-closer-look-at-outlook-macros-and-more.html

[5] Analyzing NotDoor: Inside APT28’s Expanding Arsenal. https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/

[6] Microsoft Office Security Feature Bypass Vulnerability CVE-2026-21509. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509

[7] APT28 Leverages CVE-2026-21509 in Operation Neusploit https://www.zscaler.com/fr/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit