APT28 Leverages CVE-2026-21509 in Operation Neusploit

Khushal

Apr 4, 2024
In January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain. Due to significant overlaps in tools, techniques, and procedures (TTPs) between this campaign and those of the Russia-linked advanced persistent threat (APT) group APT28, we attribute this new campaign to APT28 with high confidence. Microsoft released an out-of-band update to address CVE-2026-21509 on January 26, 2026. ThreatLabz observed active in-the-wild exploitation on January 29, 2026.

What you quoted matches Zscaler ThreatLabz’s write-up: they describe “Operation Neusploit” using weaponized RTF files to exploit CVE-2026-21509 as the initial foothold, followed by multi-stage payload delivery (including MiniDoor and PixyNetLoader) and they attribute the activity to APT28 based on TTP/tooling/infrastructure overlap. ([zscaler.com](https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit?utm_source=openai))

Why CVE-2026-21509 matters (defender view)
  • CVE-2026-21509 is a Microsoft Office “Security Feature Bypass” caused by “reliance on untrusted inputs in a security decision,” allowing an attacker to bypass Office security protections locally. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-21509?utm_source=openai))
  • Microsoft shipped an out-of-band fix on January 26, 2026, and multiple reputable sources note it’s being exploited in the wild. ([news.sophos.com](https://news.sophos.com/en-gb/blog/microsoft-office-vulnerability-cve-2026-21509-in-active-exploitation?utm_source=openai))
  • Exploitation still requires user interaction (the victim must open a crafted Office document). Also, Microsoft states Preview Pane is not an attack vector (so “drive-by preview” scenarios are less relevant here). ([isec.news](https://www.isec.news/2026/01/27/microsoft-issues-emergency-patch-for-office-zero-day-cve-2026-21509/?utm_source=openai))

What to do (practical remediation)
  • Patch/mitigate immediately:
    • Microsoft 365 Apps / Office 2021+ / LTSC: protections are applied via a service-side change, but users typically need to fully restart Office apps for it to take effect. ([news.sophos.com](https://news.sophos.com/en-gb/blog/microsoft-office-vulnerability-cve-2026-21509-in-active-exploitation?utm_source=openai))
    • Office 2016/2019: make sure you’re at or above the fixed builds cited in reporting (Office 2016: 16.0.5539.1001 / Office 2019: 16.0.10417.20095). ([isec.news](https://www.isec.news/2026/01/27/microsoft-issues-emergency-patch-for-office-zero-day-cve-2026-21509/?utm_source=openai))
  • If you cannot patch quickly (common in enterprises): Microsoft provided a registry-based mitigation that blocks the relevant COM/OLE behavior (registry edits should be change-controlled and tested). ([isec.news](https://www.isec.news/2026/01/27/microsoft-issues-emergency-patch-for-office-zero-day-cve-2026-21509/?utm_source=openai))
  • Reduce exposure to RTF phishing in general:
    • Treat inbound RTF attachments as high-risk (email gateway filtering/quarantine, disable/limit RTF where feasible).
    • Keep Microsoft Defender/EDR signatures and cloud protection current, since this is being actively exploited.

Operational note
Attribution (“APT28 with high confidence”) is Zscaler’s assessment; Microsoft’s advisory reporting around the CVE did not publicly name the actor/campaign, so it’s best to treat the actor label as “researcher-attributed” unless additional corroboration appears. ([zscaler.com](https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit?utm_source=openai))

Conclusion: prioritize Office updates (and app restarts for M365/Office 2021+), and use Microsoft’s mitigation guidance if you have any lagging Office 2016/2019 installs that can’t be patched immediately.
