Security News APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday

[Parkinsond]

Content source

https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html

The vulnerability in question is CVE-2026-21513 (CVSS score: 8.8), a high-severity security feature bypass affecting the MSHTML Framework.

"Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network," Microsoft noted in its advisory for the flaw. It was fixed by the Windows maker as part of its February 2026 Patch Tuesday update.

In a hypothetical attack scenario, a threat actor could weaponize the vulnerability by persuading a victim to open a malicious HTML file or shortcut (LNK) file delivered through a link or as an email attachment.

Once the crafted file is opened, it manipulates browser and Windows Shell handling, causing the content to be executed by the operating system, Microsoft noted. This, in turn, allows the attacker to bypass security features and potentially achieve code execution.

While the company has not officially shared any details about the zero-day exploitation effort, Akamai said it identified a malicious artifact that was uploaded to VirusTotal on January 30, 2026, and is associated with infrastructure linked to APT28.

APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday

APT28 exploited CVE-2026-21513, an MSHTML zero-day (CVSS 8.8), using malicious LNK files to bypass security controls and execute code.

thehackernews.com

 

[ForgottenSeer 123960]

Executive Summary

Confirmed Facts
Microsoft and Akamai telemetry confirm active, in-the-wild exploitation of CVE-2026-21513, an MSHTML zero-day (CVSS 8.8) utilized by the APT28 threat group to bypass Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC) controls.

Assessment
Because the exploit targets default Windows components (ieframe.dll and Windows Shell), the vulnerability surface applies universally to unpatched Windows endpoints, though the specific initial delivery vector remains unverified in the provided telemetry and is classified as theoretical.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

Execution: T1059
(Command and Scripting Interpreter).

Defense Evasion: T1553.005
(Subvert Trust Controls: Mark-of-the-Web Bypass).

CVE Profile
CVSS Score: 8.8 | CISA KEV Status: Active (Added February 10, 2026).

Telemetry

Hashes
aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa
(SHA-256).

Network Indicators
wellnesscaremed[.]com
(Command and Control / Payload Delivery).

Host Artifacts
The structure resembles a weaponized Windows Shortcut (LNK) file that embeds an HTML payload immediately after the standard LNK header. The exploit leverages nested iframes and multiple DOM contexts; execution is routed through ieframe.dll due to insufficient validation, subsequently invoking ShellExecuteExW to break the browser sandbox.

Origin
Insufficient Evidence.
(Telemetry states LNK-based phishing is expected, but explicitly designates email/link delivery as a "hypothetical attack scenario") .

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate emergency out-of-band patch management protocols to deploy the February 2026 Patch Tuesday cumulative updates across all Windows assets.

DETECT (DE) – Monitoring & Analysis

Command
Implement network blocks and SIEM alerts for DNS/HTTP requests to wellnesscaremed[.]com.

Command
Query EDR for LNK files exhibiting anomalous structural sizes (due to appended HTML payloads) or MSHTML processes invoking ShellExecuteExW with suspicious command-line arguments.

RESPOND (RS) – Mitigation & Containment

Command
Isolate endpoints exhibiting the hash aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa immediately.

Command
Preserve memory state and capture malicious LNK artifacts for forensic analysis.

RECOVER (RC) – Restoration & Trust

Command
Validate that the February 2026 updates are fully applied and reboot cycles are complete before returning isolated assets to the production VLAN.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Restrict execution of LNK files originating from external or low-trust zones via Group Policy or Attack Surface Reduction (ASR) rules.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately. (The Environmental Reality Check confirms MSHTML and Windows Shell are default components on consumer Windows editions, making this a critical local vulnerability.)

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and MFA tokens using a known clean device (e.g., a mobile phone operating on 5G cellular data).

Priority 3: Persistence

Command
Reconnect only to install the February 2026 Windows Updates immediately.

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions for unknown entries that may have bypassed MotW protections.

Hardening & References

Baseline
CIS Microsoft Windows Desktop Benchmarks (Restrict execution of arbitrary LNK payloads).

Framework
NIST CSF 2.0 / SP 800-61r3.

Note on Remediation Timeline
Because CVE-2026-21513 is listed on the CISA KEV catalog, FCEB agencies must prioritize remediation by the designated March 2026 deadline, a mandate heavily recommended for private sector adoption.

Source

The Hacker News

Akamai Security Research