Just days after Microsoft published an emergency update, Ukrainian researchers detected a campaign, operated by hackers linked to the Russian state, that exploits the vulnerability tracked as CVE-2026-21509 in several versions of Microsoft Office. Ukraine's computer emergency response team (CERT-UA) documented the distribution of malicious documents that exploited the flaw and which, according to its analysis, belong to the tooling associated with APT28 (also known as Fancy Bear or Sofacy).
The intrusion sequence is not simple, classic phishing: opening the DOC files triggers a WebDAV-based download chain that ends with the installation of a malicious payload through COM component hijacking. Among the artifacts identified by CERT-UA are a malicious DLL named EhStoreShell.dll, an image file (SplashScreen.png) that actually carries hidden executable code, and a scheduled task that appears under the name OneDriveHealth. A forced restart of the explorer.exe process, orchestrated by that scheduled task, causes the malicious DLL to load and run the shellcode hidden in the image, which in turn launches a command-and-control framework known as COVENANT.

The same loader had already appeared in earlier incidents linked to APT28 in June 2025, when attackers used Signal conversations to distribute downloads that led to the execution of malware dubbed BeardShell and SlimAgent. CERT-UA further notes that COVENANT has been using the cloud storage service Filen as a command-and-control channel, so monitoring or blocking connections to that platform can help mitigate the malicious activity.
Several details of the investigation stand out: some of the distributed documents dealt with EU COREPER consultations concerning Ukraine, while others were disguised as communications from the Ukrainian Hydrometeorological Centre and were sent to dozens of addresses belonging to government bodies. Forensic analysis also reveals an interesting paradox: the file metadata indicates that the documents were created after Microsoft released the emergency update, suggesting that the attackers either reused an exploit that was already available or generated documents specifically designed to evade controls.
The attribution to APT28 rests not only on the technique used but also on the reuse of infrastructure and tools already observed in previous campaigns. For background on this actor, it is worth reviewing the public reports and compilations that describe its persistence and modus operandi over the years, such as the analyses and technical fact sheets available in open sources and specialised repositories, for example the reference page on APT28 on Wikipedia or the investigations and reports of national response teams.
On the defensive side, the clear recommendation from CERT-UA and vendors is to apply, as soon as possible, the out-of-band update that Microsoft published to correct CVE-2026-21509. The vulnerability affects versions such as Office 2016, Office 2019, Microsoft 365 Apps and the LTSC editions; in addition, for Office 2021 and later, users must restart their applications for the patch to actually take effect. Microsoft also reminds users that the Office Protected View feature adds a further barrier by opening files that came from the Internet in a read-only sandbox until the user explicitly trusts them; official documentation for that feature is available on Microsoft's site: Office Protected View.
When the patch cannot be deployed immediately, there are temporary mitigations based on the Windows registry and Group Policy that restrict the vulnerable behaviour; the specific instructions are typically published by both Microsoft and national CERTs, so follow the official guidance and adapt it to your own infrastructure. It is also advisable to audit recently created scheduled tasks, DLLs loaded from unusual locations and outbound connections to unusual cloud storage services as part of the hunt for indicators of compromise tied to this campaign.
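The audit just described, and the artifact chain set out earlier (scheduled task restarting explorer.exe, DLL loaded via COM hijacking, Filen used as C2), can be turned into a repeatable hunt over endpoint telemetry. The following is an added example, not CERT-UA's or Microsoft's code: it runs four rules over a handful of constructed, Sysmon-style events (a DLL loaded into explorer.exe from a user-writable path, a per-user COM server registered under HKCU\Software\Classes\CLSID, a schtasks.exe command creating a task that restarts explorer.exe, and a DNS lookup for the Filen service) and flags a host only when several distinct rules fire within a short window, so a single cloud-storage lookup does not page anyone. The HKCU registration, the file paths, the task action, the placeholder CLSID and the filen.io domain are assumptions for illustration; this article does not spell out those specifics, so align the matchers with the published indicators before using it.

```python
"""Correlate endpoint telemetry for the artifact chain described in the article.
Added example; the event shape mimics Sysmon (ImageLoad, RegistryValueSet,
ProcessCreate, DnsQuery) but every event below is constructed, not a real log."""
from datetime import datetime, timedelta

# Paths an ordinary user can write to; a DLL loaded into explorer.exe from here is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Task names reported for the campaign (assumption: case-insensitive substring match is enough).
TASK_WATCHLIST = {"onedrivehealth"}
# Cloud storage abused as a C2 channel. filen.io is assumed to be the Filen service domain.
STORAGE_C2_DOMAINS = ("filen.io",)


def rule_dll_from_user_path(ev):
    """explorer.exe loading a DLL from a user-writable directory (COM hijack / side-load)."""
    if ev["event"] != "ImageLoad" or not ev["image"].lower().endswith("\\explorer.exe"):
        return None
    loaded = ev["loaded"].lower()
    if any(frag in loaded for frag in USER_WRITABLE):
        return f"explorer.exe loaded {ev['loaded']} from a user-writable path"
    return None


def rule_hkcu_com_server(ev):
    """A per-user InprocServer32 value shadows the machine-wide CLSID (classic COM hijack)."""
    if ev["event"] != "RegistryValueSet":
        return None
    key = ev["key"].lower()
    if key.startswith("hkcu\\software\\classes\\clsid\\") and key.endswith("\\inprocserver32"):
        return f"per-user COM server {ev['key']} -> {ev['data']}"
    return None


def rule_task_restarts_explorer(ev):
    """schtasks.exe creating a watch-listed task or one whose action touches explorer.exe."""
    if ev["event"] != "ProcessCreate":
        return None
    cl = ev["cmdline"].lower()
    if "schtasks" not in cl or "/create" not in cl:
        return None
    if any(name in cl for name in TASK_WATCHLIST) or "explorer.exe" in cl:
        return f"scheduled task created: {ev['cmdline']}"
    return None


def rule_storage_c2_dns(ev):
    """DNS lookup for a cloud storage service reported as a C2 channel."""
    if ev["event"] != "DnsQuery":
        return None
    q = ev["query"].lower()
    if any(q == d or q.endswith("." + d) for d in STORAGE_C2_DOMAINS):
        return f"lookup of cloud storage C2 domain {ev['query']}"
    return None


RULES = (rule_dll_from_user_path, rule_hkcu_com_server, rule_task_restarts_explorer, rule_storage_c2_dns)


def correlate(events, window=timedelta(hours=1), min_rules=2):
    """Return (hits per host, flagged hosts). A host is flagged when at least `min_rules`
    distinct rules fire within `window`; the flagged value is the sorted list of rule names."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.setdefault(ev["host"], []).append((ev["ts"], rule.__name__, msg))
    flagged = {}
    for host, host_hits in hits.items():
        for i, (t0, _, _) in enumerate(host_hits):
            fired = {name for ts, name, _ in host_hits[i:] if ts - t0 <= window}
            if len(fired) >= min_rules:
                flagged[host] = sorted(fired)
                break
    return hits, flagged


T = datetime.fromisoformat
# Constructed sample telemetry: WS-01 shows the whole chain, WS-02 only a benign Filen lookup
# and a DLL of the same name loaded from the system directory. The CLSID is a placeholder.
SAMPLE_EVENTS = [
    {"ts": T("2026-02-02T09:00:00"), "host": "WS-01", "event": "RegistryValueSet",
     "key": "HKCU\\Software\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32",
     "data": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\EhStoreShell.dll"},
    {"ts": T("2026-02-02T09:00:30"), "host": "WS-01", "event": "ProcessCreate",
     "cmdline": 'schtasks.exe /create /tn OneDriveHealth /sc minute /mo 30 '
                '/tr "cmd /c taskkill /f /im explorer.exe & start explorer.exe"'},
    {"ts": T("2026-02-02T09:01:00"), "host": "WS-01", "event": "ImageLoad",
     "image": "C:\\Windows\\explorer.exe",
     "loaded": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\EhStoreShell.dll"},
    {"ts": T("2026-02-02T09:02:00"), "host": "WS-01", "event": "DnsQuery", "query": "gateway.filen.io"},
    {"ts": T("2026-02-02T10:15:00"), "host": "WS-02", "event": "DnsQuery", "query": "filen.io"},
    {"ts": T("2026-02-02T11:00:00"), "host": "WS-02", "event": "ImageLoad",
     "image": "C:\\Windows\\explorer.exe", "loaded": "C:\\Windows\\System32\\EhStoreShell.dll"},
]

if __name__ == "__main__":
    all_hits, flagged_hosts = correlate(SAMPLE_EVENTS)
    for host, names in flagged_hosts.items():
        print(f"{host}: {', '.join(names)}")
        for ts, _, msg in all_hits[host]:
            print(f"  {ts:%H:%M:%S} {msg}")
```

The rules are deliberately generic (any DLL from a user-writable path, any per-user COM server, any task that restarts explorer.exe) rather than exact-match on the published names, so renamed variants still produce hits; the correlation threshold is what keeps the false-positive rate tolerable.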
Techniques such as embedding shellcode in PNG files and COM component hijacking illustrate a trend seen in sophisticated intrusions: attackers combine obfuscation and persistence vectors to get past automated controls and obtain persistent execution on systems of interest. For this reason the response cannot be limited to a single patch; it should include continuous monitoring, network segmentation, stronger access controls and specific training for the teams that manage privileged accounts.
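The article twice points at an image that carries hidden code (SplashScreen.png in the artifact list, and PNG-embedded shellcode in the paragraph above). As an added example, not CERT-UA's or Microsoft's code, the following Python checks the PNG container for the cheap hiding places a loader tends to use: bytes appended after the IEND chunk, chunk types outside the specification, a truncated chunk list, and chunks whose CRC does not match their contents. It does not detect pixel-level steganography, and the article does not say which carrier technique SplashScreen.png used, so a clean result means "container intact", not "image safe". The samples are constructed inside the block; the "payload" is junk bytes beginning with MZ, not shellcode.

```python
"""Structural PNG inspection for hidden payloads. Added example: walks the chunk list,
reports trailing data after IEND, non-standard chunk types and CRC mismatches.
Pixel-level steganography is out of scope."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types from the PNG spec plus common registered extensions; anything else is worth a look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
                b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
                b"sPLT", b"tIME", b"acTL", b"fcTL", b"fdAT", b"eXIf", b"oFFs", b"pCAL", b"sCAL"}


def png_chunk(ctype, body):
    """Serialise one chunk: length, type, data, CRC32 over type+data (used to build samples)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def inspect_png(data):
    """Walk the chunk list and return a dict of structural anomalies."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    report = {"chunks": [], "unknown_chunks": [], "bad_crc": [], "truncated": False,
              "has_iend": False, "trailing_bytes": 0, "trailing_is_pe": False}
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            report["truncated"] = True  # declared length runs past end of file
            break
        report["chunks"].append(ctype)
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            report["bad_crc"].append(ctype)
        if ctype not in KNOWN_CHUNKS:
            report["unknown_chunks"].append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            report["has_iend"] = True
            break
    trailing = data[pos:]  # decoders stop at IEND, so anything here is invisible to viewers
    report["trailing_bytes"] = len(trailing)
    report["trailing_is_pe"] = trailing[:2] == b"MZ"
    return report


def is_suspicious(report):
    """True if any structural anomaly was found."""
    return bool(report["trailing_bytes"] or report["unknown_chunks"] or report["bad_crc"]
                or report["truncated"] or not report["has_iend"])


def minimal_png():
    """A valid 1x1 RGB PNG, constructed here as a stand-in for a benign image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, 0, 0, 0
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


# Constructed samples: clean image, blob appended after IEND, and a private ancillary chunk
# ("shLc": lowercase first letter = ancillary, lowercase second letter = private) before IEND.
CLEAN = minimal_png()
FAKE_PAYLOAD = b"MZ" + bytes(range(256)) * 4           # junk bytes, not shellcode
APPENDED = CLEAN + FAKE_PAYLOAD
PRIVATE_CHUNK = CLEAN[:-12] + png_chunk(b"shLc", FAKE_PAYLOAD) + CLEAN[-12:]  # IEND is 12 bytes

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            rep = inspect_png(fh.read())
        print(path, "SUSPICIOUS" if is_suspicious(rep) else "ok", rep)
```

Run it over the images dropped next to a suspicious DLL; a private chunk or trailing blob in an image that a shell extension reads is exactly the pattern described above, and the offset of that data is where to start carving the shellcode for further analysis.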
In addition to the CERT-UA technical report containing the initial investigation, security officers should consult the advisories and best-practice guides of international bodies and vendors to keep defences up to date and coordinate responses. The CERT-UA report on this case is publicly available and contains details useful to SOC teams: CERT-UA report. For a broader view on prioritising actively exploited vulnerabilities, CISA's catalogue of Known Exploited Vulnerabilities is a useful source.

In short, the combination of a zero-day vulnerability, deceptive documents with plausible themes and a well-tuned technical execution chain shows why off-cycle updates deserve to be taken seriously. If your organisation has not yet applied the patch for CVE-2026-21509, making it the first security priority can make the difference between a failed intrusion attempt and a deep, persistent foothold in the network. At the same time, monitoring connections to unauthorised cloud storage services and reviewing artifacts such as OneDriveHealth, EhStoreShell.dll or images with suspicious behaviour will help detect compromises that got past the initial defences.
For those who want to investigate the tooling involved, the COVENANT framework, frequently cited in post-exploitation analyses, has a public repository with technical information on GitHub: Covenant on GitHub. That information, combined with the indicators published by teams such as CERT-UA, makes it easier for defenders to build more effective detection rules and blocks against similar campaigns.
The story remains open: CERT-UA and other labs will continue to publish updates if new variants or infrastructure linked to this campaign are identified. Keeping communication channels with the community open and implementing preventive and detective measures is, for now, the best way to reduce the risk posed by state-resourced actors. In the meantime, applying the patch, restarting the affected applications and strengthening network and endpoint observability are concrete steps that can contain the threat.