- Russian APT28 (Fancy Bear) exploited CVE-2026-21509 in Microsoft Office days after patch release
- Malicious DOC files sent to Ukrainian government agencies via themed phishing lures
- CISA added the flaw to its KEV catalog, urging an immediate patch
Russian hackers attacked Ukrainian government agencies using a high-severity Microsoft Office vulnerability just days after a patch was released.
On January 26, 2026, Microsoft pushed an emergency fix for CVE-2026-21509, a flaw of the "reliance on untrusted inputs in a security decision" class that lets an unauthorized attacker bypass Microsoft Office security features locally. The bug carries a severity score of 7.6/10 (high) and was already being abused in the wild as a zero-day when the fix shipped.
Just three days later, Ukraine's Computer Emergency Response Team (CERT-UA) reported seeing attackers send malicious DOC files exploiting the flaw to dozens of government-related addresses. Some lures were themed around EU COREPER consultations, while others impersonated the country's Hydrometeorological Centre.
How to defend against APT28
CERT-UA attributes the attack to APT28, a Russian state-sponsored threat actor also known as Fancy Bear or Sofacy. The group is linked to the GRU, the Main Intelligence Directorate of Russia's General Staff.
The researchers based this attribution on analysis of the malware loader used in these attacks. It appears to be the same loader used in a June 2025 campaign, in which Signal chats were used to deliver the BeardShell and SlimAgent malware to Ukrainian government employees; that campaign was confirmed to be the work of APT28.
To defend against the attacks, CERT-UA recommended that government entities (and, in practice, everyone else) apply the latest patches and update their Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 applications. Office 2021 users were also reminded to restart their applications after the update so the patch actually takes effect: a Word or Outlook process that was running before the update keeps the old binaries loaded until it exits.
The US Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2026-21509 to its catalog of known exploited vulnerabilities (KEV).
Those who cannot install the patches will need to make changes to the Windows Registry as a mitigation; Microsoft has provided a step-by-step guide.
Via BleepingComputer
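The patch-and-restart advice above raises the obvious fleet question: which machines are actually on a fixed build, and which still have Office processes running pre-update code? The following PowerShell script is an added example written for this page, not code from TechRadar, CERT-UA or Microsoft. It reads the installed Office build from the Click-to-Run configuration key (Microsoft 365 Apps and Office 2019/2021/2024) and, for MSI installs such as volume-licence Office 2016, from the file version of WINWORD.EXE, then compares it to a minimum patched build that you supply. The patched build numbers themselves are not reproduced here and must be taken from Microsoft's advisory for CVE-2026-21509; the `-MinimumBuild` and `-PatchAppliedAfter` parameters, and the function names, are this example's own assumptions.

```powershell
# Added example (not from the article, CERT-UA or Microsoft).
# Reports installed Office builds and Office processes that predate the patch.
# Run in an elevated PowerShell on the endpoint being checked.

function Get-OfficeInstallInfo {
    $results = @()

    # Click-to-Run installs (Microsoft 365 Apps, Office 2019/2021/2024 retail and LTSC)
    # record the build that is actually deployed in VersionToReport.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $cfg = Get-ItemProperty -Path $c2r
        $results += [pscustomobject]@{
            InstallType = 'ClickToRun'
            Product     = $cfg.ProductReleaseIds
            Platform    = $cfg.Platform
            Version     = [version]$cfg.VersionToReport
            Source      = 'ClickToRun\Configuration\VersionToReport'
        }
    }

    # MSI installs (e.g. volume-licence Office 2016) do not bump their Uninstall
    # DisplayVersion on monthly updates, so read the version of the Word binary
    # instead. Caveat: an MSI fix may ship in a different component (see the
    # advisory's KB numbers); this is a triage signal, not proof of patching.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
    if (Test-Path $appPath) {
        $exe = (Get-ItemProperty -Path $appPath).'(default)'
        if ($exe -and (Test-Path $exe)) {
            $fv = (Get-Item $exe).VersionInfo.FileVersion
            try { $ver = [version]$fv } catch { $ver = $null }
            $results += [pscustomobject]@{
                InstallType = 'Binary'
                Product     = 'WINWORD.EXE'
                Platform    = if ([Environment]::Is64BitProcess) { 'x64' } else { 'x86' }
                Version     = $ver
                Source      = $exe
            }
        }
    }
    return $results
}

function Test-OfficePatched {
    # $MinimumBuild is the first fixed build for this channel, taken from
    # Microsoft's advisory for CVE-2026-21509 (assumed input; not reproduced here).
    param(
        [Parameter(Mandatory)] [version] $MinimumBuild,
        [object[]] $Installs = (Get-OfficeInstallInfo)
    )
    foreach ($i in $Installs) {
        [pscustomobject]@{
            InstallType = $i.InstallType
            Product     = $i.Product
            Version     = $i.Version
            Patched     = ($null -ne $i.Version -and $i.Version -ge $MinimumBuild)
            Source      = $i.Source
        }
    }
}

function Get-StaleOfficeProcesses {
    # Office processes started before the update was applied are still running
    # the old code even if the files on disk are patched; they need a restart.
    param([Parameter(Mandatory)] [datetime] $PatchAppliedAfter)
    $names = 'WINWORD', 'EXCEL', 'POWERPNT', 'OUTLOOK', 'MSACCESS', 'ONENOTE'
    Get-Process -Name $names -ErrorAction SilentlyContinue |
        Where-Object { $_.StartTime -lt $PatchAppliedAfter } |
        Select-Object Name, Id, StartTime, Path
}

# Example usage (the build below is a placeholder, not the real fixed build):
#   Test-OfficePatched -MinimumBuild '16.0.0.0' | Format-Table -AutoSize
#   Get-StaleOfficeProcesses -PatchAppliedAfter '2026-01-26' | Format-Table -AutoSize
```

Feed the `Patched` column into whatever inventory tool you already run; a machine that shows `Patched = True` but still lists stale processes is the exact case CERT-UA's restart reminder is about.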