
Russia-linked attackers are reportedly using a new Microsoft vulnerability as part of a coordinated espionage and malware campaign, Operation Neusploit.
The campaign was spotted in January 2026 by security researchers at ZScaler ThreatLabz, three days after Microsoft issued an urgent patch for the flaw.
“In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain,” the researchers said in a blog post. “ThreatLabz observed active in-the-wild exploitation on January 29, 2026.”
The campaign targeted users in parts of Central and Eastern Europe, including Ukraine, Slovakia, and Romania, with custom social engineering lures. The crafted rich text format (RTF) files triggered the Office vulnerability the moment they were opened, initiating a multi-stage infection chain leading to backdoors and malware implants.
Owing to the significant overlap in tools, techniques, and procedures (TTPs) between the campaign and those of APT28 (aka Fancy Bear), the threat group affiliated with Russia’s General Staff Main Intelligence Directorate (GRU), ZScaler attributed the campaign to that advanced persistent threat (APT) group.
Neusploit hooked users through Office
Operation Neusploit relies heavily on CVE-2026-21509, a high-severity bug in Microsoft Office that Microsoft patched on January 26 after reports of active exploitation.
The infection begins with victims receiving an email with an RTF attachment that contains a weaponized exploit. When opened, the RTF file causes Microsoft Office to execute code that reaches out to threat actor infrastructure and downloads a dropper DLL. The DLL then executes the rest of the malicious chain.
“The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header,” the researchers said.
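The step above (Office opens the RTF, reaches out to attacker infrastructure, and pulls down a dropper DLL) is the part a defender can still correlate on the endpoint even when the server's region and User-Agent gating keeps an analysis sandbox from ever receiving the DLL. The following Python is an added example, not Zscaler's code; it assumes a loosely Sysmon-like JSON event feed and uses constructed sample events with placeholder addresses and paths.

```python
import json
from datetime import datetime

# Office binaries that can host the RTF exploit chain (assumption: WINWORD.EXE is the
# usual RTF handler; the others are included for completeness).
OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}

# Constructed sample telemetry, one JSON event per line in a loosely Sysmon-like shape.
# Addresses and paths are placeholders, not indicators from the Zscaler report.
SAMPLE_EVENTS = r"""
{"ts":"2026-01-29T09:14:05Z","pid":4120,"image":"C:\\Office16\\WINWORD.EXE","event":"network_connect","dst":"203.0.113.10:80"}
{"ts":"2026-01-29T09:14:06Z","pid":4120,"image":"C:\\Office16\\WINWORD.EXE","event":"file_create","path":"C:\\Users\\u\\AppData\\Local\\Temp\\x.dll","magic":"4d5a"}
{"ts":"2026-01-29T09:20:00Z","pid":5011,"image":"C:\\Browser\\chrome.exe","event":"network_connect","dst":"198.51.100.7:443"}
{"ts":"2026-01-29T09:20:01Z","pid":5011,"image":"C:\\Browser\\chrome.exe","event":"file_create","path":"C:\\Users\\u\\Downloads\\setup.exe","magic":"4d5a"}
{"ts":"2026-01-29T09:30:00Z","pid":6100,"image":"C:\\Office16\\WINWORD.EXE","event":"file_create","path":"C:\\Users\\u\\Documents\\notes.docx","magic":"504b"}
"""

def _ts(value):
    # Python < 3.11 does not accept a trailing "Z" in fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def office_dropper_findings(events, window_s=120):
    """Flag an Office process that makes an outbound connection and, within
    window_s seconds, writes a PE file (MZ magic) to disk: the shape of the
    RTF -> download -> dropper DLL step described in the article."""
    last_connect = {}  # pid -> most recent network_connect event for that process
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].upper()
        if image not in OFFICE_IMAGES:
            continue  # only Office-hosted activity matters for this rule
        if ev["event"] == "network_connect":
            last_connect[ev["pid"]] = ev
        elif ev["event"] == "file_create" and ev.get("magic", "").lower().startswith("4d5a"):
            conn = last_connect.get(ev["pid"])
            if conn is None:
                continue  # PE written without a preceding connection: not this pattern
            delta = (_ts(ev["ts"]) - _ts(conn["ts"])).total_seconds()
            if 0 <= delta <= window_s:
                findings.append({"pid": ev["pid"], "image": image, "dst": conn["dst"],
                                 "dropped": ev["path"], "seconds_after_connect": delta})
    return findings

if __name__ == "__main__":
    for finding in office_dropper_findings(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Only the WINWORD.EXE process that connected out and then wrote a DLL is flagged; the browser download and the Office process that wrote a non-PE document are not.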
The campaign used two different variants of the dropper DLL, deploying different components for different purposes.
One campaign, two infection paths
ZScaler found that exploitation of CVE-2026-21509 did not lead to a single uniform payload. Instead, the initial RTF-based exploit branched into two distinct infection paths, each serving a different operational purpose. The choice of dropper reportedly determined whether the attackers prioritized near-term intelligence collection or longer-term access to compromised systems.
In one path, the exploit delivered MiniDoor, a lightweight DLL that focused on email theft. The malware modified Windows registry settings to weaken Microsoft Outlook security controls, allowing it to quietly collect and exfiltrate email data to an attacker-controlled infrastructure. The design and functionality of MiniDoor closely resemble earlier APT28 tooling, aligning with the group’s established espionage-focused attacks.
The second path involved a more elaborate chain that began with PixyNetLoader, which deployed additional payloads and established persistence using techniques such as DLL proxying and COM object hijacking. This loader ultimately installed a Covenant Grunt implant, the agent of the .NET-based Covenant command and control (C2) framework, giving the attackers sustained remote access through cloud-hosted C2 infrastructure.
Mitigation efforts
ZScaler recommended that organizations prioritize patching for CVE-2026-21509, noting that APT28 exploited the flaw within days of Microsoft releasing fixes. Systems running unpatched versions of Microsoft Office remain exposed to weaponized RTF documents that require little user interaction beyond opening the file, significantly raising the risk of compromise in email-driven attack scenarios.
For defensive analysis, ZScaler shared GitHub repositories, including the Windows scheduled task configuration file and the MiniDoor macro code, illustrating the attack paths used in Operation Neusploit. Additionally, the disclosure shared a list of indicators of compromise (IOCs) to support detection efforts, which included file hashes, malicious domains, and URLs. CISA had added the flaw to its known exploited vulnerabilities (KEV) database, giving Federal Civilian Executive Branch (FCEB) agencies until February 16 to patch their systems.
