Researchers at Trellix reported that a hacking campaign linked to Russian state actors exploited a critical vulnerability in Microsoft Office, compromising devices at organizations across multiple countries. The operation, attributed to the threat group tracked as APT28 (also known as Fancy Bear), began shortly after Microsoft released a security update for CVE-2026-21509 last month.
The attackers reverse-engineered the patch within 48 hours and built a working exploit that deployed two previously unseen backdoor implants. The campaign, which began on January 28, consisted of a 72-hour spear-phishing wave using at least 29 distinct email lures sent to entities in nine countries, including Poland, Turkey, and Greece. Defense ministries, transport operators, and diplomatic organizations were among the primary targets.
Notably, the attackers sent the lures from compromised government email accounts, which lent the messages the credibility of a trusted sender and helped the initial infection evade endpoint protection. Command-and-control infrastructure was hosted on legitimate cloud platforms, allowing the implants' traffic to blend in with trusted network activity.
According to Trellix, the operation illustrates how quickly state-aligned groups can turn a newly released patch into a working exploit, underscoring the need for defenders to apply critical updates promptly rather than waiting for public exploit code to appear.