Zscaler ThreatLabz researchers spotted this campaign and linked it with high confidence to the notorious APT28 group. The attacks hit users in Ukraine, Slovakia, and Romania using tricked-out documents in English, Romanian, Slovak, and Ukrainian.
Microsoft rushed out an emergency patch on January 26, 2026. But hackers started using the flaw in real attacks just days later, on January 29. The goal? Sneak in backdoors and grab sensitive Outlook emails without leaving obvious tracks.
Victims get phishing emails with booby-trapped RTF files. When opened, these files trigger CVE-2026-21509, a bug in how Microsoft parses RTF. This lets attackers run code on the victim’s Windows machine.
Next, the exploit pulls a malicious DLL dropper from a hacker’s server. Smart evasion kicks in: the server sends the bad file only if the request comes from a target country and includes specific browser headers; outsiders get nothing.
Two dropper flavors exist. The first plants MiniDoor, a slim C++ tool. It cracks open Outlook’s VBA project using XOR decryption and tweaks registry settings to lower macro guards. It hides in the app’s startup folder.
Once Outlook launches, MiniDoor watches for logins and new mail. It scans folders like Inbox and Drafts, bundles emails, and silently forwards them to hacker addresses without creating copies in the Sent folder; it even tracks and skips duplicates.
The second variant drops PixyNetLoader. This loader decrypts payloads: shellcode hidden by steganography in a PNG image, a fake EhStoreShell.dll, and a task scheduler file.
It hijacks a legit Windows COM object, proxying calls to the real DLL while loading evil code into explorer.exe. A quick task restart forces the load.
EhStoreShell.dll checks for sandboxes with sleep timings, then pulls shellcode from the PNG using LSB steganography.
The shellcode fires up a Covenant Grunt implant, a .NET tool from the open-source Covenant C2 framework. Grunt phones home via the Filen API, hiding commands in XOR’d Base64 strings.
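The two unwrapping steps described above (LSB steganography in the PNG, then XOR’d Base64 on the C2 channel) are easy to confuse with generic encoding when triaging a sample. The following is an added Python example written for this article, not code from Zscaler or from the Covenant project. It assumes a layout the article does not document (a 4-byte big-endian length prefix, one bit per channel byte, MSB first, and a single-byte XOR key); the "image" is a constructed byte array, and the hidden payload is a harmless marker string standing in for shellcode.

```python
import base64
from typing import Iterator

# Constructed 64x64 RGB "image" (12288 channel bytes). In real triage these bytes
# come from a PNG decoder, e.g. Pillow's Image.open(path).convert("RGB").tobytes().
CARRIER = bytes((i * 37 + 11) & 0xFF for i in range(64 * 64 * 3))

# Assumed framing: 4-byte big-endian length, then payload, one bit per channel byte.
LENGTH_BITS = 32


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Test-fixture builder: hide a length-framed payload in the carrier's LSBs."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = list(_bits(framed))
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(carrier: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of carrier[start_bit:] (8 channel bytes each)."""
    out = bytearray()
    for n in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (carrier[start_bit + n * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(carrier: bytes) -> bytes:
    """Analyst-side extractor: read the length prefix, sanity-check it, return the hidden bytes."""
    if len(carrier) < LENGTH_BITS:
        raise ValueError("carrier shorter than the length prefix")
    length = int.from_bytes(_read_lsb_bytes(carrier, 0, 4), "big")
    if LENGTH_BITS + length * 8 > len(carrier):
        # A clean image yields an arbitrary 32-bit "length" that almost always fails here,
        # which is a cheap first hint that nothing is framed this way in the file.
        raise ValueError(f"declared length {length} exceeds carrier capacity")
    return _read_lsb_bytes(carrier, LENGTH_BITS, length)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_c2_string(encoded: str, key: bytes) -> bytes:
    """Undo the XOR-then-Base64 wrapping the article attributes to Grunt traffic (key assumed)."""
    return xor_bytes(base64.b64decode(encoded), key)


def encode_c2_string(plain: bytes, key: bytes) -> str:
    """Forward direction, used only to build sample traffic for the demo."""
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


if __name__ == "__main__":
    sample_payload = b"SAMPLE-PAYLOAD-NOT-SHELLCODE"  # constructed stand-in for real shellcode
    stego = embed_lsb(CARRIER, sample_payload)
    print("recovered:", extract_lsb(stego))
    print("command  :", decode_c2_string(encode_c2_string(b"ping", b"\x01"), b"\x01"))
```

When a real sample uses a different frame (a magic marker, a trailing terminator, or bits spread across only one colour channel), `extract_lsb` is the only function that changes; the XOR and Base64 layers are independent of it. Keep the key as bytes rather than a string so multi-byte keys recovered from the loader work unchanged.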
Fancy Bear, or APT28, ties to Russia’s GRU Unit 26165. Active since 2007, they spy on governments, militaries, NATO allies, and critics worldwide.
Past hits used X-Agent, Zebrocy, and zero-days in Office and Flash. The attribution rests on overlapping targets, MiniDoor’s resemblance to the earlier NotDoor backdoor, the same COM hijacking tricks, and PNG steganography seen in prior operations.
Patch now: grab Microsoft’s update for CVE-2026-21509. Watch for RTF lures from sketchy sources. Tools like PolySwarm list IOC samples; block Filen API abuse and scan for rogue registry tweaks in Outlook.
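The article twice points at Outlook’s macro-security registry settings (MiniDoor lowers them; the mitigation advice is to scan for rogue tweaks) without naming the values. The following is an added Python example, not code from the article or from Zscaler. It assumes the settings in question are the two documented Outlook values `Level` (under `...\Outlook\Security`, where 1 means all macros run without notification) and `LoadMacroProviderOnBoot` (under `...\Outlook`, where 1 loads the VBA project at startup); the `.reg` fragments it parses are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed .reg fragment standing in for the output of
#   reg export "HKCU\Software\Microsoft\Office\16.0\Outlook" outlook.reg
# The value names are the documented Outlook macro-security settings; the article does not
# name them, so treating them as the "registry tweaks" in question is an assumption.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook]
"LoadMacroProviderOnBoot"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"Level"=dword:00000001
"""

# Constructed baseline: Level=2 is "notifications for signed macros, all others disabled".
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"Level"=dword:00000002
"""


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: int
    reason: str


_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')
# Matches the per-user hive and the policy hive (Software\Policies\...), any Office version.
_OUTLOOK_RE = re.compile(r"\\(policies\\)?microsoft\\office\\\d+\.\d\\outlook$", re.IGNORECASE)


def parse_reg(text: str) -> dict[str, dict[str, int]]:
    """Minimal .reg parser: keeps key paths and DWORD values only (enough for these checks)."""
    keys: dict[str, dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line) if current else None
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def load_reg_export(path: str) -> dict[str, dict[str, int]]:
    """reg.exe writes exports as UTF-16LE with a BOM; the 'utf-16' codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def _value(values: dict[str, int], name: str):
    """Case-insensitive lookup, because registry value names are case-insensitive."""
    return next((v for n, v in values.items() if n.lower() == name.lower()), None)


def check_outlook_macro_settings(reg: dict[str, dict[str, int]]) -> list[Finding]:
    """Flag the two settings a backdoor would loosen so an Outlook VBA project runs unattended."""
    findings: list[Finding] = []
    for key, values in reg.items():
        is_security = key.lower().endswith("\\security")
        base = key[: -len("\\security")] if is_security else key
        if not _OUTLOOK_RE.search(base):
            continue
        if is_security:
            level = _value(values, "Level")
            if level == 1:
                findings.append(Finding(key, "Level", level,
                                        "Level=1: all macros run without notification"))
        else:
            load = _value(values, "LoadMacroProviderOnBoot")
            if load == 1:
                findings.append(Finding(key, "LoadMacroProviderOnBoot", load,
                                        "VBA project (VbaProject.OTM) is loaded at Outlook start"))
    return findings


if __name__ == "__main__":
    for f in check_outlook_macro_settings(parse_reg(SAMPLE_REG)):
        print(f"[!] {f.key}\\{f.name} = {f.value}: {f.reason}")
    print("clean export findings:", check_outlook_macro_settings(parse_reg(CLEAN_REG)))
```

Because a value under `HKCU\Software\Policies\...` overrides the user setting, export and check both hives; a hit in the user hive with a sane policy value is still worth a look, since the tampering happened even if Group Policy neutralised it. Pair this with a check for unexpected files in Outlook’s startup folder, which the article names as MiniDoor’s hiding place.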
The post Fancy Bear Hackers Abuse Microsoft Zero-Day in Email Theft Campaign appeared first on Cyber Security News.