Security researchers at Akamai discovered that the Russian state-sponsored threat group APT28 was exploiting a zero-day in Microsoft's MSHTML framework before Microsoft released a patch in February 2026.
Akamai researchers used PatchDiff-AI, a multi-agent AI system, to perform automated root-cause analysis.
They discovered the flaw resides in ieframe.dll, specifically within the _AttemptShellExecuteForHlinkNavigate function, which handles hyperlink navigation.
| Feature | Details |
|---|---|
| CVE ID | CVE-2026-21513 |
| CVSS Score | 8.8 (High) |
| Affected Component | MSHTML Framework (ieframe.dll) |
| Impact | Security Feature Bypass, Arbitrary Code Execution |
| Patch Date | February 2026 Patch Tuesday |
The vulnerability stems from insufficient validation of target URLs. This oversight enables attacker-controlled input to reach code paths that invoke ShellExecuteExW.
Consequently, local or remote resources can be executed outside the intended browser security context.
Researchers correlated the vulnerable code path with public threat intelligence and identified a malicious sample on VirusTotal submitted on January 30, 2026.
The sample, named document.doc.LnK.download, is linked to infrastructure associated with APT28. The payload uses a specially crafted Windows Shortcut (.lnk) file that embeds an HTML file immediately after the standard LNK structure.
Upon execution, the LNK file connects to wellnesscaremed[.]com, a domain attributed to APT28’s multi-stage campaigns.
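The appended-HTML delivery described above can be spotted on the wire or at rest by parsing a shortcut up to the end of its MS-SHLLINK structure and inspecting whatever bytes follow. This added Python example is not part of Akamai's analysis or tooling; the minimal shortcut it scans is constructed inline, and the list of HTML markers is a heuristic assumption.

```python
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the ShellLink CLSID, in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HTML_MARKERS = (b"<html", b"<iframe", b"<script", b"<!doctype")  # heuristic assumption

def lnk_structure_end(data: bytes) -> int:
    """Walk the MS-SHLLINK layout and return the offset where the structure ends."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: 4-byte LinkInfoSize that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & 0x80 else 1  # IsUnicode
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char_size
    while pos + 4 <= len(data):  # ExtraData blocks end with a terminal block whose size is < 4
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            return pos + 4
        pos += size
    return min(pos, len(data))

def scan_lnk(data: bytes) -> dict:
    """Report any data appended after the shortcut structure and whether it looks like HTML."""
    end = lnk_structure_end(data)
    trailing = data[end:].lower()
    found = [m.decode() for m in HTML_MARKERS if m in trailing]
    return {"structure_end": end, "trailing_bytes": len(trailing),
            "html_markers": found, "suspicious": bool(found)}

def build_sample(name: str, appended: bytes = b"") -> bytes:
    """Constructed test input: header + Unicode NAME string + terminal block (+ appended bytes)."""
    flags = 0x04 | 0x80  # HasName | IsUnicode
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    string_data = struct.pack("<H", len(name)) + name.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + appended

if __name__ == "__main__":
    print(scan_lnk(build_sample("Document")))
    print(scan_lnk(build_sample("Document", b"<html><body><iframe></iframe></body></html>")))
```

A non-empty trailing region is itself worth flagging even when no marker matches, since a well-formed shortcut ends at its terminal block.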
According to Akamai’s analysis, the exploit uses nested iframes and multiple Document Object Model (DOM) contexts to manipulate trust boundaries.
This technique bypasses the Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC).
By downgrading the security context, the attacker can trigger the vulnerable navigation flow and execute arbitrary code.
Microsoft addressed the vulnerability in the February 2026 Patch Tuesday update. The fix introduces stricter validation for hyperlink protocols.
It ensures that supported protocols, such as file://, http://, and https://, execute within the browser context rather than being passed directly to ShellExecuteExW.
Indicators of Compromise (IOCs)
Akamai researchers have provided the following IOCs to assist network defenders:
| Name | Indicator |
|---|---|
| document.doc.LnK | aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa |
| Domain | wellnesscaremed.com |
| MITRE Techniques | T1204.001, T1566.001 |
Akamai warns that, while the observed attacks belong to a specific campaign that delivers malicious .LNK files, the vulnerability can be triggered by any component that embeds MSHTML.
Organizations are advised to apply the February 2026 security updates to mitigate the risk and remain vigilant against alternative delivery mechanisms.
The post MSHTML Framework 0-Day Exploited by APT28 Hackers Before Feb 2026’s Patch Tuesday Update appeared first on Cyber Security News.