- Russian APT28 (Fancy Bear) exploited CVE-2026-21509 in Microsoft Office days after patch release
- Malicious DOC files sent to Ukrainian government agencies via themed phishing lures
- CISA added the bug to its KEV catalog and called for immediate patching
Russian hackers have attacked Ukrainian government agencies using a serious Microsoft Office vulnerability just days after a patch was released.
On January 26, 2026, Microsoft pushed an emergency fix to address CVE-2026-21509, a reliance on untrusted input in a security decision vulnerability that allows unauthorized attackers to bypass Microsoft Office security features locally. The bug was given a severity score of 7.6/10 (high), and is said to have already been abused in the wild as a zero-day.
Just three days later, Ukraine’s Computer Emergency Response Team (CERT-UA) said it saw cybercriminals sending dozens of government-related addresses malicious DOC files that exploited the flaw. Some were themed around the EU’s COREPER consultations, while others spoofed the country’s hydrometeorological centre.
How to defend against APT28
CERT says the attack is the work of APT28, a Russian state-sponsored threat actor also known as Fancy Bear or Sofacy. The group is linked to the country’s General Staff Main Intelligence Directorate (GRU).
The researchers based their findings on the analysis of the malware loader used in these attacks. Apparently, it’s the same one used in a June 2025 attack where Signal chat was used to deliver BeardShell and SlimAgent malware to Ukrainian government employees. This attack was confirmed to be carried out by APT28.
To defend against the attacks, CERT-UA advised government entities (and basically everyone else) to apply the latest patches and update their Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024 and Microsoft 365 Apps. Office 2021 users were also reminded to restart their applications after updating to ensure the patches were applied.
The US Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2026-21509 to its catalog of known exploited vulnerabilities (KEV).
Those who cannot install the patches should make changes to the Windows registry as a workaround. Microsoft has provided a step-by-step guide which can be found at this link.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
