A targeted cyberattack campaign has been uncovered by researchers at Zscaler ThreatLabz. The operation, which the firm has named Operation Neusploit, was identified in January 2026 and is being linked with high confidence to APT28, a state-sponsored hacker group likely connected to Russia. The campaign targets users in Ukraine, Slovakia, and Romania using deceptive documents written in their native languages.
As is so often the case, the attackers went after a weakness in widely deployed software. Here they exploit a critical vulnerability tracked as CVE-2026-21509, which affects current versions of Microsoft Office and Microsoft 365. The flaw lies in the Object Linking and Embedding (OLE) feature and lets an attacker bypass Office's security checks and take control of a machine when a user simply opens a specially crafted file.
Microsoft released an out-of-band patch on 26 January 2026, but Zscaler observed the vulnerability still being exploited in the wild as late as 29 January, so machines that had not yet taken the update remained exposed for days after a fix was available.
The attack starts with a specially crafted RTF document. When the victim opens it, the file triggers the vulnerability and silently fetches a dropper (a small loader whose only job is to install further malware). One variant of the dropper installs MiniDoor, a backdoor built to target Microsoft Outlook. It performs several actions, including:
- Modifying the Windows Registry to switch off Outlook's security prompts and let macros (embedded VBA mini-programs) run automatically.
- Scanning the Inbox, Drafts, and Junk folders, then copying the messages it finds and forwarding them to two attacker-controlled email addresses.
- Deleting the forwarded copies from the Sent Items folder so the victim sees no trace of the exfiltration.
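The report says MiniDoor edits the Registry to silence Outlook's warnings and auto-run macros but does not name the keys it touches. The following audit script is an added example, not code from the report or from the malware: it reads the two Outlook security values that Microsoft documents for exactly those behaviours (ObjectModelGuard and the macro Level, under both the user and the policy hives) and flags the weakened settings. The key paths, value meanings and thresholds are taken from Microsoft's documentation and are an assumption about what such a change would look like on a compromised host; on a non-Windows machine the script falls back to a constructed sample so the evaluation logic can still be exercised.

```python
"""Audit the Outlook registry settings a mail-stealing backdoor would weaken (added example)."""
import sys

OFFICE_VERSIONS = ("16.0", "15.0", "14.0")
SECURITY_SUBKEY = r"Software\Microsoft\Office\{ver}\Outlook\Security"
POLICY_SUBKEY = r"Software\Policies\Microsoft\Office\{ver}\Outlook\Security"

# ObjectModelGuard governs prompts when a program touches mail through the object model:
#   0 = warn when antivirus is inactive or out of date (default), 1 = never warn, 2 = always warn
# Level governs VBA macro execution in Outlook:
#   1 = enable all macros, 2 = prompt for all, 3 = prompt for signed only (default), 4 = disable all
# Assumption: these are the documented settings that match the behaviour the report describes.
CHECKS = {
    "ObjectModelGuard": {1: "Object Model Guard prompts disabled: programmatic mail access never warns the user"},
    "Level": {1: "macro security set to 'enable all macros': VBA runs without any prompt"},
}


def assess_outlook_security(values):
    """Return a list of findings for a mapping of Outlook Security value names to DWORDs."""
    findings = []
    for name, bad_values in CHECKS.items():
        current = values.get(name)
        if current in bad_values:
            findings.append(f"{name}={current}: {bad_values[current]}")
    return findings


def read_outlook_security():
    """Read the relevant values from HKCU on Windows. Returns {(hive, version): {name: value}}."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return {}
    found = {}
    for label, template in (("user", SECURITY_SUBKEY), ("policy", POLICY_SUBKEY)):
        for ver in OFFICE_VERSIONS:
            try:
                key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, template.format(ver=ver))
            except OSError:
                continue  # no such key for this Office version
            with key:
                values = {}
                for name in CHECKS:
                    try:
                        values[name], _ = winreg.QueryValueEx(key, name)
                    except OSError:
                        pass  # value not set, so Outlook uses its default
                if values:
                    found[(label, ver)] = values
    return found


def main():
    found = read_outlook_security()
    if not found:
        # Constructed sample (not real telemetry) for hosts without winreg or Outlook keys.
        found = {("sample", "16.0"): {"ObjectModelGuard": 1, "Level": 1}}
        print("winreg or Outlook keys unavailable; evaluating constructed sample values", file=sys.stderr)
    for (hive, ver), values in found.items():
        findings = assess_outlook_security(values)
        print(f"[{hive}] Office {ver}: {'SUSPICIOUS' if findings else 'ok'}")
        for finding in findings:
            print("   ", finding)


if __name__ == "__main__":
    main()
```

The policy hive is read as well as the user hive because values under `Software\Policies` override the user's own settings; a backdoor that writes there would defeat a user who later "fixes" the Trust Center options by hand.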
The second variant, named PixyNetLoader, is more elaborate. It uses steganography, hiding its payload inside an innocuous-looking image file, in this case one named SplashScreen.png.
To evade analysis, the malware also includes anti-sandbox checks. For example, it measures whether its sleep calls return sooner than they should, which indicates that an analysis environment is accelerating sleeps to fast-forward past delay loops. If it detects this kind of tampering, it simply stops running.
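The sleep-acceleration check described above, as an added example (the report does not publish PixyNetLoader's code, and this is not it). Sandboxes often hook Sleep() so it returns immediately; a sample catches that by timing the sleep against an independent clock, and a second cross-check between two clocks exposes hooks that fake only one time source. The thresholds, function names and the stand-in `fake_sandbox_sleep` are assumptions chosen for illustration; on Windows the same comparison is usually made against GetTickCount, QueryPerformanceCounter or the rdtsc instruction.

```python
"""Sleep-acceleration anti-analysis check (added example, not the malware's code)."""
import time


def sleep_is_accelerated(seconds=0.2, tolerance=0.5, sleep_fn=time.sleep, clock=time.perf_counter):
    """Return True when a sleep of `seconds` returns in less than `tolerance` of that time.

    `clock` must be a monotonic source that the sleep hook does not also patch; if the
    sandbox fakes the clock consistently this check alone will not fire.
    """
    start = clock()
    sleep_fn(seconds)
    elapsed = clock() - start
    return elapsed < seconds * tolerance


def consistent_clocks(seconds=0.2, slack=0.05, sleep_fn=time.sleep):
    """Cross-check two clocks around one sleep; a hook that advances only one of them shows up here."""
    m0, p0 = time.monotonic(), time.perf_counter()
    sleep_fn(seconds)
    dm, dp = time.monotonic() - m0, time.perf_counter() - p0
    return abs(dm - dp) < slack


def fake_sandbox_sleep(seconds):
    """Constructed stand-in for a hooked Sleep() that skips the wait entirely (assumption)."""
    return None


def should_keep_running(sleep_fn=time.sleep):
    """The decision the report attributes to PixyNetLoader: stop if the environment looks instrumented."""
    if sleep_is_accelerated(0.2, sleep_fn=sleep_fn):
        return False
    return consistent_clocks(0.2, sleep_fn=sleep_fn)


if __name__ == "__main__":
    print("real sleep   -> keep running:", should_keep_running())
    print("hooked sleep -> keep running:", should_keep_running(fake_sandbox_sleep))
```

For the defender the lesson is the mirror image: a sandbox that shortens sleeps must advance every time source the sample can reach by the same amount, otherwise the sample exits cleanly and the analysis run shows nothing.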
The end goal of the PixyNetLoader chain is to deploy a Covenant Grunt implant, which gives the operators full remote control of the victim's machine. The implant communicates through Filen, a legitimate cloud storage service, so command-and-control traffic and stolen data blend in with ordinary internet traffic to a trusted domain.
Researchers attribute the campaign to APT28 with high confidence because the attack patterns and targeting closely match the group's history. The tooling is similar to versions the group has used before, and both the hiding of code in images and the use of a legitimate cloud file-hosting service to move stolen data are reminiscent of its past operations.
To protect yourself, install the latest Microsoft security updates immediately (the fix for CVE-2026-21509 was issued out of band, and exploitation continued after its release) and treat unexpected email attachments with suspicion, especially RTF and other Office documents, even when they are written in your own language.
