Russian Hackers Exploit Microsoft Office Flaw to Target Global Organizations

Researchers announced on Wednesday that Russian state hackers swiftly took advantage of a critical Microsoft Office vulnerability to infiltrate devices within diplomatic, maritime, and transport organizations across more than half a dozen countries.

The hacker group, known by names such as APT28, Fancy Bear, Sednit, Forest Blizzard, and Sofacy, exploited the vulnerability identified as CVE-2026-21509 less than 48 hours after Microsoft issued an urgent security update last month. After reverse-engineering the patch, the group developed an advanced exploit to deploy two previously unseen backdoor implants.

Stealth, Speed, and Precision

The operation was meticulously crafted to evade detection by endpoint protection systems. The exploits and payloads were encrypted and executed in memory, making them hard to detect. Initial infections stemmed from previously compromised government accounts that were recognizable to targeted email recipients. Furthermore, command and control channels operated via legitimate cloud services typically allowed within sensitive networks.

According to researchers at Trellix, the incident highlights how swiftly state-aligned actors can weaponize new vulnerabilities, reducing the time defenders have to patch critical systems. They noted, "The campaign’s modular infection chain—from initial phish to in-memory backdoor to secondary implants was carefully designed to leverage trusted channels (HTTPS to cloud services, legitimate email flows) and fileless techniques to hide in plain sight."

Commencing on January 28, the 72-hour spear phishing campaign distributed at least 29 distinct email lures targeting organizations in nine countries, mainly in Eastern Europe. Trellix identified eight specific countries: Poland, Slovenia, Turkey, Greece, the UAE, Ukraine, Romania, and Bolivia. The affected organizations included defense ministries (40%), transportation/logistics operators (35%), and diplomatic entities (25%).
