Russian hackers are targeting a new Office 365 zero-day, so patch now or face attack
Ukraine's defenders have spotted a new hacking attack
- Russian APT28 (Fancy Bear) exploited CVE-2026-21509 in Microsoft Office days after patch release
- Malicious DOC files sent to Ukrainian government agencies via themed phishing lures
- CISA added the flaw to its KEV catalog, urging immediate patching
Russian hackers have attacked Ukrainian government agencies using a high-severity Microsoft Office vulnerability mere days after a patch was released.
On January 26, 2026, Microsoft pushed an emergency fix for CVE-2026-21509, a "reliance on untrusted inputs in a security decision" vulnerability that allows unauthorized attackers to bypass Microsoft Office security features locally. The bug was given a severity score of 7.6/10 (high) and was said to have already been abused in the wild as a zero-day.
Just three days later, Ukraine’s Computer Emergency Response Team (CERT-UA) said it saw cybercriminals sending malicious DOC files that exploited the flaw to dozens of government-related addresses. Some were themed around the EU COREPER consultations, while others spoofed the country’s Hydrometeorological Center.
How to defend against APT28
CERT-UA says that the attack is the work of APT28, a Russian state-sponsored threat actor also known as Fancy Bear or Sofacy. The group is linked with the country’s General Staff Main Intelligence Directorate (GRU).
The researchers based their findings on the analysis of the malware loader used in these attacks. Apparently, it is the same one that was used in a June 2025 attack, in which Signal chats were used to deliver BeardShell and SlimAgent malware to Ukrainian government employees. This attack was confirmed to have been conducted by APT28.
To defend against the attacks, CERT-UA advised government entities (and everyone else, basically) to apply the latest patches and update their Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. Office 2021 users were also reminded to restart their applications after updating, to make sure the patches are applied.
The US Cybersecurity and Infrastructure Security Agency (CISA) already added CVE-2026-21509 to its catalog of known exploited vulnerabilities (KEV).
Those who cannot install the patches should make changes in the Windows Registry as a mitigation. Microsoft has provided a step-by-step guide.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.