Operation Neusploit: APT28 Opens Office Documents, Steals Intelligence
- Javier Conejo del Cerro
- Feb 3
- 3 min read

What looks like a routine Office document becomes the key that unlocks an espionage operation. In early 2026, Russia-linked APT28 launched Operation Neusploit, exploiting a newly disclosed Microsoft Office vulnerability to silently breach users across Eastern Europe. The campaign blends fresh zero-day exploitation with well-established tradecraft—email theft, covert loaders, steganography, and C2 frameworks—demonstrating how fast state-aligned actors can operationalize newly revealed flaws.
Phase 1 – Weaponized Documents and Targeted Delivery
The intrusion chain begins with malicious RTF and Word documents crafted to exploit CVE-2026-21509, a security feature bypass in Microsoft Office disclosed only days earlier. These files are delivered through carefully localized social-engineering lures written in Ukrainian, Romanian, Slovak, and English, targeting users in Ukraine, Slovakia, and Romania.
To reduce exposure and detection, APT28 implemented server-side evasion. The malicious payload was served only when requests originated from specific geographic regions and included the expected User-Agent headers. Non-matching requests received benign content, sharply limiting forensic visibility.
Phase 2 – Initial Exploitation and Dropper Selection
Once the vulnerable document is opened, the exploit triggers one of two parallel dropper paths, depending on the campaign branch:
- A lightweight dropper that deploys MiniDoor
- A more complex loader known as PixyNetLoader
This branching approach allows the actor to balance fast intelligence collection with deeper, long-term access, depending on the victim profile.
Phase 3 – MiniDoor: Silent Outlook Surveillance
In the first path, the exploit drops MiniDoor, a C++-based Outlook email stealer. MiniDoor harvests emails from multiple folders—Inbox, Junk, and Drafts—and forwards them directly to attacker-controlled email addresses.
The malware is assessed to be a stripped-down evolution of NotDoor (GONEPOSTAL), previously documented in 2025. Its purpose is clear: rapid intelligence collection with minimal footprint, ideal for diplomatic, governmental, and policy-related targets.
Phase 4 – PixyNetLoader: Steganography and Persistence
The second and more advanced path deploys PixyNetLoader, which initiates a multi-stage infection designed for persistence and flexibility.
PixyNetLoader:
- Establishes persistence via COM object hijacking
- Extracts an embedded shellcode loader DLL
- Loads a seemingly benign PNG image that secretly contains steganographically embedded shellcode
The loader executes only if:
- The host is not an analysis or sandbox environment
- The launching process is explorer.exe
These checks significantly reduce accidental detonation and analyst visibility.
Phase 5 – Covenant Grunt Deployment
Once conditions are met, the hidden shellcode decrypts and loads a .NET Covenant Grunt implant. This provides APT28 with a fully featured post-exploitation platform capable of remote command execution, tasking, and lateral movement.
This phase closely mirrors Operation Phantom Net Voxel, previously attributed to APT28, with one key evolution: VBA macros have been replaced by DLL-based execution, reflecting adaptation to increased macro-blocking defenses.
Phase 6 – Parallel Campaigns and Scale
CERT-UA independently confirmed exploitation of the same vulnerability in attacks against more than 60 Ukrainian government email accounts, where Word documents triggered WebDAV-based payload retrieval followed by the same PixyNetLoader and Covenant Grunt chain.
This confirms that Operation Neusploit was not a limited test but an active, scalable espionage campaign conducted within days of vulnerability disclosure.
What Data Is Compromised
Across the different infection paths, attackers gain access to:
- Outlook email content (Inbox, Drafts, Junk)
- Active Office user context
- System metadata and host identifiers
- Persistent remote access via Covenant Grunt
- Potential lateral movement and follow-on espionage tooling
The objective is intelligence collection, not immediate disruption.
Measures to Defend Against This Campaign
- Patch Microsoft Office immediately against CVE-2026-21509
- Disable or restrict RTF and legacy document handling
- Monitor COM object hijacking and abnormal registry changes
- Detect WebDAV-based payload retrieval from Office processes
- Inspect image files for steganographic payload execution
- Block outbound connections linked to Covenant-style C2 traffic
- Apply least privilege and restrict Office-spawned child processes
- Enhance email security with geo-aware and behavior-based detection
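As an added example (not from the article), three of the measures above expressed as detection logic over constructed Sysmon-style records: Office-spawned child processes, user-hive CLSID InprocServer32 writes (the COM hijacking persistence described in Phase 4), and Office processes connecting over plain HTTP, which is where WebDAV document retrieval typically shows up. The process paths, SID, CLSID and IP address are placeholders, and the port-80 and child-process allowlist rules are heuristics to tune for your environment.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children Office launches on its own in normal use; tune this allowlist to your estate.
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}
COM_SUFFIX = "\\inprocserver32\\(default)"

def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def evaluate(rec: dict) -> list[str]:
    """Apply three heuristics to one Sysmon-style record and return the alerts it triggers."""
    hits, eid = [], rec.get("EventID")
    image, parent = base(rec.get("Image", "")), base(rec.get("ParentImage", ""))
    # Sysmon 1 (ProcessCreate): Office should rarely spawn anything outside the allowlist.
    if eid == 1 and parent in OFFICE and image not in EXPECTED_CHILDREN:
        hits.append(f"Office child process: {parent} -> {image}")
    # Sysmon 13 (RegistryEvent): a CLSID InprocServer32 default value written in a user hive
    # (HKU\<SID>\Software\Classes\CLSID) shadows the machine-wide registration: COM hijacking.
    if eid == 13:
        key = rec.get("TargetObject", "").lower()
        if key.startswith("hku\\") and "\\software\\classes\\clsid\\" in key and key.endswith(COM_SUFFIX):
            hits.append(f"user-hive COM InprocServer32 set by {image}: {rec.get('Details', '')}")
    # Sysmon 3 (NetworkConnect): WebDAV document fetches usually ride plain HTTP on port 80.
    if eid == 3 and image in OFFICE and rec.get("DestinationPort") == 80:
        hits.append(f"Office HTTP connection (possible WebDAV fetch): {image} -> {rec.get('DestinationIp')}")
    return hits

def scan(records: list[dict]) -> list[str]:
    return [hit for rec in records for hit in evaluate(rec)]

WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
# Constructed records; SID, CLSID and IP are placeholders, not values from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": WORD},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Classes\\CLSID\\"
                     "{00000000-0000-0000-0000-000000000000}\\InprocServer32\\(Default)",
     "Details": "C:\\Users\\Public\\loader.dll"},
    {"EventID": 3, "Image": WORD, "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 1, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": WORD},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}"
                     "\\InprocServer32\\(Default)", "Details": "C:\\Program Files\\App\\app.dll"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts: the first three records fire, while the legitimate print helper and the machine-hive registration by an installer stay silent.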
Operation Neusploit underscores how modern espionage campaigns blend speed and discipline. APT28 exploited a freshly disclosed Office vulnerability within days, layered it with precise targeting, stealthy loaders, and proven C2 frameworks, and achieved both rapid intelligence theft and long-term access.
The campaign highlights a critical reality: patch latency is now measured in hours, not weeks, and state-aligned actors no longer rely on novelty alone. Instead, they refine trusted techniques—COM hijacking, steganography, selective delivery—to quietly turn everyday documents into intelligence collection platforms.
In 2026, opening the wrong file is still all it takes.
The Hacker News