The PolySwarm Blog


Fancy Bear Leveraging CVE-2026-21509 in Operation Neusploit

Feb 9, 2026 12:29:14 PM / by The Hivemind

Verticals Targeted: Not specified
Regions Targeted: Central and Eastern Europe
Related Families: MiniDoor, Covenant Grunt, PixyNetLoader

Executive Summary

Operation Neusploit is a campaign attributed with high confidence to the Russia-linked Fancy Bear group, which exploits the zero-day vulnerability CVE-2026-21509 in Microsoft RTF files to deploy backdoors and email stealers targeting users in Central and Eastern Europe. The multi-stage infection chain delivers MiniDoor for email exfiltration from Outlook and PixyNetLoader leading to a Covenant Grunt implant for C2.

Key Takeaways

  • Fancy Bear weaponized CVE-2026-21509 in RTF documents with social engineering lures in English, Romanian, Slovak, and Ukrainian to target users in Ukraine, Slovakia, and Romania.
  • Two attack chain variants deploy either MiniDoor or PixyNetLoader; PixyNetLoader establishes persistence via COM hijacking and uses PNG steganography and shellcode loading to execute a Covenant Grunt implant.
  • Server-side evasion restricts malicious DLL delivery to requests from targeted regions with specific User-Agent headers.
  • Microsoft issued an out-of-band patch for CVE-2026-21509 on January 26, 2026, with in-the-wild exploitation observed shortly after on January 29, 2026.

Exploitation of CVE-2026-21509

Researchers at Zscaler ThreatLabz uncovered a new campaign, designated Operation Neusploit, conducted by the Russia-linked advanced persistent threat group Fancy Bear. This activity leverages a specially crafted Microsoft RTF file to exploit CVE-2026-21509, a vulnerability in RTF parsing that enables arbitrary code execution. Following exploitation, the chain downloads a malicious dropper DLL from an actor-controlled server. Microsoft addressed the vulnerability with an out-of-band update released on January 26, 2026, and active exploitation was detected in the wild by January 29, 2026.

The campaign employs geo-targeted evasion, delivering the malicious payload only when requests originate from the intended regions and match specific User-Agent strings. Social engineering lures appear in English as well as localized languages including Romanian, Slovak, and Ukrainian, aligning with the victimology focused on Central and Eastern European countries, notably Ukraine, Slovakia, and Romania.

ThreatLabz identified two distinct variants of the dropper DLL, each leading to different post-exploitation capabilities. In the first variant, the dropper deploys MiniDoor, a lightweight 64-bit DLL written in C++. This component extracts an encrypted Outlook VBA project using rolling XOR decryption and writes it to %appdata%\Microsoft\Outlook\VbaProject.OTM. It modifies registry keys to downgrade Outlook macro security, enable automatic loading, and suppress warnings, allowing the VBA macro to execute on Outlook startup. MiniDoor monitors Outlook events such as MAPILogonComplete and NewMailEx, iterates over folders including Inbox, RSS Feeds, Junk, and Drafts, saves emails locally, attaches them to new messages, and forwards them to actor-controlled addresses, without retaining copies in the Sent folder. It tracks forwarded messages to avoid duplication.

The second variant introduces PixyNetLoader, a previously undocumented dropper DLL that uses a similar string decryption scheme. It checks for the presence of a previously dropped DLL carrying a legitimate-looking name and, if it is absent, decrypts and drops multiple payloads using a long rolling XOR key: a PNG file with shellcode hidden by steganography, a malicious EhStoreShell.dll, and an XML file used to create a scheduled task. Persistence is achieved through COM object hijacking: the malicious DLL is registered under a legitimate CLSID and proxies calls to the real EhStorShell.dll, preserving normal functionality while the malicious code runs inside explorer.exe. A scheduled task briefly restarts explorer.exe to trigger the load.

The malicious EhStoreShell.dll, loaded in explorer.exe, performs anti-analysis checks including Sleep() timing to detect sandbox environments. It extracts shellcode from the PNG using LSB steganography, allocates executable memory, and transfers control. The shellcode employs CLR hosting to load and execute an embedded .NET assembly in-memory: a Covenant Grunt implant from the open-source Covenant C2 framework. This implant abuses the Filen API for C2 communications, with strings XOR-encoded and Base64-wrapped, including domains, bearer tokens, and folder UUIDs.
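As an added example (not code from this post or from Zscaler's report), the following Python shows the PNG LSB-extraction step an analyst reproduces when pulling a hidden payload out of a dropped image. The page gives no details of the scheme, so the bit order, the use of every colour byte and the 32-bit length prefix are assumptions, and the carrier image and payload are constructed for the demo.

```python
# Added example, not code from the PolySwarm post or the Zscaler report. Assumed layout
# (the page gives none): 8-bit RGB, PNG filter 0, one payload bit in the LSB of every
# colour byte (MSB first), 32-bit big-endian length prefix. Real samples may differ.
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
def _chunk(ctype: bytes, data: bytes) -> bytes:  # length + type + data + CRC-32(type+data)
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
def make_png(rgb: bytes, width: int, height: int) -> bytes:  # minimal RGB8 writer, filter 0
    stride = width * 3
    rows = b"".join(b"\x00" + rgb[r * stride:(r + 1) * stride] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")

def png_rgb_samples(png: bytes) -> bytes:  # walk chunks, inflate IDAT, strip filter bytes
    assert png.startswith(PNG_SIG), "not a PNG"
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("example handles 8-bit RGB only")
        elif ctype == b"IDAT":
            idat += data
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    raw, stride = zlib.decompress(idat), 1 + width * 3
    rows = [raw[r * stride:(r + 1) * stride] for r in range(height)]
    if any(row[0] != 0 for row in rows):
        raise ValueError("example handles PNG filter type 0 only")
    return b"".join(row[1:] for row in rows)

def _bits_to_bytes(bits) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def extract_lsb_payload(png: bytes) -> bytes:
    """Analyst side: read the 32-bit length from the first LSBs, then that many bytes."""
    bits = [b & 1 for b in png_rgb_samples(png)]
    (length,) = struct.unpack(">I", _bits_to_bytes(bits[:32]))
    if length * 8 > len(bits) - 32:  # wrong scheme or no payload: refuse rather than guess
        raise ValueError("length prefix exceeds carrier capacity")
    return _bits_to_bytes(bits[32:32 + length * 8])

def make_sample_png(payload: bytes, width: int = 16, height: int = 16) -> bytes:
    """Constructed test carrier: flat gray pixels whose LSBs hold length + payload."""
    framed = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    bits += [0] * (width * height * 3 - len(bits))  # pad; assumes the payload fits
    return make_png(bytes(0x80 | b for b in bits), width, height)  # 0x80/0x81: same gray
```

The capacity check is the part that matters against a real sample: if the recovered length does not fit the image, the loader uses a different scheme and its own extraction routine should be read before trusting any output.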

Attribution to Fancy Bear rests on strong overlaps, including victimology matching prior European targeting, MiniDoor as a simplified variant of the Fancy Bear-linked NotDoor, Filen API abuse in Covenant Grunt consistent with previous Fancy Bear operations, and shared techniques such as COM hijacking, DLL proxying, XOR encryption, and PNG steganography observed in related campaigns.

Who is Fancy Bear?

Fancy Bear, also known as APT28, Sofacy, and Sednit, is a highly sophisticated Russian state-sponsored cyber espionage group attributed to Russia's GRU military intelligence agency, specifically Unit 26165. Active since at least 2007, the group specializes in long-term espionage operations, primarily using spear-phishing campaigns, credential harvesting through spoofed websites, and the deployment of custom malware implants to steal sensitive data from targets that align with Russian geopolitical interests.

The group primarily targets Windows systems but has also demonstrated capabilities against Linux/Unix, macOS, iOS, Android, and even network devices such as Cisco routers. Their targeting spans globally but focuses heavily on the United States, Ukraine, NATO member countries, and other European nations such as Germany, France, Poland, and the UK, as well as Georgia, with additional activity observed in Eastern Europe, Western Europe, select Asia-Pacific, and Middle Eastern nations.

The sectors and verticals they target include government and diplomatic institutions, defense and military organizations, aerospace, energy and critical infrastructure, media and journalism, political organizations, NGOs, think tanks, technology and research institutions, dissidents, and logistics/IT companies. Malware families known to be associated with Fancy Bear include X-Agent, Sofacy/SOURFACE, Sednit, Zebrocy, XTunnel, CHOPSTICK, CORESHELL, JHUHUGIT, ADVSTORESHELL, Foozer, WinIDS, DownRange, LoJax, GooseEgg, HeadLace, BeardShell, SlimAgent, and others such as Seduploader and OLDBAIT. CVEs exploited by the group include CVE-2017-6742, various historical zero-days in Microsoft Windows and Adobe Flash, as well as rapid exploitation of Microsoft Office vulnerabilities.

IOCs

PolySwarm has multiple samples associated with Operation Neusploit.


Files Exploiting CVE-2026-21509

PixyNetLoader

0bb0d54033767f081cae775e3cf9ede7ae6bea75f35fbfb748ccba9325e28e5e


CovenantGrunt

3f446d316efe2514efd70c975d0c87e12357db9fca54a25834d60b28192c6a69



Topics: Threat Bulletin, Fancy Bear, MiniDoor, CVE-2026-21509, PixyNetLoader, Covenant Grunt, Operation Neusploit, email stealer
