Russia is hacking zero-days again


Russian hacking group APT28 was observed exploiting a zero-day vulnerability in Microsoft Office (CVE-2026-21509) just one day after its disclosure, targeting Ukrainian government officials via malicious Word documents. The exploit leverages OLE object linking and embedding to trigger a WebDAV connection that downloads a shortcut file, executes shellcode hidden in a PNG file, performs COM hijacking, establishes persistence via scheduled tasks, and deploys Covenant C2 infrastructure using filen.io for command and control. A hands-on walkthrough demonstrates analyzing the malicious RTF file with REMnux, grep, xxd, strings, and a Python OLE scanning script to identify the WebDAV reference and the matching CLSID. Mitigation involves patching to Office 2021 or later, or applying registry key blocks for the relevant COM class IDs.
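The triage step the summary describes (pulling the hex `\objdata` blob out of an RTF, decoding it, and looking for a WebDAV reference and a CLSID) can be scripted for a defender's sandbox. The following is an added example written for this page, not the walkthrough's own script and not tied to the real sample: it parses the RTF control words and the OLE 1.0 object header (layout as documented in MS-OLEDS), extracts ASCII and UTF-16LE strings from the decoded object, and flags the document when an auto-updating object (`\objupdate`) carries a WebDAV-style UNC or URL. The sample RTF, the host `example.invalid` and the GUID `11111111-2222-3333-4444-555555555555` are constructed placeholders; objects are paired with `\objclass` names by order of appearance, which is an assumption that holds for simple documents.

```python
"""Triage scanner for RTF files carrying OLE objects (added example, not the video's script)."""
import re
import struct

# RTF control words of interest: the class name and the hex-encoded object payload.
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")
# GUID/CLSID in text form, with or without braces.
GUID_RE = re.compile(r"\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?")
# WebDAV-style UNC paths (\\host@80\share, \\host@SSL\share) and plain http(s) URLs.
WEBDAV_RE = re.compile(
    r"(\\\\[A-Za-z0-9.\-]+@(?:SSL|\d{1,5})(?:\\[^\s\\]*)*|https?://[^\s\"'<>]+)", re.IGNORECASE
)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable ASCII and UTF-16LE runs, the way `strings` would show them."""
    found = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(m.group().decode("utf-16-le"))
    return found


def parse_ole1_header(blob: bytes):
    """Parse the OLE 1.0 ObjectHeader: OLEVersion, FormatID, then three
    length-prefixed ANSI strings (ClassName, TopicName, ItemName).
    FormatID 1 = linked object, 2 = embedded object."""
    if len(blob) < 8:
        return None
    version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    names = []
    for _ in range(3):
        if off + 4 > len(blob):
            return None
        n = struct.unpack_from("<I", blob, off)[0]
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1", "replace"))
        off += n
    return {"ole_version": version, "format_id": format_id, "class_name": names[0],
            "topic_name": names[1], "item_name": names[2], "payload_offset": off}


def scan_rtf(rtf: bytes) -> dict:
    """Decode every \\objdata blob and report WebDAV references and GUIDs found inside."""
    classes = [m.group(1).strip().decode("latin-1") for m in OBJCLASS_RE.finditer(rtf)]
    objects = []
    for i, m in enumerate(OBJDATA_RE.finditer(rtf)):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            blob = b""  # malformed hex: still record the object so it is not silently skipped
        strings = extract_strings(blob)
        objects.append({
            "objclass": classes[i] if i < len(classes) else None,
            "header": parse_ole1_header(blob),
            "webdav_refs": sorted({u for s in strings for u in WEBDAV_RE.findall(s)}),
            "guids": sorted({g.strip("{}").upper() for s in strings for g in GUID_RE.findall(s)}),
        })
    auto_update = b"\\objupdate" in rtf  # object is refreshed when the document opens
    suspicious = auto_update and any(o["webdav_refs"] for o in objects)
    return {"objects": objects, "objupdate": auto_update, "suspicious": suspicious}


def build_sample_rtf() -> bytes:
    """Constructed, non-functional sample: a linked object whose payload carries a
    WebDAV UNC and a placeholder CLSID. Host and GUID are made up for this example."""
    def lp(s: str) -> bytes:  # LengthPrefixedAnsiString: 4-byte length + NUL-terminated text
        b = s.encode() + b"\x00"
        return struct.pack("<I", len(b)) + b
    header = struct.pack("<II", 0x0501, 1) + lp("Package") + lp("") + lp("")  # 0x0501: typical OLEVersion
    payload = ("\\\\example.invalid@80\\share\\stage.lnk".encode("utf-16-le") + b"\x00\x00"
               + b"{11111111-2222-3333-4444-555555555555}")
    objdata = (header + payload).hex().encode("ascii")
    return (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + objdata + b"}}}")


if __name__ == "__main__":
    import json
    print(json.dumps(scan_rtf(build_sample_rtf()), indent=2))
```

Run it against a real sample with `scan_rtf(open(path, "rb").read())`; a `\objupdate` object whose payload resolves to a `\\host@80\...` path is the combination worth escalating, and the GUID list is what you compare against the COM class IDs named in the mitigation guidance.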

16m watch time