https://jh.live/flare-021926 || Manage threat intelligence and your exposed attack surface with Flare! Try a free trial and see what info is out there: https://jh.live/flare-021926

https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
https://www.bleepingcomputer.com/news/security/russian-hackers-exploit-recently-patched-microsoft-office-bug-in-attacks/
https://cert.gov.ua/article/6287250
https://flare.io/learn/resources/blog/from-patch-to-exploit-flares-intelligence-on-cybercrime-after-january-2026-patch-tuesday
https://www.virustotal.com/gui/file/c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f/detection
https://gist.github.com/decalage2/26b6bfcd55c04b98c8474f2b21203e20

Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter

ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense

John Hammond

Russian hacking group APT28 was observed exploiting a zero-day vulnerability in Microsoft Office (CVE-2026-21509) just one day after its disclosure, targeting Ukrainian government officials via malicious Word documents. The exploit leverages OLE object linking and embedding to trigger a WebDAV connection that downloads a shortcut file, executes shellcode hidden in a PNG file, performs COM hijacking, establishes persistence via scheduled tasks, and deploys Covenant C2 infrastructure using filen.io for command and control. A hands-on walkthrough demonstrates analyzing the malicious RTF file using REMnux, grep, xxd, strings, and a Python OLE scanning script to identify the WebDAV reference and matching CLS ID. Mitigation involves patching to Office 2021 or later, or applying registry key blocks for the relevant COM class IDs.

Russia is hacking zero-days again