Russian hackers exploited an Office vulnerability within 48 hours.
Russian-linked attackers exploited a critical Office vulnerability almost immediately after an emergency patch from Microsoft to compromise organizations in multiple countries.
Rapid exploitation after emergency update
Researchers at security company Trellix report that the threat group APT28, also known as Fancy Bear or Sofacy, exploited vulnerability CVE-2026-21509 less than 48 hours after Microsoft’s unscheduled update was released. By reverse-engineering the patch, the attackers quickly developed an advanced exploit, which they used to install new, previously unknown backdoors.
Targeted and invisible attacks
The campaign ran for 72 hours and targeted diplomatic services, defense organizations, and transportation and logistics companies in countries including Poland, Greece, Ukraine, and the United Arab Emirates. The attacks were designed to avoid detection: the malware ran exclusively in memory, used encrypted components, and abused legitimate cloud services as command-and-control channels.
New backdoors
The researchers identified two backdoors: BeardShell and NotDoor. BeardShell allowed full system reconnaissance and lateral movement within networks, while NotDoor monitored Outlook mailboxes and secretly forwarded messages via cloud storage accounts. According to Trellix, the methods used (rapid exploit development, modular malware, and abuse of trusted infrastructure) are an exact match for APT28.
