
Microsoft Office Vulnerability Exploited by Russian Hackers

Ars Technica - All content

Following Microsoft's urgent Office patch release, Russian state-sponsored hackers swiftly exploited a critical vulnerability (CVE-2026-21509). Within 48 hours, groups such as APT28 (also known as Fancy Bear) weaponized the flaw, targeting diplomatic, maritime, and transport organizations across multiple countries with sophisticated malware.

The attackers used these exploits to install two novel backdoors, BeardShell and NotDoor. Both were designed to operate primarily in memory, which makes them harder to detect. The campaign involved spear-phishing, compromising government accounts, and abusing legitimate cloud services for command and control. Eastern Europe was heavily targeted, including Poland, Ukraine, and Romania.

The infection chain installed backdoors that gave the attackers full system reconnaissance and persistence. NotDoor, a VBA macro, monitored email folders, bundled messages, and sent them to attacker-controlled accounts. Trellix attributed the campaign to APT28 with high confidence, citing technical indicators and the set of targeted organizations. The group is known for cyber espionage.

This incident shows how quickly state-aligned actors can exploit newly disclosed vulnerabilities. Organizations should update their systems immediately and review the published indicators of compromise. The use of advanced techniques, such as multi-stage malware and cloud service abuse, reflects a well-resourced adversary. Stay vigilant, and keep systems patched on a regular basis.