APT28 Leverages CVE-2026-21509 in Operation Neusploit

    Date: 02/03/2026

    Severity: High

    Summary

    In January 2026, Zscaler ThreatLabz uncovered an in-the-wild campaign, dubbed Operation Neusploit, targeting Central and Eastern Europe. The attackers used malicious RTF files to exploit CVE-2026-21509 and deploy backdoors through a multi-stage infection chain. Strong overlaps in tools, techniques, and procedures link this activity to the Russia-associated APT group APT28 with high confidence. Microsoft issued an out-of-band patch for CVE-2026-21509 on January 26, 2026; active exploitation was observed on January 29, 2026. ThreatLabz is working closely with Microsoft while continuing to monitor the campaign. This post details the RTF exploit, payload staging, execution flow, and the MiniDoor, PixyNetLoader, and Covenant Grunt tools together with their C2 activity.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    freefoodaid.com

    wellnesscaremed.com

    https://freefoodaid.com/documents/2_2.d

    https://freefoodaid.com/tables/tables.d

    https://freefoodaid.com/documents/2_2.lNk

    Hashes (listed in groups of MD5, SHA-1, SHA-256; lowercase hex):

    95e59536455a089ced64f5af2539a449
    4592e6173a643699dc526778aa0a30330d16fe08
    b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546

    2f7b4dca1c79e525aef8da537294a6c4
    c4799d17a4343bd353e0edb0a4de248b99295d4d
    1ed863a32372160b3a25549aad25d48d5352d9b4f58d4339408c4eea69807f50

    4727582023cd8071a6f388ea3ba2feaa
    d788d85335e20bb1f173d4d0494629d36083dddc
    5a17cfaea0cc3a82242fdd11b53140c0b56256d769b07c33757d61e0a0a6ec02

    d47261e52335b516a777da368208ee91
    c8c84bf33c05fb3a69bc5e2d6377b73649b93dce
    fd3f13db41cd5b442fa26ba8bc0e9703ed243b3516374e3ef89be71cbf07436b

    7c396677848776f9824ebe408bbba943
    d577c4a264fee27084ddf717441eb89f714972a5
    c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f

    f3b869a8d5ad243e35963ba6d7f89855
    c1b272067491258ea4a2b1d2789d82d157aaf90a
    a944a09783023a2c6c62d3601cbd5392a03d808a6a51728e07a3270861c2a8ee

    f05d0b13c633ad889334781cf4091d3e
    7bbb530eb77c6416f02813cd2764e49bd084465c
    bb23545380fde9f48ad070f88fe0afd695da5fcae8c5274814858c5a681d8c4e

    859c4b85ed85e6cc4eadb1a037a61e16
    da1c3e92f69e6ca0e4f4823525905cb6969a44ad
    0bb0d54033767f081cae775e3cf9ede7ae6bea75f35fbfb748ccba9325e28e5e

    e4a5c4b205e1b80dc20d9a2fb4126d06
    e52a9f004f4359ea0f8f9c6eb91731ed78e5c4d3
    a876f648991711e44a8dcf888a271880c6c930e5138f284cd6ca6128eca56ba1

    154ff6774294e0e6a46581c8452a77de
    22da6a104149cad87d5ec5da4c3153bebf68c411
    2822c72a59b58c00fc088aa551cdeeb92ca10fd23e23745610ff207f53118db9

    ee0b44346db028a621d1dec99f429823
    cea7e9323d79054f92634f4032c26d30c1cedd7e
    9f4672c1374034ac4556264f0d4bf96ee242c0b5a9edaa4715b5e61fe8d55cc8

    ea6615942f2c23dba7810a6f7d69e2da
    23b6f9c00b9d5475212173ec3cbbcff34c4400a7
    3f446d316efe2514efd70c975d0c87e12357db9fca54a25834d60b28192c6a69

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "freefoodaid.com" or url like "freefoodaid.com" or siteurl like "freefoodaid.com"
    or domainname like "https://freefoodaid.com/documents/2_2.d" or url like "https://freefoodaid.com/documents/2_2.d" or siteurl like "https://freefoodaid.com/documents/2_2.d"
    or domainname like "https://freefoodaid.com/tables/tables.d" or url like "https://freefoodaid.com/tables/tables.d" or siteurl like "https://freefoodaid.com/tables/tables.d"
    or domainname like "wellnesscaremed.com" or url like "wellnesscaremed.com" or siteurl like "wellnesscaremed.com"
    or domainname like "https://freefoodaid.com/documents/2_2.lNk" or url like "https://freefoodaid.com/documents/2_2.lNk" or siteurl like "https://freefoodaid.com/documents/2_2.lNk"

    Detection Query 2 :

    md5hash IN ("95e59536455a089ced64f5af2539a449","859c4b85ed85e6cc4eadb1a037a61e16","2f7b4dca1c79e525aef8da537294a6c4","4727582023cd8071a6f388ea3ba2feaa","d47261e52335b516a777da368208ee91","7c396677848776f9824ebe408bbba943","e4a5c4b205e1b80dc20d9a2fb4126d06","ea6615942f2c23dba7810a6f7d69e2da","f3b869a8d5ad243e35963ba6d7f89855","f05d0b13c633ad889334781cf4091d3e","154ff6774294e0e6a46581c8452a77de","ee0b44346db028a621d1dec99f429823")

    Detection Query 3 :

    sha1hash IN ("c8c84bf33c05fb3a69bc5e2d6377b73649b93dce","e52a9f004f4359ea0f8f9c6eb91731ed78e5c4d3","d788d85335e20bb1f173d4d0494629d36083dddc","23b6f9c00b9d5475212173ec3cbbcff34c4400a7","da1c3e92f69e6ca0e4f4823525905cb6969a44ad","d577c4a264fee27084ddf717441eb89f714972a5","4592e6173a643699dc526778aa0a30330d16fe08","c4799d17a4343bd353e0edb0a4de248b99295d4d","c1b272067491258ea4a2b1d2789d82d157aaf90a","7bbb530eb77c6416f02813cd2764e49bd084465c","22da6a104149cad87d5ec5da4c3153bebf68c411","cea7e9323d79054f92634f4032c26d30c1cedd7e")

    Detection Query 4 :

    sha256hash IN ("a876f648991711e44a8dcf888a271880c6c930e5138f284cd6ca6128eca56ba1","3f446d316efe2514efd70c975d0c87e12357db9fca54a25834d60b28192c6a69","1ed863a32372160b3a25549aad25d48d5352d9b4f58d4339408c4eea69807f50","b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546","fd3f13db41cd5b442fa26ba8bc0e9703ed243b3516374e3ef89be71cbf07436b","5a17cfaea0cc3a82242fdd11b53140c0b56256d769b07c33757d61e0a0a6ec02","0bb0d54033767f081cae775e3cf9ede7ae6bea75f35fbfb748ccba9325e28e5e","c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f","a944a09783023a2c6c62d3601cbd5392a03d808a6a51728e07a3270861c2a8ee","bb23545380fde9f48ad070f88fe0afd695da5fcae8c5274814858c5a681d8c4e","2822c72a59b58c00fc088aa551cdeeb92ca10fd23e23745610ff207f53118db9","9f4672c1374034ac4556264f0d4bf96ee242c0b5a9edaa4715b5e61fe8d55cc8")

    Reference:

    https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit#introduction


    Tags

    Malware, Vulnerability, APT, APT28, CVE-2026, Europe, Russia, Exploit, Backdoor
