APT28’s Stealthy Multi-Stage Campaign Leveraging CVE-2026-21509 and Cloud C2 Infrastructure

    Date: 02/05/2026

    Severity: High

    Summary

    APT28, a Russian state-sponsored threat group also known as Fancy Bear or UAC-0001, is conducting a sophisticated espionage campaign against European military and government entities. The operation primarily targets maritime and transportation organizations in Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. The attackers rapidly exploited a newly disclosed Microsoft Office 1-day vulnerability (CVE-2026-21509) within 24 hours of its release. Spear-phishing documents were used to compromise Ukrainian government agencies and EU institutions. The campaign employs a multi-stage infection chain with new payloads, including a lightweight loader and the NotDoor Outlook VBA backdoor. It also deploys a custom C++ implant, “BeardShell,” and abuses filen.io for command-and-control to blend in with legitimate traffic.

    Indicators of Compromise (IOC) List

    Domains\URLs:

    wellnesscaremed.com

    wellnessmedcare.org

    freefoodaid.com

    longsauce.com

    http://wellnessmedcare.org/cz/Downloads/blank.doc

    https://wellnessmedcare.org/cz/Downloads/document.LnK?init=1

    http://wellnesscaremed.com/buch/Downloads/blank.doc

    https://wellnesscaremed.com/buch/Downloads/document.doc.LnK?init=1

    https://freefoodaid.com/documents/1_1.LnK?init=1

    http://freefoodaid.com/documents/2_1.lNk?init=1

    https://freefoodaid.com/tables//template_tables.doc

    https://freefoodaid.com/tables/tables.lNk?init=1

    http://wellnesscaremed.com/ankara/Favorites/blank.doc

    https://wellnesscaremed.com/ankara/Favorites/document.doc.LnK?init=1

    https://longsauce.com/DAv/DEFault/data.LnK?init=1

    https://longsauce.com/DAv/DEFault/df.doc

    http://wellnesscaremed.com/venezia/Favorites/blank.doc

    https://wellnesscaremed.com/venezia/Favorites/document.doc.LnK?init=1

    http://wellnessmedcare.org/pol/Downloads/blank.doc

    https://wellnessmedcare.org/pol/Downloads/document.LnK?init=1

    http://wellnesscaremed.com/ljub/Downloads/blank.doc

    https://wellnesscaremed.com/ljub/Downloads/document.doc.LnK?init=1

    IP Address : 

    23.227.202.14

    193.187.148.169

    159.253.120.2

    72.62.185.31

    Hash :

    b6a86f44d0a3fa5a5ac979d691189f2d

    969d2776df0674a1cca0f74c2fccbc43802b4f2b62ecccecc26ed538e9565eae

    4727582023cd8071a6f388ea3ba2feaa

    5a17cfaea0cc3a82242fdd11b53140c0b56256d769b07c33757d61e0a0a6ec02

    1550ae7df233bb9a9c9e78bf8b23607

    e792adf4dff54faca5b9f5b32c1a2df3a6a955e722f1be8df2451c03ed940e41

    045d1e0686f8b4b49b2d9cf48ac821f8

    d213b5079462e737eb940ac46c59e386eb6ca7f8decc95a594b3d8f3b6940010

    2f7b4dca1c79e525aef8da537294a6c4

    1ed863a32372160b3a25549aad25d48d5352d9b4f58d4339408c4eea69807f50

    0df3fde016f3c0974d4aa01b06724a33

    968756e62052f9af80934b599994addbab29f8dc2615c47cda512bae48771019

    6408276cdfd12a1d5d3ed7256bfba639

    baad1153e58c86aa1dc9346cdd06be53b5dd2a6cf76202536d6721c934008f8e

    41c51784f6d601ffd0e09b7d59ff6025

    b7342b03d7642c894ebad639b9b53fd851d7958298f454283c18748051946585

    58f517bdc9ba8de1b69829b0dcf86113

    be859b4f4576ec09b69a2ef2d119939f7eb31de121aa01d38e1f0b2290f5a15e

    7c396677848776f9824ebe408bbba943

    c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f

    d47261e52335b516a777da368208ee91

    fd3f13db41cd5b442fa26ba8bc0e9703ed243b3516374e3ef89be71cbf07436b

    c306e0a3ec528368f0b0332104148266

    8b0ab7f7f48bf847c3af570da7dd3e26eda9e4c4ab38e5f97a7cd09b8ace943a9

    859c4b85ed85e6cc4eadb1a037a61e16

    0bb0d54033767f081cae775e3cf9ede7ae6bea75f35fbfb748ccba9325e28e5e

    e4a5c4b205e1b80dc20d9a2fb4126d06

    a876f648991711e44a8dcf888a271880c6c930e5138f284cd6ca6128eca56ba1

    337cecf067ecf0609b943b54fb246ed2

    7ccf7e8050c66eed69f35159042d8043032f8afe48ae1f51fce75ce2c51395f2

    Email Address : 

    chmilewskii@outlook.com

    chmilewskii@proton.me

    jannet.stillman@outlook.com

    fiscalizacionycontrol@cordoba.gov.ar

    nagipeterson@emailasso.net

    Filepath : 

    C:\ProgramData\USOPublic\Data\User\EhStoreShell.dll

    C:\ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png

    C:\Users\*\AppData\Local\Temp\Diagnostics\office.xml

    %APPDATA%\Microsoft\Outlook\VbaProject.OTM

    %TEMP%\temp_email.msg

    Registry Key : 

    HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32

    HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level = 1

    HKCU\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot = 1

    Process Name : 

    rundll32.exe tables(1).dll

    cmd.exe /c (taskkill /f /IM explorer.exe >nul 2>&1) & (start explorer >nul 2>&1)

    schtasks.exe /Create /tn "OneDriveHealth"

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    md5hash IN ("4727582023cd8071a6f388ea3ba2feaa","859c4b85ed85e6cc4eadb1a037a61e16","58f517bdc9ba8de1b69829b0dcf86113","d47261e52335b516a777da368208ee91","e4a5c4b205e1b80dc20d9a2fb4126d06","b6a86f44d0a3fa5a5ac979d691189f2d","2f7b4dca1c79e525aef8da537294a6c4","7c396677848776f9824ebe408bbba943","0df3fde016f3c0974d4aa01b06724a33","6408276cdfd12a1d5d3ed7256bfba639","41c51784f6d601ffd0e09b7d59ff6025","c306e0a3ec528368f0b0332104148266","337cecf067ecf0609b943b54fb246ed2","1550ae7df233bb9a9c9e78bf8b23607","045d1e0686f8b4b49b2d9cf48ac821f8")

    Detection Query 2 :

    sha256hash IN ("1ed863a32372160b3a25549aad25d48d5352d9b4f58d4339408c4eea69807f50","969d2776df0674a1cca0f74c2fccbc43802b4f2b62ecccecc26ed538e9565eae","fd3f13db41cd5b442fa26ba8bc0e9703ed243b3516374e3ef89be71cbf07436b","c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f","be859b4f4576ec09b69a2ef2d119939f7eb31de121aa01d38e1f0b2290f5a15e","0bb0d54033767f081cae775e3cf9ede7ae6bea75f35fbfb748ccba9325e28e5e","a876f648991711e44a8dcf888a271880c6c930e5138f284cd6ca6128eca56ba1","5a17cfaea0cc3a82242fdd11b53140c0b56256d769b07c33757d61e0a0a6ec02","d213b5079462e737eb940ac46c59e386eb6ca7f8decc95a594b3d8f3b6940010","e792adf4dff54faca5b9f5b32c1a2df3a6a955e722f1be8df2451c03ed940e41","968756e62052f9af80934b599994addbab29f8dc2615c47cda512bae48771019","baad1153e58c86aa1dc9346cdd06be53b5dd2a6cf76202536d6721c934008f8e","b7342b03d7642c894ebad639b9b53fd851d7958298f454283c18748051946585","8b0ab7f7f48bf847c3af570da7dd3e26eda9e4c4ab38e5f97a7cd09b8ace943a9","7ccf7e8050c66eed69f35159042d8043032f8afe48ae1f51fce75ce2c51395f2")

    Detection Query 3 :

    resourcename = "Windows Security" and eventtype = "4688" and processname IN ("rundll32.exe","cmd.exe","schtasks.exe") and commandline In ("tables(1).dll","/c (taskkill /f /IM explorer.exe >nul 2>&1) & (start explorer >nul 2>&1)","/Create /tn", "OneDriveHealth")

    Detection Query 4 :

    Technologygroup = "EDR" and processname IN ("rundll32.exe","cmd.exe","schtasks.exe") and commandline In ("tables(1).dll","/c (taskkill /f /IM explorer.exe >nul 2>&1) & (start explorer >nul 2>&1)","/Create /tn", "OneDriveHealth")

    Detection Query 5 :

    resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("C:\ProgramData\USOPublic\Data\User\EhStoreShell.dll", "C:\ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png", "C:\Users\*\AppData\Local\Temp\Diagnostics\office.xml", "%APPDATA%\Microsoft\Outlook\VbaProject.OTM", "%TEMP%\temp_email.msg")

    Detection Query 6 :

    Technologygroup = "EDR" and objectname IN ("C:\ProgramData\USOPublic\Data\User\EhStoreShell.dll", "C:\ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png", "C:\Users\*\AppData\Local\Temp\Diagnostics\office.xml", "%APPDATA%\Microsoft\Outlook\VbaProject.OTM", "%TEMP%\temp_email.msg")

    Detection Query 7 :

    resourcename = "Windows Security" and eventtype = "4657" and objectname IN ("HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32","HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level = 1","HKCU\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot = 1")

    Detection Query 8 :

    Technologygroup = "EDR" and objectname IN ("HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32","HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level = 1","HKCU\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot = 1")

    Detection Query 9 :

    sender in ("chmilewskii@outlook.com","chmilewskii@proton.me","jannet.stillman@outlook.com","fiscalizacionycontrol@cordoba.gov.ar","nagipeterson@emailasso.net") or From in ("chmilewskii@outlook.com","chmilewskii@proton.me","jannet.stillman@outlook.com","fiscalizacionycontrol@cordoba.gov.ar","nagipeterson@emailasso.net")

    Detection Query 10 :

    dstipaddress IN ("159.253.120.2","193.187.148.169","23.227.202.14","72.62.185.31") or srcipaddress IN ("159.253.120.2","193.187.148.169","23.227.202.14","72.62.185.31")
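The detection queries above are written for the Gurucul query language. The Python script below is an added example, not part of this advisory and not Gurucul's own code: it loads the advisory's hash, command-line, file-path, registry and network IOCs and applies them to constructed sample telemetry records the way those queries do, adding the normalisation the queries leave implicit. Hash comparison is lowercased; %APPDATA% and %TEMP% in the path IOCs are expanded to assumed per-user globs in the same C:\Users\* form the advisory already uses; and the registry IOCs published as "key\value = 1" are split into path and data, because event 4657 records the key/value and the new data in separate fields. It also validates the hash list before use: two digests on this page have the wrong length as published (one MD5 of 31 hex characters, one SHA-256 of 65) and can never match a real digest. The event field names, the user name "alice" and everything in SAMPLE_EVENTS are constructed for illustration.

```python
import fnmatch

# Hash IOCs from the advisory's Detection Queries 1 and 2, lowercase for case-insensitive
# lookups. Two entries have the wrong length as published; validate_hashes() reports them.
MD5_IOCS = {
    "4727582023cd8071a6f388ea3ba2feaa", "859c4b85ed85e6cc4eadb1a037a61e16",
    "58f517bdc9ba8de1b69829b0dcf86113", "d47261e52335b516a777da368208ee91",
    "e4a5c4b205e1b80dc20d9a2fb4126d06", "b6a86f44d0a3fa5a5ac979d691189f2d",
    "2f7b4dca1c79e525aef8da537294a6c4", "7c396677848776f9824ebe408bbba943",
    "0df3fde016f3c0974d4aa01b06724a33", "6408276cdfd12a1d5d3ed7256bfba639",
    "41c51784f6d601ffd0e09b7d59ff6025", "c306e0a3ec528368f0b0332104148266",
    "337cecf067ecf0609b943b54fb246ed2", "1550ae7df233bb9a9c9e78bf8b23607",
    "045d1e0686f8b4b49b2d9cf48ac821f8",
}
SHA256_IOCS = {
    "1ed863a32372160b3a25549aad25d48d5352d9b4f58d4339408c4eea69807f50",
    "969d2776df0674a1cca0f74c2fccbc43802b4f2b62ecccecc26ed538e9565eae",
    "fd3f13db41cd5b442fa26ba8bc0e9703ed243b3516374e3ef89be71cbf07436b",
    "c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f",
    "be859b4f4576ec09b69a2ef2d119939f7eb31de121aa01d38e1f0b2290f5a15e",
    "0bb0d54033767f081cae775e3cf9ede7ae6bea75f35fbfb748ccba9325e28e5e",
    "a876f648991711e44a8dcf888a271880c6c930e5138f284cd6ca6128eca56ba1",
    "5a17cfaea0cc3a82242fdd11b53140c0b56256d769b07c33757d61e0a0a6ec02",
    "d213b5079462e737eb940ac46c59e386eb6ca7f8decc95a594b3d8f3b6940010",
    "e792adf4dff54faca5b9f5b32c1a2df3a6a955e722f1be8df2451c03ed940e41",
    "968756e62052f9af80934b599994addbab29f8dc2615c47cda512bae48771019",
    "baad1153e58c86aa1dc9346cdd06be53b5dd2a6cf76202536d6721c934008f8e",
    "b7342b03d7642c894ebad639b9b53fd851d7958298f454283c18748051946585",
    "8b0ab7f7f48bf847c3af570da7dd3e26eda9e4c4ab38e5f97a7cd09b8ace943a9",
    "7ccf7e8050c66eed69f35159042d8043032f8afe48ae1f51fce75ce2c51395f2",
}
IP_IOCS = {"159.253.120.2", "193.187.148.169", "23.227.202.14", "72.62.185.31"}
CMDLINE_IOCS = ["tables(1).dll", "/Create /tn", "OneDriveHealth",
                "/c (taskkill /f /IM explorer.exe >nul 2>&1) & (start explorer >nul 2>&1)"]
PATH_IOCS = [r"C:\ProgramData\USOPublic\Data\User\EhStoreShell.dll",
             r"C:\ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png",
             r"C:\Users\*\AppData\Local\Temp\Diagnostics\office.xml",
             r"%APPDATA%\Microsoft\Outlook\VbaProject.OTM", r"%TEMP%\temp_email.msg"]
REGISTRY_IOCS = [r"HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32",
                 r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level = 1",
                 r"HKCU\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot = 1"]
# Assumed per-user expansions for the variables in PATH_IOCS; '*' stands for the user name.
ENV_GLOBS = {"%APPDATA%": r"C:\Users\*\AppData\Roaming", "%TEMP%": r"C:\Users\*\AppData\Local\Temp"}

def validate_hashes():
    """Return IOC hashes whose length is not a valid MD5 (32) or SHA-256 (64) digest."""
    return {h for h in MD5_IOCS if len(h) != 32} | {h for h in SHA256_IOCS if len(h) != 64}

def path_matches(observed):
    """Case-insensitive glob match of an observed file path against PATH_IOCS."""
    observed = observed.lower()
    for ioc in PATH_IOCS:
        for var, glob in ENV_GLOBS.items():
            ioc = ioc.replace(var, glob)
        if fnmatch.fnmatchcase(observed, ioc.lower()):
            return True
    return False

def registry_matches(value_path, data=None):
    """Event 4657 logs key/value and new data separately, so 'path = data' IOCs are split first."""
    for ioc in REGISTRY_IOCS:
        ioc_path, _, ioc_data = ioc.partition(" = ")
        if ioc_path.lower() == value_path.lower() and (not ioc_data or ioc_data == str(data)):
            return True
    return False

def match_event(ev):
    """Return the IOC categories one telemetry record (a dict) hits; empty list if none."""
    hits = []
    if ev.get("md5", "").lower() in MD5_IOCS or ev.get("sha256", "").lower() in SHA256_IOCS:
        hits.append("hash")
    cmdline = ev.get("commandline", "").lower()
    if any(frag.lower() in cmdline for frag in CMDLINE_IOCS):  # substring, as in Queries 3 and 4
        hits.append("commandline")
    if ev.get("path") and path_matches(ev["path"]):
        hits.append("path")
    if ev.get("regkey"):
        value_path = ev["regkey"] + ("\\" + ev["regvalue"] if ev.get("regvalue") else "")
        if registry_matches(value_path, ev.get("regdata")):
            hits.append("registry")
    if ev.get("dst_ip") in IP_IOCS or ev.get("src_ip") in IP_IOCS:
        hits.append("network")
    return hits

# Constructed sample telemetry for the demonstration; user "alice" and all values are made up.
SAMPLE_EVENTS = [
    {"id": 1, "commandline": r"rundll32.exe C:\Users\alice\Downloads\tables(1).dll"},
    {"id": 2, "commandline": 'schtasks.exe /Create /tn "OneDriveHealth"'},
    {"id": 3, "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"id": 4, "regkey": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security", "regvalue": "Level", "regdata": 1},
    {"id": 5, "regkey": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security", "regvalue": "Level", "regdata": 3},
    {"id": 6, "sha256": "1ED863A32372160B3A25549AAD25D48D5352D9B4F58D4339408C4EEA69807F50"},
    {"id": 7, "dst_ip": "72.62.185.31"},
    {"id": 8, "commandline": "explorer.exe", "path": r"C:\Users\alice\Documents\notes.txt"},
]

def run_detection(events=SAMPLE_EVENTS):
    """Map event id -> matched categories for every event that hits at least one IOC."""
    return {ev["id"]: hits for ev in events if (hits := match_event(ev))}
```

Calling run_detection() on the sample set returns {1: ["commandline"], 2: ["commandline"], 3: ["path"], 4: ["registry"], 6: ["hash"], 7: ["network"]}; event 5 is not reported because the Security\Level data is 3 rather than the 1 the IOC specifies, and event 8 hits nothing. validate_hashes() returns the two malformed digests, which is worth checking before loading any published IOC list into a SIEM, since a truncated hash silently never matches. A hit on VbaProject.OTM or on the Outlook Security\Level value is a lead rather than a verdict: VbaProject.OTM is simply where Outlook stores a user's VBA project and the two registry values are Outlook macro-security settings, so such matches should be correlated with the process, hash and network indicators above before escalating.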

    Reference: 

    https://www.trellix.com/blogs/research/apt28-stealthy-campaign-leveraging-cve-2026-21509-cloud-c2/


    Tags

    Threat Actor, Vulnerability, Fancy Bear, CVE-2026, Russia, Europe, Ukrainian, Government Services and Facilities, NotDoor, Backdoor, APT, UAE, Defense Industrial Base, Spear Phishing, APT28, Poland, Turkey
