
APT28 weaponizes patched Office flaw to target Ukraine and EU governments
Russian-linked APT28 is exploiting a patched Microsoft Office zero-day (CVE-2026-21509) to attack Ukraine and EU government targets, deploying malicious Word documents that trigger a WebDAV download chain and COM hijacking to load Covenant via EhStoreShell.dll and a hidden image payload, with C2 through Filen cloud storage. The campaign, which impersonated entities like Ukraine's Hydrometeorological Center and EU COREPER, appears broader than Ukraine. Patch all affected Office versions promptly and restart apps after updates; if patching isn't possible, apply registry mitigations; Defender's Protected View provides additional defense against Internet-origin Office files.
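
The chain described above, as an added triage example that is not part of the original article: it tags constructed telemetry events with the three stages the summary names (a WebDAV fetch, a COM registration pointing at EhStoreShell.dll, DNS lookups for Filen) and ranks hosts that show two or more. The event field names, the `davclnt.dll,DavSetCookie` command-line marker for the Windows WebDAV client, and the `filen.io` domain are assumptions, not values taken from the article.

```python
import ntpath
from collections import defaultdict

FILEN_DOMAIN = "filen.io"  # assumption: Filen's public domain, not given in the article

# Constructed sample events; hosts, SIDs, CLSIDs and paths are placeholders.
EVENTS = [
    {"host": "ws-01", "type": "process",
     "cmdline": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie files.example.test http://files.example.test/docs/"},
    {"host": "ws-01", "type": "registry",
     "key": r"HKU\S-1-5-21-0\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32",
     "value": r"C:\ProgramData\EhStoreShell.dll"},
    {"host": "ws-01", "type": "dns", "query": "gateway.filen.io."},
    {"host": "ws-02", "type": "dns", "query": "filen.io"},          # Filen alone can be legitimate use
    {"host": "ws-03", "type": "dns", "query": "notfilen.io"},       # must not match by substring
    {"host": "ws-03", "type": "registry",
     "key": r"HKLM\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32",
     "value": r"C:\Windows\System32\shell32.dll"},
]

def classify(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    kind = ev.get("type")
    if kind == "process" and "davclnt.dll,davsetcookie" in ev.get("cmdline", "").lower():
        return "webdav_fetch"
    if kind == "registry" and ev.get("key", "").lower().endswith("\\inprocserver32"):
        # COM server registration whose DLL is the file name the article reports
        if ntpath.basename(ev.get("value", "")).lower() == "ehstoreshell.dll":
            return "com_hijack"
    if kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q == FILEN_DOMAIN or q.endswith("." + FILEN_DOMAIN):
            return "filen_dns"
    return None

def triage(events):
    """Return {host: set of stages observed on that host}."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return dict(seen)

def high_priority(events, min_stages=2):
    """Hosts where several stages co-occur; a single stage is weak evidence."""
    return sorted(h for h, s in triage(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    print(triage(EVENTS), high_priority(EVENTS))
```
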