APT28 weaponizes Office flaw in Neusploit to deploy Covenant Grunt
Russia-linked APT28 is exploiting CVE-2026-21509 in Microsoft Office as part of Operation Neusploit, delivering two droppers through malicious RTFs: MiniDoor, an Outlook email stealer, and PixyNetLoader, which loads Covenant Grunt via a steganography-delivered shellcode loader; attacks target Ukraine, Slovakia, and Romania with region- and UA-based checks, and show overlaps with earlier Phantom Net Voxel activity.