Russia-linked APT28 attackers already abusing new Microsoft Office zero-day


Russia-linked attackers are already exploiting Microsoft's latest Office zero-day, with Ukraine's national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU.

In an alert published on Sunday, CERT-UA says the activity is being driven by UAC-0001, better known as "APT28" or "Fancy Bear", and hinges on CVE-2026-21509, a security feature bypass bug in Microsoft Office that Microsoft disclosed last week alongside a warning that attackers were already exploiting it in the wild.

According to CERT-UA, the first weaponized document surfaced just days after Microsoft sounded the alarm about the flaw. A file titled "Consultation_Topics_Ukraine(Final).doc" appeared publicly on January 29 and was themed around EU discussions on Ukraine. File metadata shows it was created on January 27 — the day after Microsoft published details of the flaw — a turnaround time that suggests the exploit ...


Copyright of this story solely belongs to theregister.co.uk.