A ship is docked at the Port of Gdynia in Poland, on the Baltic Sea. Credit: Kaptured by Kasia / Unsplash

Russian hackers attacking European maritime and transport orgs using Microsoft Office exploit

Researchers have uncovered additional cyberattacks carried out by Russian state-linked hackers exploiting a Microsoft Office vulnerability as part of what they described as a “sophisticated espionage campaign.”

The activity has been linked to APT28, or Fancy Bear, a Kremlin-backed hacking group that has targeted Ukraine and NATO-aligned countries for more than two decades.

Earlier this week, Ukraine’s computer emergency response team, CERT-UA, and cybersecurity firm Zscaler reported attacks by the group via the same vulnerability against Ukrainian government agencies and public sector organizations in Slovakia and Romania.

In a report released Wednesday, researchers at the cybersecurity firm Trellix said they observed broader APT28 activity targeting maritime, transportation and diplomatic entities in countries including Poland, Slovenia, Turkey, Greece and the United Arab Emirates.

According to the report, the attacks were part of a “concentrated” 72-hour spearphishing campaign that sent at least 29 distinct emails across nine Eastern European countries.

The hackers exploited a newly disclosed Microsoft Office vulnerability, tracked as CVE-2026-21509, shortly after Microsoft revealed the flaw in late January.

The campaign began with phishing emails carrying malicious Office documents that triggered the exploit automatically, without requiring user interaction, Trellix said. The messages were sent from compromised government email accounts in several countries, including Romania, Bolivia and Ukraine.

Trellix said the attackers used geopolitically themed lures such as weapons-smuggling alerts, NATO and European Union diplomatic invitations, military training notices and emergency weather bulletins. The attached documents were designed to resemble legitimate government correspondence and may have been based on previously stolen material.

Once opened, the files deployed a series of tools, including MiniDoor malware designed to steal email data and PixyNetLoader, which ultimately installed a Covenant backdoor on infected systems, the report said.

The campaign also made extensive use of legitimate cloud services to obscure malicious activity. Trellix said APT28 used the cloud storage platform Filen as a command-and-control channel, allowing the malware to blend in with normal internet traffic.

The hacker group has stepped up operations against Ukraine and its European allies since Russia’s full-scale invasion in 2022 and has a history of rapidly exploiting newly disclosed Office vulnerabilities, often becoming one of the first groups to use them in real-world attacks, according to researchers.

“The use of CVE-2026-21509 demonstrates how quickly state-aligned actors can weaponize new vulnerabilities, shrinking the window for defenders to patch critical systems,” Trellix said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.