Russian-state hackers exploit Office flaw days after Microsoft patch
Russian-state hackers exploited a critical Microsoft Office vulnerability to compromise devices inside diplomatic, maritime, and transport organizations in more than half a dozen countries. The threat group, tracked under names including APT28, Fancy Bear, Sednit, Forest Blizzard, and Sofacy, moved on the flaw tracked as CVE-2026-21509 less than 48 hours after Microsoft released an urgent, unscheduled security update late last month.
After reverse-engineering the patch, group members wrote an advanced exploit that installed one of two never-before-seen backdoor implants. The exploits and payloads were encrypted and ran only in memory, making the malicious activity hard to spot. Command-and-control channels were hosted in legitimate cloud services that are typically allow-listed inside sensitive networks.
The initial infection vector was email sent from previously compromised government accounts in multiple countries, accounts that were likely familiar to the targeted recipients.
Tags: Microsoft Office, CVE-2026-21509, APT28, Fancy Bear, Sofacy, backdoor implant, memory-resident, cloud services, compromised accounts, diplomatic targets