APT28 Launches Attacks Using New Microsoft Office Bug

Insights Desk, February 3, 2026

Cybersecurity firm Zscaler ThreatLabz reported that the newly discovered hacking group began using the MS Office flaw on January 29, 2026, just three days after Microsoft publicly disclosed the issue. The attacks were mainly aimed at users in Ukraine, Slovakia, and Romania. The campaign has been named Operation Neusploit.

The vulnerability, tracked as CVE-2026-21509, affects Microsoft Office and allows attackers to bypass built-in security. By sending a specially crafted Office file, attackers can trigger malicious activity without the user realizing what’s happening.

In these attacks, hackers used malicious RTF files to deliver harmful software. Depending on the file, one of two tools was installed on the victim’s system. One tool was designed to steal emails, while the other enabled deeper access to the infected computer.

The first tool installs an email-stealing program called MiniDoor. This malware quietly collects emails from folders such as Inbox, Junk, and Drafts, and sends them to email addresses controlled by the attackers. Researchers believe MiniDoor is a simplified version of an older email-stealing tool previously linked to the same group.

The second tool, known as PixyNetLoader, launches a more complex attack. It installs additional hidden components and ensures the malware stays active even after the system restarts. Some of these components are disguised as normal files, including an image file that secretly contains malicious code.

This hidden code only activates under specific conditions, such as when the system appears to be a real user’s computer and not a testing environment. Once triggered, it installs a backdoor that allows attackers to remotely control the system.

Security researchers have recommended AI-powered cyber defense to mitigate such attacks in the future. They note that APT28 has used malicious techniques in past cyber campaigns, highlighting the group’s continued focus on targeted attacks using newly disclosed software vulnerabilities.
