Russian state-linked hackers have begun exploiting a newly patched Microsoft Office vulnerability just days after Microsoft released an emergency security update, according to multiple cybersecurity firms.
The flaw, tracked as CVE-2026-21509, was fixed by Microsoft on January 26 after reports of active exploitation. Security researchers say the Russian hacking group known as APT28 started using the vulnerability within 48 to 72 hours of the patch becoming public.
Researchers from Trellix, Zscaler, and Ukraine’s CERT say the attacks targeted government, military, transport, and diplomatic organizations across Europe and nearby regions. Victims were sent carefully crafted Office files that triggered the flaw as soon as they were opened, without requiring macros or extra user actions.
The attacks relied on phishing emails written in both English and local languages. Once opened, the files installed stealthy malware that ran in memory, avoided antivirus tools, and used trusted cloud services for communication. In several cases, the malware focused on stealing Outlook emails and maintaining long-term access to internal systems.
Security analysts say the speed of exploitation shows how quickly state-level attackers can reverse-engineer patches and turn them into real-world attacks. Microsoft and US security agencies have urged organizations to apply the update immediately and restart Office apps to ensure protections are active.
The incident highlights the shrinking window between software patches and active attacks, especially for widely used platforms like Microsoft Office.