Protection Only After Update

Hackers Exploit Zero-Day Vulnerability in Microsoft Office for Attacks

Hackers are currently targeting Microsoft Office—a serious security flaw is allowing the spread of malware.
Adrian Mühlroth

February 4, 2026, 2:05 pm | Read time: 3 minutes

Just last week, Microsoft warned of a critical zero-day security vulnerability in Microsoft Office. Only a few days later, it became known that a well-known hacker group was already actively exploiting the vulnerability for cyberattacks. Users must take action to protect themselves.

Hacker Group Attacks Targets in Central and Eastern Europe

In January, security researchers from Zscaler’s ThreatLabz identified a new attack campaign, which they have since tracked as “Operation Neusploit.” The attacks are attributed to the Advanced Persistent Threat group APT28, which is linked to Russia. APT28 has been known for state-sponsored cyber operations for years. The hackers exploit the vulnerability CVE-2026-21509 in Microsoft Office, which allows malware to enter the computer through manipulated text files.

The attack vector is based on manipulated text files in Rich Text Format (RTF). The attackers use social engineering emails with seemingly legitimate content to deliver the RTF files via attachments to the victims’ computers. The goal is to persuade recipients to open the files, triggering the infection. “Operation Neusploit” primarily targets Central and Eastern Europe. The emails are written in English, Romanian, Slovak, and Ukrainian.

Multistage, Hard-to-Detect Infection

When an RTF document is opened, the security flaw in Office's handling of the file is exploited. The attack occurs without any visible warning or prompt. As a result, attackers can execute arbitrary code on the affected computer and take control of it.

The infection chain consists of two different variants of so-called droppers—software that can install additional malware on infected systems. Antivirus programs often overlook the droppers because they do not contain malware themselves but deliver it later.

One variant installs MiniDoor, which can read emails in Microsoft Outlook and forward them to the attackers. Additionally, MiniDoor alters the Windows registry to bypass security features and maintain permanent access to Outlook.

A second, significantly more dangerous dropper variant deploys PixyNetLoader, which can subsequently install the Covenant-Grunt implant. This gives attackers command-and-control capabilities, allowing them to control the entire system.

To remain undetected, the droppers deliver the malicious payload only to targets in narrowly defined geographic regions. This significantly complicates analysis and detection by security researchers.

Microsoft Provides Update for Office

Users of Office 2021, Office 2024, and Microsoft 365 automatically receive the security patch through the regular update mechanism. However, the Office applications must be restarted for the installation to complete.

For Office 2016 and Office 2019, a manual installation of the security update is necessary. Alternatively, Microsoft provides users with a guide to modifying the registry to protect against the attacks immediately.

This article is a machine translation of the original German version of TECHBOOK and has been reviewed for accuracy and quality by a native speaker. For feedback, please contact us at info@techbook.de.