Russian hackers exploit vulnerability on Microsoft Office

Russian hackers exploit vulnerability on Microsoft Office, release spying malware down victim machine

When it comes to software for use within a long-known office, it can't escape. Microsoft Office, which has later diminished its popularity from more alternatives, but it is still the software of the office. Yet, it has so many security vulnerabilities that it is in favor of hackers, as in this case.

According to a report by the website, The Hacker News mentioned the detection of a new campaign by the hacker group APT28, known as UAC-0001 from Russia, in the use of a Microsoft Office security vulnerability coded CVE-2026-21509, which has a danger rating, or CVSS Score, of up to 7.8. This vulnerability is a security feature bypass vulnerability, resulting in hackers being able to send Microsoft Office files created for a special purpose, sending them to trick the victim into opening them, which leads to malware implantation, according to a research team from Zscaler ThreatLabz. The company, an expert in building security solutions, named the hacker operation that detected Operation Neusploit by a group of research teams that detected the campaign before it was named. It was the work of a research team from Microsoft itself and Google: Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, and Google Threat Intelligence Group (GTIG).

For its part, the attack starts with hackers using deception in the form of social engineering, via phishing email in different languages, depending on which country the victim lives in, while the server side is set up to detect which country the download request came from. The request must only come from the designated country to the server to release a DLL file, a malware file (payload) to the victim's machine. Currently, the hackers have focused on tackling European countries such as Ukraine, Greece, Turkey, Poland, Slovenia. And Middle East countries like the Arab Emirates, where hackers impersonate government organizations to build trust in victims.

Within the fraudulent email mentioned above, inside a Microsoft Office document of the type .RTF or .DOC is attached, which will lead to downloading 2 per-bird malware (Loader).

Verse malware for downloading and installing MiniDoor malware, which is malware for data theft or Infostealer. The emails on Microsoft Outlook software in both Inbox, Junk, and Drafts are sent back to hackers via an email address that is saved as a fixed value (Hardcoded) on malware like ahmeclaw2002@outlook [.] com and ahmeclaw@proton [.] me. This malware comes as a DLL file written on the C + + language. This malware, based on in-depth investigation, has been found to be a malware modified from NotDoor (or GONEPOSTAL) malware.

The malware called PixyNetLoader, used for downloading hacking tools, is called COVENANT. This malware is more complex than the first fowl malware, which initiates a chain attack on the victim or Chain Attack.

In the PixyNetLoader malware section, PixyNetLoader will start by loading a Components element embedded (Embeded) in the Loader. The unlocked file contains a Shellcode Loader in the DLL file format called "EhStoreShell.dll," and an image in the PNG file format called "SplashScreen.png." The Shellcode Loader extracts a Shellcode embedded in the image file for Execution. This Loader will only work if it is not detected in the environment in which the file is being analyzed, and the process that extracts the DLL file. The Loader must be "explorer." If the condition is not complete, the malware will be embedded in the system.

The decoded Shellcode will lead to the loading of the COVENANT hacking tool in the .NET Assembly format, which will connect the control and control network or C2 (Command and Control) to the victim's machine. In addition to embedding malware, the Loader also serves to create system persistence by using COM Object Hijacking.

# Trending # Lemon 8 Howtoo # lemon 8 diary # freedomhack # hackers