Microsoft releases urgent Office patch. Russian-state hackers pounce.

February 5, 2026
Here's something that caught my attention — Russian-state hackers jumped on a critical Microsoft Office flaw within just 48 hours of its patch release. According to Dan Goodin at TechCrunch, this group — known as Fancy Bear or APT28 — exploited a vulnerability called CVE-2026-21509 to target diplomatic and transport organizations across multiple countries. Now, here's where it gets wild — researchers found they quickly reverse-engineered the patch and crafted an advanced exploit. This allowed them to install backdoors that ran entirely in memory, making detection a nightmare. The hackers used trusted cloud services for command channels and took advantage of compromised government email accounts, which probably helped them stay under the radar. So what does this actually mean for your security? It’s a stark reminder: even quick patches need to be monitored closely, and nation-state hackers are faster and more stealthy than ever. As Goodin points out, this campaign shows just how sophisticated and rapid these attacks now are — something to watch carefully moving forward.

Russian-state hackers wasted no time exploiting a critical Microsoft Office vulnerability that allowed them to compromise the devices inside diplomatic, maritime, and transport organizations in more than half a dozen countries, researchers said Wednesday.

The threat group, tracked under names including APT28, Fancy Bear, Sednit, Forest Blizzard, and Sofacy, pounced on the vulnerability, tracked as CVE-2026-21509, less than 48 hours after Microsoft released an urgent, unscheduled security update late last month, the researchers said. After reverse-engineering the patch, group members wrote an advanced exploit that installed one of two never-before-seen backdoor implants.

Stealth, speed, and precision

The entire campaign was designed to make the compromise undetectable to endpoint protection. Besides being novel, the exploits and payloads were encrypted and ran in memory, making their malice hard to spot. The initial infection vectors were previously compromised government accounts from multiple countries, which were likely familiar to the targeted email holders. Command and control channels were hosted in legitimate cloud services that are typically allow-listed inside sensitive networks.
