Overview
- CERT-UA and Zscaler report weaponized documents seen on January 29, with metadata showing a lure created on January 27, one day after Microsoft released the patch for CVE-2026-21509.
- Observed attacks install either the MiniDoor Outlook email stealer or a PixyNetLoader chain that uses COM hijacking, a malicious EhStoreShell.dll, steganographic code in SplashScreen.png, and a scheduled task to run a Covenant Grunt implant.
- Targets include Ukrainian government addresses and organizations in Slovakia and Romania, with phishing lures localized by language and themed on EU consultations related to Ukraine.
- Delivery relies on WebDAV downloads and server-side filtering that checks geography and User-Agent strings, with command-and-control traffic routed through the Filen cloud storage service to blend in.
- Microsoft issued out-of-band updates for supported Office versions and advises using Protected View and available registry-based mitigations, while CERT-UA and Zscaler have published indicators of compromise for defenders.
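As an added illustration of how a defender could hunt for the PixyNetLoader chain (third bullet) and the Filen-routed C2 (fifth bullet), here is a small rule set run over constructed Sysmon-style events. This is example code, not from CERT-UA, Zscaler or Microsoft; the CLSID, file paths, task name and the `filen.io` hostnames are assumptions, not indicators from the reports.

```python
import re

# Constructed sample telemetry (not from the reports): simplified Sysmon-style
# records modelling one host hit by the PixyNetLoader chain, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\EhStoreShell.dll"},
    {"type": "registry_set", "image": r"C:\Users\victim\AppData\Roaming\Microsoft\stage.exe",
     "target": r"HKCU\Software\Classes\CLSID\{CLSID-PLACEHOLDER}\InprocServer32\(Default)",
     "value": r"C:\Users\victim\AppData\Roaming\Microsoft\EhStoreShell.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\victim\AppData\Roaming\Microsoft\stage.exe",
     "cmdline": "schtasks /Create /TN Sync /TR rundll32.exe"},
    {"type": "network", "image": r"C:\Windows\System32\rundll32.exe", "dest_host": "gateway.filen.io"},
    # Benign noise: a browser using Filen, and the real DLL in its system location.
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "app.filen.io"},
    {"type": "file_create", "image": r"C:\Windows\System32\TrustedInstaller.exe",
     "target": r"C:\Windows\ehome\EhStoreShell.dll"},
]

USER_WRITABLE = re.compile(r"^C:\\Users\\", re.IGNORECASE)  # assumption: profile dirs only
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe")

def detect(events):
    """Return (rule_name, detail) pairs for events matching the chain's behaviours."""
    hits = []
    for e in events:
        img = e["image"].lower()
        target = e.get("target", "")
        # A system DLL name (EhStoreShell.dll) written under a user profile: masquerading.
        if e["type"] == "file_create" and target.lower().endswith("ehstoreshell.dll") \
                and USER_WRITABLE.match(target):
            hits.append(("masqueraded_system_dll_in_user_path", target))
        # An Office process dropping executable code is rarely legitimate.
        if e["type"] == "file_create" and img.endswith(OFFICE_APPS) \
                and target.lower().endswith((".dll", ".exe")):
            hits.append(("office_dropped_executable", target))
        # COM hijack: an InprocServer32 default value pointing into a user-writable path.
        if e["type"] == "registry_set" and "\\clsid\\" in target.lower() \
                and "inprocserver32" in target.lower() and USER_WRITABLE.match(e.get("value", "")):
            hits.append(("com_hijack_inprocserver32_user_path", e["value"]))
        # Persistence: schtasks.exe spawned by a binary living under a user profile.
        if e["type"] == "process_create" and img.endswith("schtasks.exe") \
                and USER_WRITABLE.match(e.get("parent", "")):
            hits.append(("schtasks_from_user_writable_parent", e["parent"]))
        # C2 blending: Filen traffic from anything that is not a browser.
        if e["type"] == "network" and e["dest_host"].endswith("filen.io") \
                and not img.endswith(BROWSERS):
            hits.append(("filen_from_non_browser_process", img))
    return hits
```

Each rule alone is noisy; in practice you would correlate them by host within a short window, which is what makes the chain above stand out from the benign Firefox and TrustedInstaller events.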