Danger Bulletin: Cyberattacks Against Ukraine and EU Countries Using CVE-2026-21509 Exploit
Essential information
- Published: 04/02/2026 14:15
- Modified: 09/02/2026 12:12
- Tags: 2026-02-04, CVE-2026-21509, com hijacking, covenant, eu, filen, microsoft office, ukraine, webdav
- Related entities: 1 vulnerability (CVE), 34 observables, 1 intrusion set (APT), 12 techniques (MITRE), 1 malware, 5 others
Description
UAC-0001 (APT28) has launched cyberattacks against Ukraine and EU countries that exploit the CVE-2026-21509 vulnerability in Microsoft Office products. The threat actor created malicious DOC files targeting government bodies and EU organizations. The attack chain involves WebDAV connections, COM hijacking, and the COVENANT framework, which uses Filen cloud storage for command and control. The campaign began shortly after the vulnerability's disclosure, and multiple documents containing similar exploits have been discovered. To evade detection and maintain persistence, the attackers disguise malicious files as legitimate Windows components and create scheduled tasks.