APT28 - Geofencing as a Targeting Signal (CVE-2026-21509 Campaign)
Since the beginning of this year, we have observed an increased number of attacks by APT28 targeting various European countries. In multiple campaigns, the group actively leverages the Microsoft Office vulnerability CVE-2026-21509 as an initial access vector. This vulnerability is caused by an allowlist gap around Shell.Explorer.1, which Office still instantiates. WebDAV is only used as a delivery mechanism.
Attackers embed a Shell.Explorer.1 OLE object inside an RTF document. When Word parses the file, the object gets reconstructed and instantiated normally, because from Office’s point of view, it is still considered allowed. This is merely a forgotten COM class. Once loaded, the embedded browser object calls Navigate() and points to a remote resource, usually a .lnk file, which then becomes the actual execution vector. The document itself carries no payload; its only purpose is to reach a state where Shell.Explorer.1 is active and allowed to fetch external content. The vulnerability is triggered solely because this specific ProgID is still allowed.
While analyzing the documents and extracted URLs, it became apparent that they reference potential target regions: /cz/ -> Czech Republic, /buch/ -> Bucharest / Romania, and /pol/ -> Poland. Additional indicators inside the Word documents further support this assessment, including Romanian language content, references to Ukraine, mentions of Slovenia, and EU-related context. Russian threat actors are known to rely heavily on geofencing, and APT28 is no exception. This behavior can be turned into a useful source of intelligence.
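The two observations above, an RTF carrying a Shell.Explorer.1 OLE object whose decoded stream names a remote .lnk, and URL path segments that hint at the targeted region, can be folded into a single triage check. The following is an added example written for this summary, not code from the original article or from any vendor tooling; it parses the `\objclass` and `\objdata` control words of an RTF file, hex-decodes the object stream, looks for the ProgID and any HTTP or UNC target inside it, and maps the path segments the article lists (`/cz/`, `/buch/`, `/pol/`) to regions. The sample RTF, the `example.invalid` URL and the simplified object stream are constructed for the demonstration; a real OLE1 stream has a longer binary header than the stand-in used here.

```python
"""Triage helper for RTF documents: flags embedded Shell.Explorer.1 objects,
extracts the remote target they would navigate to, and reads region hints
from the URL path.  Added example; not code from the original article."""
import re
from typing import List, NamedTuple

# RTF control words: the ProgID of the embedded object and its hex-encoded stream.
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9_.]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
# HTTP(S) URLs or UNC paths (WebDAV delivery) made of printable ASCII.
URL_RE = re.compile(rb"(?:https?://|\\\\)[\x21-\x7e]+")
SUSPICIOUS_PROGID = "Shell.Explorer.1"
# Path tokens the article reports as targeting hints in the observed URLs.
REGION_TOKENS = {"cz": "Czech Republic", "buch": "Bucharest / Romania", "pol": "Poland"}


class Finding(NamedTuple):
    progid: str
    suspicious: bool
    urls: List[str]
    regions: List[str]


def decode_objdata(hex_blob: bytes) -> bytes:
    """Strip whitespace from the \\objdata hex text and decode it to raw bytes."""
    clean = re.sub(rb"\s+", b"", hex_blob)
    if len(clean) % 2:          # tolerate a truncated trailing nibble
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def extract_urls(data: bytes) -> List[str]:
    """Find printable URLs in the raw stream and in UTF-16LE text at either alignment."""
    views = [data]
    for offset in (0, 1):
        text = data[offset:].decode("utf-16le", errors="ignore")
        views.append(text.encode("ascii", errors="ignore"))
    urls = {m.group(0).decode("ascii", "ignore") for v in views for m in URL_RE.finditer(v)}
    return sorted(urls)


def region_hints(url: str) -> List[str]:
    """Map path segments (host excluded) to the regions listed in REGION_TOKENS."""
    path = url.split("://", 1)[-1].lstrip("/\\")
    segments = [s.lower() for s in re.split(r"[/\\]+", path)[1:]]
    return [REGION_TOKENS[s] for s in segments if s in REGION_TOKENS]


def triage_rtf(rtf: bytes) -> List[Finding]:
    """One Finding per embedded object stream found in the RTF bytes."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        classes = OBJCLASS_RE.findall(rtf, 0, m.start())   # nearest preceding \objclass
        progid = classes[-1].decode("ascii", "ignore") if classes else ""
        data = decode_objdata(m.group(1))
        # Also check the decoded stream, in case the \objclass group was omitted.
        suspicious = progid == SUSPICIOUS_PROGID or SUSPICIOUS_PROGID.encode() in data
        urls = extract_urls(data)
        regions = sorted({r for u in urls for r in region_hints(u)})
        findings.append(Finding(progid, suspicious, urls, regions))
    return findings


def build_sample_rtf() -> bytes:
    """Constructed RTF with a Shell.Explorer.1 object whose stream names a .lnk target.
    The stream is a stand-in: a short header, the ProgID, then a UTF-16LE URL."""
    stream = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"Shell.Explorer.1\x00"
              + "http://example.invalid/cz/update.lnk".encode("utf-16le") + b"\x00\x00")
    return (b"{\\rtf1\\ansi\\deff0 Quarterly report\n"
            b"{\\object\\objemb{\\*\\objclass Shell.Explorer.1}"
            b"{\\*\\objdata " + stream.hex().encode("ascii") + b"}}\n\\par }")


def build_benign_rtf() -> bytes:
    """Constructed RTF embedding an ordinary Word object with no remote target."""
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata 0105000002000000}}}")


if __name__ == "__main__":
    for label, doc in (("sample", build_sample_rtf()), ("benign", build_benign_rtf())):
        for f in triage_rtf(doc):
            print(label, f.progid, "SUSPICIOUS" if f.suspicious else "ok", f.urls, f.regions)
```

The script only reads the document; it never instantiates the object or follows the URL, so it is safe to run on a mail-gateway quarantine or a sandbox drop folder. The region mapping is deliberately limited to the tokens the article reports; extend `REGION_TOKENS` only with segments you have observed yourself, since a coincidental path component is not a targeting signal on its own.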
To protect against these attacks, it is recommended to update Microsoft Office and enforce a structured update routine. Additionally, treat unexpected Word documents as untrusted and have them analyzed before opening them.
For more details, see the full article.