{
  "name": "Danger Bulletin: Cyberattacks Against Ukraine and EU Countries Using CVE-2026-21509 Exploit",
  "slug": "danger-bulletin-cyberattacks-against-ukraine-and-eu-countries-using-cve-2026-21509-exploit",
  "description": "UAC-0001 (APT28) has launched cyberattacks against Ukraine and EU countries that exploit CVE-2026-21509, a vulnerability in Microsoft Office products. The threat actor created malicious DOC files targeting government bodies and EU organizations. The attack chain involves WebDAV connections, COM hijacking, and the COVENANT framework, which uses Filen cloud storage for command and control. The campaign began shortly after the vulnerability's disclosure, and multiple documents containing similar exploits have been discovered. The attackers employ sophisticated techniques to evade detection and maintain persistence, including disguising malicious files as legitimate Windows components and creating scheduled tasks.",
  "published": "2026-02-04T13:15:57+00:00",
  "created_at": "2026-02-04T13:15:57+00:00",
  "modified_at": "2026-02-09T11:12:12+00:00",
  "created_at_opencti": "2026-02-04T13:15:57+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-04",
    "CVE-2026-21509",
    "com hijacking",
    "covenant",
    "eu",
    "filen",
    "microsoft office",
    "ukraine",
    "webdav"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "23.227.202.14"
      },
      {
        "id": "",
        "name": "146.0.41.231"
      },
      {
        "id": "",
        "name": "146.0.41.207"
      },
      {
        "id": "",
        "name": "146.0.41.206"
      },
      {
        "id": "",
        "name": "146.0.41.233"
      },
      {
        "id": "",
        "name": "159.253.120.2"
      },
      {
        "id": "",
        "name": "193.187.148.169"
      },
      {
        "id": "",
        "name": "146.0.41.204"
      },
      {
        "id": "",
        "name": "146.0.41.205"
      },
      {
        "id": "",
        "name": "146.0.41.232"
      },
      {
        "id": "",
        "name": "146.0.41.234"
      },
      {
        "id": "",
        "name": "146.0.41.208"
      },
      {
        "id": "",
        "name": "http://wellnesscaremed.com/davwwwroot/buch/Downloads/blank.doc"
      },
      {
        "id": "",
        "name": "http://freefoodaid.com/documents/2_2.lNk?init="
      },
      {
        "id": "",
        "name": "http://wellnesscaremed.com/davwwwroot/venezia/Favorites/blank.doc"
      },
      {
        "id": "",
        "name": "http://freefoodaid.com/documents/template_2_2.doc"
      },
      {
        "id": "",
        "name": "http://wellnessmedcare.org/davwwwroot/pol/Downloads/document.LnK?init="
      },
      {
        "id": "",
        "name": "http://wellnesscaremed.com/venezia/d/sd"
      },
      {
        "id": "",
        "name": "http://wellnessmedcare.org/davwwwroot/cz/Downloads/document.LnK?init="
      },
      {
        "id": "",
        "name": "http://wellnesscaremed.com/buch/Downloads/document.doc.LnK?init="
      },
      {
        "id": "",
        "name": "http://freefoodaid.com/davwwwroot/2_2.lNk?init="
      },
      {
        "id": "",
        "name": "http://wellnesscaremed.com/venezia/Favorites/document.doc.LnK?init="
      },
      {
        "id": "",
        "name": "5a17cfaea0cc3a82242fdd11b53140c0b56256d769b07c33757d61e0a0a6ec02"
      },
      {
        "id": "",
        "name": "b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546"
      },
      {
        "id": "",
        "name": "8c1dc9732884c6078b23953b78314a8d0d8b8d9fe42e5f97a7cd09b8ace943a9"
      },
      {
        "id": "",
        "name": "9f4672c1374034ac4556264f0d4bf96ee242c0b5a9edaa4715b5e61fe8d55cc8"
      },
      {
        "id": "",
        "name": "fd3f13db41cd5b442fa26ba8bc0e9703ed243b3516374e3ef89be71cbf07436b"
      },
      {
        "id": "",
        "name": "c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f"
      },
      {
        "id": "",
        "name": "b2e771cbfa0a74d0774db162d28c1eecd3a7cb384dfe97522e9baabd1c04d304"
      },
      {
        "id": "",
        "name": "40c2e559992a7f595c593b419930a3f216516c3042ad86fb985348d53b6e01b9"
      },
      {
        "id": "",
        "name": "52b6fb40e7efb09c2bebe8550178e7e30009600bdedd1acae085d753761b7598"
      },
      {
        "id": "",
        "name": "495cf3fd22d4fc2c6c86b689b68141ac7d0130b0bb5cbc834ef59275132ee5c2"
      },
      {
        "id": "",
        "name": "c4389cc34b672c4f885547f413bf38575e6ee2b23a0ddfdd306a69c1775db6fc"
      },
      {
        "id": "",
        "name": "969d2776df0674a1cca0f74c2fccbc43802b4f2b62ecccecc26ed538e9565eae"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:353f9df0ed0fa12a",
        "name": "COVENANT",
        "slug": "covenant"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c3e43cdf-9dde-4127-bbb9-557862d769ca",
        "name": "UAC-0001 (APT28)",
        "slug": "uac-0001-apt28"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2026-21509"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "wellnessmedcare.org"
      },
      {
        "id": "",
        "name": "wellnesscaremed.com"
      },
      {
        "id": "",
        "name": "freefoodaid.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6983549d1f4ab8a67c29cd5b",
    "https://cert.gov.ua/article/6287250"
  ]
}