Leveraging of CVE-2026-21509 in Operation Neusploit
Essential information
- Published
- 02/02/2026 22:44
- Modified
- 03/02/2026 09:49
- Tags
- 2026-02-02 CVE-2026-21509 covenant grunt filen api minidoor operation neusploit pixynetloader rtf exploit steganography
- Related entities
- 1 vulnerabilities (cve), 15 observables, 1 intrusion sets (apt), 8 techniques (mitre), 3 malware, 6 others
Description
A new campaign dubbed Operation Neusploit, attributed to the Russia-linked APT28 group, targets Central and Eastern European countries using specially crafted Microsoft RTF files to exploit CVE-2026-21509. The attack chain involves multi-stage infection, delivering malicious backdoors including MiniDoor, PixyNetLoader, and a Covenant Grunt implant. The campaign employs social engineering lures in multiple languages, server-side evasion techniques, and abuses the Filen API for command-and-control communications. The malware components utilize various persistence mechanisms, steganography, and anti-analysis techniques. The operation showcases APT28's evolving tactics, techniques, and procedures in weaponizing the latest vulnerabilities.