SOC Prime Bias: Critical

02 Feb 2026 11:44 UTC

UAC-0001 (APT28) Attacks Using CVE-2026-21509

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

APT28 (tracked as UAC-0001) is exploiting the newly disclosed Microsoft Office flaw CVE-2026-21509 to deliver malicious payloads against Ukrainian government targets and organizations across the EU. The intrusion begins with a weaponized DOC that forces a WebDAV request to pull additional components, then sets up COM hijacking to run a DLL-based loader that launches the Covenant framework. The activity also leverages legitimate Filen cloud storage as part of its network infrastructure. The campaign was observed in late January 2026.

Investigation

Analysis of the malicious DOC files showed that opening them in Office initiates a WebDAV connection that downloads a DLL named EhStoreShell.dll along with a PNG shellcode image. The DLL is made persistent via a CLSID COM registration hijack, and a scheduled task named OneDriveHealth is used to trigger explorer.exe, which loads the hijacked COM object. The loader then starts Covenant, with operator control routed through Filen-backed endpoints.

Mitigation

Apply Microsoft’s Office update addressing CVE-2026-21509 without delay. Disable or tightly restrict WebDAV usage within Office where feasible. Remove the malicious CLSID registry registration and delete the OneDriveHealth scheduled task. Block outbound access to Filen domains and related IPs, and monitor endpoints for creation of the noted DLL and PNG artifacts.

Response

Alert on creation of EhStoreShell.dll, SplashScreen.png, and changes under the hijacked CLSID registry path. Detect and investigate scheduled-task creation matching OneDriveHealth. Correlate Office process activity with outbound connections to Filen domains, quarantine related documents, and perform full host forensics on impacted systems.
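As an added example (not part of the SOC Prime bulletin or its rules), the Response checks above as a small Python triage pass over constructed Sysmon-style events: file creations named EhStoreShell.dll or SplashScreen.png, an InprocServer32 write whose server DLL sits outside %SystemRoot% (a generalization of the hijacked-CLSID check), and a schtasks /create for OneDriveHealth. The event shapes, user name, paths and the all-zero CLSID are assumptions; the CLSID beginning D9144DCD is the one from the simulation section below.

```python
import ntpath
import re

# Constructed Sysmon-style records (event ids 1, 11, 13); sample data, not bulletin
# telemetry. User, paths and the all-zero CLSID are placeholders; the file names,
# task name and the D9144DCD CLSID come from the page.
CONSTRUCTED_EVENTS = [
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\EhStoreShell.dll"},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\SplashScreen.png"},
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Classes\CLSID"
               r"\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32\(Default)",
     "details": r"C:\Users\alice\AppData\Local\Temp\EhStoreShell.dll"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "OneDriveHealth" /tr explorer.exe /sc minute /mo 15'},
    # Benign: an installer registering a server DLL that lives under %SystemRoot%.
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Classes\CLSID"
               r"\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "details": r"C:\Windows\System32\EhStorShell.dll"},
    # Benign: querying the task name is not creating it.
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /tn OneDriveHealth"},
]

ARTIFACT_NAMES = {"ehstoreshell.dll", "splashscreen.png"}
INPROC_RE = re.compile(r"\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32", re.I)
TASK_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b.*\s/tn\s+\"?OneDriveHealth\b", re.I)


def classify(ev):
    """Return the bulletin indicators one event matches (empty list if none)."""
    hits = []
    if ev["id"] == 11 and ntpath.basename(ev["target"]).lower() in ARTIFACT_NAMES:
        hits.append("artifact_file_created")
    if ev["id"] == 13 and INPROC_RE.search(ev["target"]):
        # Hijack shape: the CLSID's server DLL is registered outside %SystemRoot%.
        if not ev.get("details", "").lower().startswith("c:\\windows\\"):
            hits.append("com_inprocserver32_hijack")
    if ev["id"] == 1 and TASK_RE.search(ev.get("cmdline", "")):
        hits.append("onedrivehealth_task_created")
    return hits


def scan(events):
    """Map event index -> hits for every event that fired at least one indicator."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Feed `scan()` the registry, file and process-creation events from your SIEM export in the same field shape; the two benign records show the filters that keep installer writes and task queries quiet.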

Attack Flow

Detections

Suspicious Taskkill Execution (via cmdline)

SOC Prime Team
02 Feb 2026

Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)

SOC Prime Team
02 Feb 2026

Possible Explorer COM Hijacking (via registry_event)

SOC Prime Team
02 Feb 2026

Possible Search / Search-MS URI Protocol Handler Abuse (via cmdline)

SOC Prime Team
02 Feb 2026

Potentially Suspicious Scheduled Task Create, Run, Delete Behavior (via process_creation)

SOC Prime Team
02 Feb 2026

Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)

SOC Prime Team
02 Feb 2026

Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)

SOC Prime Team
02 Feb 2026

LOLBAS Regsvr32 (via cmdline)

SOC Prime Team
02 Feb 2026

IOCs (DestinationIP) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509

SOC Prime AI Rules
02 Feb 2026

IOCs (HashSha256) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509

SOC Prime AI Rules
02 Feb 2026

IOCs (HashSha1) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509

SOC Prime AI Rules
02 Feb 2026

IOCs (HashMd5) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509

SOC Prime AI Rules
02 Feb 2026

IOCs (Emails) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509

SOC Prime AI Rules
02 Feb 2026

IOCs (SourceIP) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509

SOC Prime AI Rules
02 Feb 2026

Detection of COM Hijacking via Registry Modification [Windows Registry Event]

SOC Prime AI Rules
02 Feb 2026

Malicious Network Connections Related to APT28 Cyber Attacks [Windows Network Connection]

SOC Prime AI Rules
02 Feb 2026

Suspicious File Creations Masquerading as Enhanced Storage Shell Extension [Windows File Event]

SOC Prime AI Rules
02 Feb 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    An adversary has obtained a foothold on the victim machine and wants to achieve persistence and stealthy code execution. They select a rarely-used CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} that is unlikely to be referenced by legitimate software. Using PowerShell (T1218.010), they write the malicious DLL path into the InProcServer32 sub-key, optionally setting a ThreadingModel value to "Both" to satisfy COM loading requirements. After registration, any legitimate application that attempts to instantiate this COM object will load the attacker-controlled DLL, which may subsequently invoke rundll32.exe (T1218.009) to execute a payload that contacts the attacker's C2 infrastructure (T1584.001).

  • Regression Test Script:

    # -------------------------------
    # COM Hijack Simulation (T1546.015)
    # -------------------------------
    $clsid = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'
    # Registry provider path; the backslashes are required or PowerShell reads "$clsidInProcServer32" as one variable name
    $regPath = "HKLM:\Software\Classes\CLSID\$clsid\InProcServer32"

    # Ensure the key exists (-Force also creates any missing parent keys)
    New-Item -Path $regPath -Force | Out-Null

    # Set the default value to a malicious DLL path (assume the DLL is already on disk)
    $maliciousDll = "C:\Temp\evil.dll"
    Set-ItemProperty -Path $regPath -Name '(Default)' -Value $maliciousDll

    # OPTIONAL: set ThreadingModel to Both (some COM objects require this)
    Set-ItemProperty -Path $regPath -Name 'ThreadingModel' -Value 'Both'

    Write-Host "[+] Registry hijack created for CLSID $clsid pointing to $maliciousDll"

  • Cleanup Commands:

    # -------------------------------
    # Cleanup COM Hijack Simulation
    # -------------------------------
    $clsid = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'
    $regPath = "HKLM:\Software\Classes\CLSID\$clsid"

    # Remove the entire CLSID key tree (InProcServer32 and any other sub-keys)
    if (Test-Path $regPath) {
        Remove-Item -Path $regPath -Recurse -Force
        Write-Host "[+] Removed hijacked CLSID $clsid from registry."
    } else {
        Write-Host "[*] CLSID $clsid not present; nothing to clean."
    }