UAC-0001 (APT28) Attacks Using CVE-2026-21509
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
APT28 (tracked as UAC-0001) is exploiting the newly disclosed Microsoft Office flaw CVE-2026-21509 to deliver malicious payloads against Ukrainian government targets and organizations across the EU. The intrusion begins with a weaponized DOC that forces a WebDAV request to pull additional components, then sets up COM hijacking to run a DLL-based loader that launches the Covenant framework. The activity also leverages legitimate Filen cloud storage as part of its network infrastructure. The campaign was observed in late January 2026.
Investigation
Analysis of the malicious DOC files showed that opening them in Office initiates a WebDAV connection that downloads a DLL named EhStoreShell.dll along with a PNG shellcode image. The DLL is made persistent via a CLSID COM registration hijack, and a scheduled task named OneDriveHealth is used to trigger explorer.exe, which loads the hijacked COM object. The loader then starts Covenant, with operator control routed through Filen-backed endpoints.
Mitigation
Apply Microsoft’s Office update addressing CVE-2026-21509 without delay. Disable or tightly restrict WebDAV usage within Office where feasible. Remove the malicious CLSID registry registration and delete the OneDriveHealth scheduled task. Block outbound access to Filen domains and related IPs, and monitor endpoints for creation of the noted DLL and PNG artifacts.
Response
Alert on creation of EhStoreShell.dll, SplashScreen.png, and changes under the hijacked CLSID registry path. Detect and investigate scheduled-task creation matching OneDriveHealth. Correlate Office process activity with outbound connections to Filen domains, quarantine related documents, and perform full host forensics on impacted systems.
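As an added example (not from the CERT-UA bulletin or from the detection rules listed on this page), the following Python applies the three checks from the Response section to constructed Sysmon/Security-log style events; the field names are simplified assumptions, and the registry check generalizes beyond this campaign to any CLSID InProcServer32 value redirected to a DLL outside trusted system directories.

```python
import re

# Constructed, simplified field names modelled on Sysmon (EventID 11/13) and
# Security 4698; a real pipeline would map the vendor schema onto these keys.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                        "%systemroot%\\system32\\", "c:\\program files\\")
ARTIFACT_NAMES = ("ehstoreshell.dll", "splashscreen.png")   # names from the bulletin
TASK_NAME = "onedrivehealth"                                 # task name from the bulletin
CLSID_INPROC = re.compile(r"\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32", re.I)

def check_registry(event):
    """EventID 13: a CLSID InProcServer32 value now points at a DLL outside trusted dirs."""
    target = event.get("TargetObject", "")
    dll = event.get("Details", "").lower()
    if CLSID_INPROC.search(target) and dll.endswith(".dll") and not dll.startswith(TRUSTED_DLL_PREFIXES):
        return f"COM hijack: {target} -> {event['Details']}"
    return None

def check_file(event):
    """EventID 11: one of the campaign's artifact file names is written to disk."""
    path = event.get("TargetFilename", "")
    if path.rsplit("\\", 1)[-1].lower() in ARTIFACT_NAMES:
        return f"Artifact drop: {path}"
    return None

def check_task(event):
    """Security 4698: a scheduled task registered under the campaign's task name."""
    name = event.get("TaskName", "")
    if name.strip("\\").lower() == TASK_NAME:
        return f"Scheduled task: {name} running {event.get('Command', '?')}"
    return None

CHECKS = {13: check_registry, 11: check_file, 4698: check_task}

def scan(events):
    """Apply the check matching each EventID; return alert strings in input order."""
    hits = (CHECKS.get(ev.get("EventID"), lambda _: None)(ev) for ev in events)
    return [h for h in hits if h]

HIJACK_KEY = r"HKLM\SOFTWARE\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32\(Default)"
SAMPLE_EVENTS = [  # constructed sample telemetry, not captured data
    {"EventID": 13, "TargetObject": HIJACK_KEY, "Details": r"C:\Users\Public\EhStoreShell.dll"},
    {"EventID": 13, "TargetObject": HIJACK_KEY, "Details": r"%SystemRoot%\system32\EhStorShell.dll"},  # system path: no alert
    {"EventID": 11, "TargetFilename": r"C:\Users\Public\SplashScreen.png"},
    {"EventID": 4698, "TaskName": r"\OneDriveHealth", "Command": r"C:\Windows\explorer.exe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "Command": "defrag.exe"},
]
```

Calling scan(SAMPLE_EVENTS) returns three alerts (the redirected InProcServer32 value, the SplashScreen.png drop and the OneDriveHealth task) while the system-path value and the Defrag task produce none; in production, expand environment variables in the Details field before the prefix check so legitimate %SystemRoot% registrations are not flagged.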
Attack Flow
Detections
- Suspicious Taskkill Execution (via cmdline)
- Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)
- Possible Explorer COM Hijacking (via registry_event)
- Possible Search / Search-MS URI Protocol Handler Abuse (via cmdline)
- Potentially Suspicious Scheduled Task Create, Run, Delete Behavior (via process_creation)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- LOLBAS Regsvr32 (via cmdline)
- IOCs (DestinationIP) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509
- IOCs (HashSha256) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509
- IOCs (HashSha1) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509
- IOCs (HashMd5) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509
- IOCs (Emails) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509
- IOCs (SourceIP) to detect: CERT-UA Bulletin: UAC-0001 (APT28) Attacks Using CVE-2026-21509
- Detection of COM Hijacking via Registry Modification [Windows Registry Event]
- Malicious Network Connections Related to APT28 Cyber Attacks [Windows Network Connection]
- Suspicious File Creations Masquerading as Enhanced Storage Shell Extension [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
An adversary has obtained a foothold on the victim machine and wants to achieve persistence and stealthy code execution. They select a rarely-used CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} that is unlikely to be referenced by legitimate software. Using PowerShell (T1218.010), they write the malicious DLL path into the InProcServer32 sub-key, optionally setting a ThreadingModel value to "Both" to satisfy COM loading requirements. After registration, any legitimate application that attempts to instantiate this COM object will load the attacker-controlled DLL, which may subsequently invoke rundll32.exe (T1218.009) to execute a payload that contacts the attacker's C2 infrastructure (T1584.001).
Regression Test Script:
# -------------------------------
# COM Hijack Simulation (T1546.015)
# -------------------------------
$clsid = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'
$regPath = "HKLM:\Software\Classes\CLSID\$clsid\InProcServer32"
# Ensure the key exists
New-Item -Path $regPath -Force | Out-Null
# Set the default value to a malicious DLL path (assume the DLL is already on disk)
$maliciousDll = "C:\Temp\evil.dll"
Set-ItemProperty -Path $regPath -Name '(Default)' -Value $maliciousDll
# OPTIONAL: set ThreadingModel to Both (some COM objects require this)
Set-ItemProperty -Path $regPath -Name 'ThreadingModel' -Value 'Both'
Write-Host "[+] Registry hijack created for CLSID $clsid pointing to $maliciousDll"
Cleanup Commands:
# -------------------------------
# Cleanup COM Hijack Simulation
# -------------------------------
$clsid = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'
$regPath = "HKLM:\Software\Classes\CLSID\$clsid"
# Remove the entire CLSID key tree
if (Test-Path $regPath) {
    Remove-Item -Path $regPath -Recurse -Force
    Write-Host "[+] Removed hijacked CLSID $clsid from registry."
} else {
    Write-Host "[*] CLSID $clsid not present; nothing to clean."
}