{
	"id": "0eb888f8-f87e-45b9-a5e7-573944225fc1",
	"created_at": "2026-04-06T00:17:09.191757Z",
	"updated_at": "2026-04-10T13:12:43.752946Z",
	"deleted_at": null,
	"sha1_hash": "4fd0ac0341d244838df84dd2e12e1735f6bfa4af",
	"title": "Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98357,
	"plain_text": "Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz\r\nBy Sudeep Singh, Roy Tay\r\nPublished: 2026-02-02 · Archived: 2026-04-05 19:44:07 UTC\r\nTechnical Analysis\r\nIn the following sections, ThreatLabz discusses the technical details of Operation Neusploit, including how the\r\nbackdoors and stealers function and how they were deployed. We observed two variants of the attack chain. Both\r\nvariants begin with a specially crafted RTF file that weaponizes CVE-2026-21509 and, after successful exploitation,\r\ndownloads a malicious dropper DLL from the threat actor’s server. There are two variants of this dropper DLL that\r\ndeploy different components. We will discuss both the variants in the following sections.\r\nDropper Variant 1\r\nThe first dropper variant DLL is responsible for deploying a malicious Microsoft Outlook Visual Basic for\r\nApplications (VBA) project named MiniDoor. MiniDoor’s primary goal is to steal the user’s emails and forward\r\nthem to the threat actor.\r\nMiniDoor dropper DLL analysis\r\nMiniDoor is a lightweight 64-bit DLL written in C++. The malicious functionality is implemented in the exported\r\nfunction: UIClassRegister. The DLL does not use code obfuscation and includes two variants of string decryption:\r\nStrings decrypted using a hardcoded 1-byte XOR key (0x3a).\r\nEncrypted strings prefixed with a 1-byte XOR key, which is then used to decrypt the strings.\r\nBelow are the key functionalities of this DLL.\r\nCreates a mutex with the static name adjgfenkbe.\r\nA 58-byte XOR key is first decrypted using a single-byte XOR key (0x3a). 
The decrypted\r\nstring, savntjkengkvnvblhfbegjbtnhkwrenvbjjnkhejhkwenrjvbejbrbrncbis, is then used as a rolling XOR key to\r\ndecrypt the Outlook VBA project stored (encrypted) inside the .rdata section of the DLL.\r\nCreates the directory structure %appdata%\\Microsoft\\Outlook\\ recursively if it does not already exist.\r\nWrites the decrypted VBA project (MiniDoor) to %appdata%\\Microsoft\\Outlook\\VbaProject.OTM.\r\nSets the relevant Windows registry keys to downgrade Outlook security and allow the malicious project to\r\nload automatically each time Microsoft Outlook launches.\r\nThe table below shows the registry keys set by the dropper.\r\nhttps://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit\r\nPage 1 of 6\n\nSubkey | Value Name | Value | Description\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security | Level | 1 | Enables all macros in Microsoft Outlook.\r\nSoftware\\Microsoft\\Office\\16.0\\Outlook\\Options\\General | PONT_STRING | 0x20 | Disables the \"Content Download Warning\" dialog box.\r\nSoftware\\Microsoft\\Office\\16.0\\Outlook | LoadMacroProviderOnBoot | 1 | Ensures the macro provider loads when the Microsoft Outlook application starts.\r\nTable 1: The registry keys set by the MiniDoor DLL dropper to steal email from Microsoft Outlook.\r\nMiniDoor analysis\r\nThreatLabz named this VBA-based malware MiniDoor, as it appears to be a minimal version of NotDoor reported\r\nby Lab52. Similar to NotDoor, MiniDoor collects emails from the infected machine, but does not support the email-based commands implemented in NotDoor. Below are key functionalities of the Outlook VBA.\r\nMonitors the MAPILogonComplete event which occurs after the Outlook user has logged on. 
Once triggered,\r\nthe macro sleeps for 6 seconds before iterating through four folders in the user’s mailbox.\r\nTwo pre-configured email addresses are hardcoded in the VBA macro by the threat actor:\r\nahmeclaw2002@outlook.com\r\nahmeclaw@proton.me\r\nThe SearchNewMessageAndHandle method searches the following folders for existing emails.\r\nInbox\r\nRssFeeds\r\nJunk\r\nDrafts\r\nThe stealing functionality is implemented in the ForwardEmail method, which iterates over each folder’s\r\ncontents and, for each message that was not already forwarded:\r\nSaves a local copy to %TEMP%\\temp_email.msg.\r\nDrafts a new email, attaches temp_email.msg, and sends the email to both configured recipient\r\naddresses.\r\nSets the DeleteAfterSubmit property of the mailItem to true to ensure that no copy of the message is saved in\r\nthe Sent folder after it is forwarded to the threat actor.\r\nFor each Outlook message that is forwarded, the macro sets the AlreadyForwarded property to Yes to prevent\r\nthe same message from being forwarded twice.\r\nHandles the Application_NewMailEx event (triggered when new emails are received) by forwarding the\r\nreceived email to the above-mentioned email addresses.\r\nThe complete MiniDoor macro code is available in the ThreatLabz GitHub repository.\r\nDropper Variant 2\r\nIn the second dropper variant, the infection chain is more complex and involves multiple stages. 
Similar to the first\r\ndropper variant, after successful exploitation of CVE-2026-21509, the attack chain downloads a tool that ThreatLabz\r\nnamed PixyNetLoader, which drops malicious components on the endpoint and sets up the Windows environment to\r\nstart the infection chain.\r\nPixyNetLoader analysis\r\nThe dropper DLL used in variant 2 of the attack chain is new and previously undocumented.\r\nPixyNetLoader’s string decryption mechanism is similar to the MiniDoor dropper DLL. Below are the key\r\nfunctionalities.\r\nCreates a mutex with the name asagdugughi41.\r\nChecks for the presence of EhStoreShell.dll at %programdata%\\USOPublic\\Data\\User\\EhStoreShell.dll.\r\nIf EhStoreShell.dll is not found at the location above, then the main dropper logic is invoked.\r\nAll the embedded payloads are encrypted using a 0x47-byte-long rolling XOR\r\nkey: shfioehh243t3dcwechortjbo6k7pjl8lop7ku45ht3u4grywefdyehriobjojko5k65iyh. They are decrypted and\r\ndropped to the file system locations in the table below:\r\nLocation | Size (in bytes)\r\n%programdata%\\Microsoft OneDrive\\setup\\Cache\\SplashScreen.png | 0x39649\r\n%programdata%\\USOPublic\\Data\\User\\EhStoreShell.dll | 0x36200\r\n%temp%\\Diagnostics\\office.xml | 0xDE4\r\nTable 2: Decrypted embedded payloads, including their file system drop locations and corresponding sizes.\r\nUses COM object hijacking to establish persistence. EhStorShell.dll is the legitimate name for the Enhanced\r\nStorage Shell Extension DLL. 
By setting the Windows registry keys listed in the table below, PixyNetLoader\r\nensures that the next-stage malicious shellcode loader DLL is loaded each time the explorer.exe process starts.\r\nSubkey | Value Name | Value\r\nSoftware\\Classes\\CLSID\\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\\InProcServer32 | Null | %programdata%\\USOPublic\\Data\\User\\EhStoreShell.dll\r\nSoftware\\Classes\\CLSID\\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\\InProcServer32 | ThreadingModel | Apartment\r\nTable 3: Windows registry keys set by PixyNetLoader to ensure persistence.\r\nExecutes the following command using the CreateProcess Windows API to set up a Windows scheduled task.\r\nThis command leverages the previously dropped office.xml file to configure the scheduled task as shown\r\nbelow.\r\nschtasks.exe /Create /tn \"OneDriveHealth\" /XML \"%temp%\\Diagnostics\\office.xml\"\r\nThe Windows scheduled task is named OneDriveHealth and configured to launch the command below exactly one\r\nminute after the task is registered. The OneDriveHealth scheduled task launches the following command:\r\n%windir%\\system32\\cmd.exe\r\n/c (taskkill /f /IM explorer.exe \u003enul 2\u003e\u00261) \u0026 (start explorer \u003enul 2\u003e\u00261) \u0026 (schtasks /delete /f /tn OneDriveHe\r\nThe complete office.xml Windows scheduled task configuration file is available in the ThreatLabz GitHub repository.\r\nShellcode loader analysis\r\nThe dropped DLL EhStoreShell.dll is loaded in the explorer.exe process. Its key functionality is to extract shellcode\r\nembedded using steganography in the file named SplashScreen.png (that was previously dropped) and execute it.\r\nThe string decryption in the EhStoreShell.dll is similar to the MiniDoor dropper DLL. 
In addition, all the API names\r\nare resolved at runtime using the DJB2 API hashing algorithm.\r\nBelow are the key functionalities:\r\nLoads the legitimate version of EhStorShell.dll.\r\nResolves addresses for the following exports from the legitimate DLL:\r\nDllCanUnloadNow\r\nDllGetClassObject\r\nDllRegisterServer\r\nDllUnregisterServer\r\nOverwrites the export addresses in the malicious EhStoreShell.dll with the API addresses above to proxy the\r\nexecution to the legitimate version of EhStorShell.dll. This is done to preserve the functionality of the COM\r\nservice.\r\nConditional execution of malicious functionality\r\nThe EhStoreShell.dll executes its malicious logic only when both of the following conditions are met:\r\nChecks the host process that loaded the DLL. The malicious functionality is invoked only when the host\r\nprocess is explorer.exe. If the host process is not explorer.exe, then the code remains dormant.\r\nChecks whether the Sleep() API is short circuited (a common implementation used by several sandboxes) to\r\ndetect the analysis environment. This check is implemented as shown below.\r\nCalculates current timestamp by calling std::chrono::steady_clock::now().\r\nCalls Sleep() to delay execution by 3 seconds.\r\nCalculates current timestamp again by calling std::chrono::steady_clock::now().\r\nIf the difference between the current timestamp and the previous timestamp is greater than 2.9 seconds,\r\nonly then it continues with the malicious activity. If the difference is less than 2.9 seconds, then the\r\ncode assumes that the Sleep() API call has been tampered with.\r\nPNG steganography and shellcode loader\r\nOnce all the checks pass, EhStoreShell.dll creates a new thread using beginthreadex. 
The thread start function\r\nperforms the following actions:\r\nDecrypts the PNG path, %programdata%\\Microsoft OneDrive\\setup\\Cache\\SplashScreen.png, then expands\r\nenvironment variables to obtain the full file path.\r\nUses steganography to extract the malicious shellcode from the PNG file.\r\nEach pixel of the PNG image is represented by 4 bytes (1 byte per channel) for the red, green, blue, and\r\nalpha channels.\r\nThe Least Significant Bit (LSB) of each byte represents an encoded data bit, hence each byte of\r\nencoded data is stored within 8 bytes of image data (or 2 pixels).\r\nThe first 4 bytes of encoded data represent the payload size in little endian byte order and are followed\r\nby the cleartext payload itself.\r\nCreates a mutex named dvyubgbqfusdv32.\r\nThe complete code to extract the shellcode from the PNG file is available in the ThreatLabz GitHub repository.\r\nThe shellcode is executed by the EhStoreShell.dll via the following actions:\r\nAllocates executable memory using the native Windows API NtAllocateVirtualMemory.\r\nCopies the extracted shellcode into the newly allocated memory region.\r\nTransfers execution to the shellcode.\r\nShellcode analysis\r\nThe main purpose of this 64-bit shellcode is to load a .NET assembly embedded inside it. In order to load a managed\r\nassembly from native code, the shellcode uses the CLR hosting technique. 
Below are the key steps used to achieve\r\nmanaged code execution in-memory from unmanaged code.\r\nLoads the mscoree.dll and oleaut32.dll libraries.\r\nInitializes the .NET runtime by calling CLRCreateInstance (exported by mscoree.dll).\r\nRequests the ICLRMetaHost interface, selects the .NET version v4.0.30319, and initializes the ICorRuntimeHost\r\ninterface.\r\nRetrieves the application domain by calling ICorRuntimeHost::GetDefaultDomain, then queries this object to\r\nobtain the _AppDomain interface.\r\nUses SafeArrayCreate and SafeArrayAccessData methods to copy 0xfc00 bytes of the embedded .NET\r\nassembly into the array.\r\nCalls _AppDomain::Load_3 to load the .NET assembly passed via SafeArray, enabling in-memory execution\r\nof the .NET assembly.\r\nRetrieves the entrypoint of the .NET assembly and invokes it using MethodInfo::Invoke_3.\r\nCovenant Grunt analysis\r\nThe embedded .NET assembly is a Grunt implant associated with the open source .NET Covenant C2 framework. In\r\nthis sample, the implant uses the Filen API as a C2Bridge to communicate and receive tasks from the threat actor.\r\nThis abuse of legitimate APIs was previously observed in other Covenant Grunt implants linked to APT28 by\r\nThreatLabz and other researchers.\r\nStrings in this sample are XOR-encoded with the hardcoded string EIZ4EG2K8R and then Base64-encoded. These\r\ninclude the domains for querying the Filen API, the Authorization Bearer Token, and the Filen parent folder UUID\r\n(fe644d8c-2601-46ea-bf7d-3db110aa08d4).\r\nSource: https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit"
	],
	"report_names": [
		"apt28-leverages-cve-2026-21509-operation-neusploit"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434629,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fd0ac0341d244838df84dd2e12e1735f6bfa4af.pdf",
		"text": "https://archive.orkl.eu/4fd0ac0341d244838df84dd2e12e1735f6bfa4af.txt",
		"img": "https://archive.orkl.eu/4fd0ac0341d244838df84dd2e12e1735f6bfa4af.jpg"
	}
}