
Fancy Bear (APT28) Microsoft Office exploitation campaign targeting Ukrainian and EU organizations

Campaign · Happening score 56 · 3 unique sources, 3 articles

Summary


Fancy Bear (APT28) is linked to an active espionage campaign that has used a custom Covenant implant and BeardShell against Ukrainian targets since April 2024. According to ESET, recent activity also targeted central executive bodies of Ukraine with malicious DOC files exploiting CVE-2026-21509 in Microsoft Office. The operation used cloud storage services, including Icedrive, Filen, Koofr, and pCloud, for command-and-control, with Covenant as the primary implant and BeardShell as the fallback.

Related Happenings

Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities

Campaign
First: 14.05.2026 17:00 Last: 14.05.2026 17:00 Sources 1

About this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

UAC-0247 phishing-led malware campaign targeting Ukrainian government and healthcare institutions

Campaign
First: 16.04.2026 09:20 Last: 16.04.2026 09:20 Sources 1

About this happening: A **March-April 2026** **UAC-0247** phishing campaign targeted **Ukrainian government** and **municipal healthcare organizations**, using **malware delivery** to steal data from *...

Storm-1175 high-tempo Medusa ransomware campaign

Campaign
First: 07.04.2026 13:02 Last: 07.04.2026 13:02 Sources 1

About this happening: **Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...

Storm-1175 high-velocity exploit campaign

Campaign
First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Timeline

  1. 10.03.2026 12:00 1 article · 2 months ago

    APT28 uses custom Covenant and BeardShell against Ukrainian targets

    Campaign Scope Update

    ESET says APT28 has used a custom variant of Covenant together with BeardShell since April 2024 against Ukrainian targets, including Ukrainian military personnel and central executive bodies of Ukraine, with recent attacks exploiting CVE-2026-21509 in Microsoft Office via malicious DOC files. Covenant is the primary implant and BeardShell is the fallback, while Icedrive, Filen, Koofr, and pCloud are used for C2 infrastructure.

  2. 02.02.2026 14:45 2 articles · 3 months ago

    Malicious Word document created

    Technical Analysis Update

    A Word DOC file named Consultation_Topics_Ukraine(Final).doc was created on the morning of January 27 and contained an exploit for CVE-2026-21509. The file was themed around COREPER consultations on the situation in Ukraine, showing that the exploit chain was being prepared immediately after public disclosure.

  3. 02.02.2026 14:45 1 article · 3 months ago

    CERT-UA identifies the delivery and payload chain

    Detection / IoC Update

    CERT-UA found Consultation_Topics_Ukraine(Final).doc on January 29 and received partner reports about emails, purportedly from the Ukrainian Hydrometeorological Center, that delivered BULLETEN_H.doc to over 60 addresses, mostly Ukrainian central executive authorities. Opening the document triggered a WebDAV connection, the download of a disguised LNK file, COM hijacking, creation of the scheduled task OneDriveHealth, and execution of Covenant, with Filen used for C2 infrastructure.

  4. 26.01.2026 02:00 1 article · 4 months ago

    Microsoft discloses CVE-2026-21509

    Initial Disclosure

    Microsoft disclosed CVE-2026-21509 in Microsoft Office on January 26 and confirmed evidence of exploitation in the wild. The flaw is classified as reliance on untrusted inputs in a security decision; it affects Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise, and can be used to bypass OLE mitigations.
