I thought it was just a work file, but it’s actually a GRU trap. We break down this sneaky new attack on Ukrainians in plain English: how the hackers read your mail, how they hide code inside photos, and why your antivirus might not alert you. Learn how to protect yourself.
January 2026. Most of us were still trying to get back into the swing of things at work after the holiday season when something much worse was developing in cyberspace. Quietly, without any fanfare, the Russian group known as APT28 (also known as Fancy Bear and working under the GRU) launched a new operation they called Neusploit.
Neusploit may be frightening even for people who have spent time in cybersecurity, above all because of the way they are going about it.
The focus is not on the fact that they are once again hacking into Ukraine, Poland, or Slovakia — sadly, we’ve grown accustomed to seeing that. The focus is on how they are going about it. Don’t think about ancient viruses that will be blocked by Windows Defender. This time, the GRU boys took some time to prepare, utilizing a vulnerability discovered yesterday.
It begins innocently enough. You receive an email with a completely unremarkable, corporate-type subject line: “Consulting Topics Ukraine,” “Courses” or a generic “Bulletin.” Your hand automatically goes to open the attached file. It’s just a regular RTF or DOC file, right? What can possibly go wrong?
What happens is CVE-2026-21509.
That is the identifier of a brand-new vulnerability in Microsoft Office. Once you open the document, a hidden script begins carrying out its nefarious work. On top of that, the hackers set up their servers to operate as snipers rather than as machine guns.
When your computer attempts to contact the server, it checks: “Where are you coming from?” If the request appears to be originating from the United States or Western Europe — silence. The server becomes dormant. However, if the IP address is Ukrainian, Romanian or Slovak — “welcome” — here is your package of viruses. This is referred to as geo-fencing, which permits them to remain undetected by Western antivirus laboratories for a considerable amount of time.
At that point, depending on how the plot unfolds, one of two scenarios plays out, both of them disastrous.
Consider an invisible man moving into your apartment. He breaks no dishes; he steals no money. He simply resides in your apartment and duplicates all of your correspondence. That is precisely the manner in which MiniDoor functions. MiniDoor is a malicious macro that integrates itself directly into Outlook. It operates brazenly and deceptively in the following manner:
• Waits for you to sign in.
• Pauses for six seconds (to prevent lagging and so you won’t suspect anything).
• Begins to scan through your folders: “Inbox,” “Drafts,” and “Spam.”
• Copies the emails and transmits them to the hackers.
• And now — the icing on the cake. To guarantee that you will not observe the outgoing emails, the virus instantly removes them from the “Sent” folder. Clean work. You’re conversing with colleagues, business associates, the military — and duplicate versions of these communications are currently sitting on servers in Moscow.
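The “send, then scrub the Sent folder” behaviour described above is something a mail administrator can hunt for. The following detector is an added example, not code from the article or from any vendor: it runs over constructed, Outlook-style audit events (the line format and user names are assumptions) and flags users whose outgoing mail is hard-deleted from “Sent” within seconds of being sent, also noting how soon after sign-in the first such send happened.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (format is an assumption, not real Outlook telemetry).
# alice shows the MiniDoor pattern: send ~6 s after logon, then each message is
# purged from Sent a second later. bob deletes one sent mail hours later (normal).
SAMPLE_EVENTS = """\
2026-01-14T09:00:00Z user=alice event=Logon
2026-01-14T09:00:06Z user=alice event=Send id=m1 to=drop@example.org
2026-01-14T09:00:07Z user=alice event=HardDelete folder=Sent id=m1
2026-01-14T09:00:08Z user=alice event=Send id=m2 to=drop@example.org
2026-01-14T09:00:09Z user=alice event=HardDelete folder=Sent id=m2
2026-01-14T09:15:00Z user=bob event=Send id=m3 to=team@example.org
2026-01-14T11:20:00Z user=bob event=HardDelete folder=Sent id=m3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_send_then_delete(log_text, window_s=60, min_hits=2):
    """Return {user: [(msg_id, recipient, secs_until_delete, secs_since_logon)]}
    for users whose sent mail vanished from Sent within window_s at least min_hits times."""
    sent = {}                      # (user, msg_id) -> Send event
    logon = {}                     # user -> last Logon timestamp
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        user, kind = ev["user"], ev["event"]
        if kind == "Logon":
            logon[user] = ev["ts"]
        elif kind == "Send":
            sent[(user, ev["id"])] = ev
        elif kind == "HardDelete" and ev.get("folder") == "Sent":
            orig = sent.get((user, ev["id"]))
            if orig is None:
                continue
            delta = (ev["ts"] - orig["ts"]).total_seconds()
            since_logon = (orig["ts"] - logon[user]).total_seconds() if user in logon else None
            if delta <= window_s:
                hits[user].append((ev["id"], orig["to"], delta, since_logon))
    return {u: h for u, h in hits.items() if len(h) >= min_hits}
```

A real deployment would feed the same logic from the mailbox audit log and tune `window_s` and `min_hits` to local noise; the 6-second gap after logon is the detail from the article that makes the first hit stand out.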
If the first scenario is a pickpocket, the second is a SWAT team taking over a building. Here the hackers applied real technological wizardry. To get around modern defensive tools, they used steganography. Remember spy movies? This is it. A picture titled SplashScreen.png is downloaded onto your computer. A typical image, nothing particularly unusual. But if you take it apart down to the atomic level (or, rather, down to the byte level), you’ll discover that a number of pixels contain altered bits. The human eye cannot detect this, yet a specialized loader can read program code back out of the picture.
Essentially, they embedded a cyber weapon within a digital picture.
But that’s not all. Before the payload runs, it checks whether it is being watched. It uses a time-based trick: it records the current time, tells the processor to “sleep” for three seconds, and reads the clock again. If the clock did not advance the way it would on a real machine (a common situation on the virtual machines antivirus companies use), the virus concludes that it is a trap and self-destructs without ever revealing itself.
The most intriguing aspect is how these applications “call home.” Typically, administrators deny access to suspicious traffic. However, in this instance, the virus (specifically the Covenant Grunt component) utilizes the API of a legitimate cloud storage provider, Filen, to establish communication.
Therefore, to security personnel, it appears to be an employee merely uploading work files to the cloud. No one notices the deception. Perfect concealment.
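Because the traffic goes to a legitimate cloud-storage API, blocking by domain is not an option; what a defender can look at instead is rhythm. The detector below is an added example, not code from the article or from any product, and it assumes something the article does not state: that an implant polls its storage-based channel on a fixed timer, while a human uploading files does not. It runs over constructed proxy log lines; the hostname `api.cloud-storage.example` is a placeholder, not Filen’s real endpoint.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (format and hostname are assumptions). 10.0.0.7 polls every
# ~60 s with near-identical request sizes; 10.0.0.9 is a person uploading files at random.
SAMPLE_PROXY = """\
2026-01-15T10:00:00Z src=10.0.0.7 host=api.cloud-storage.example method=POST bytes=412
2026-01-15T10:01:01Z src=10.0.0.7 host=api.cloud-storage.example method=POST bytes=415
2026-01-15T10:02:00Z src=10.0.0.7 host=api.cloud-storage.example method=POST bytes=409
2026-01-15T10:02:59Z src=10.0.0.7 host=api.cloud-storage.example method=POST bytes=411
2026-01-15T10:04:00Z src=10.0.0.7 host=api.cloud-storage.example method=POST bytes=414
2026-01-15T10:05:01Z src=10.0.0.7 host=api.cloud-storage.example method=POST bytes=410
2026-01-15T10:00:10Z src=10.0.0.9 host=api.cloud-storage.example method=PUT bytes=2048000
2026-01-15T10:07:42Z src=10.0.0.9 host=api.cloud-storage.example method=PUT bytes=530000
2026-01-15T10:31:05Z src=10.0.0.9 host=api.cloud-storage.example method=GET bytes=120
2026-01-15T11:58:20Z src=10.0.0.9 host=api.cloud-storage.example method=PUT bytes=98000
2026-01-15T12:40:00Z src=10.0.0.9 host=api.cloud-storage.example method=GET bytes=300
"""


def parse_proxy_line(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime and an int byte count."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["bytes"] = int(ev["bytes"])
    return ev


def beacon_candidates(log_text, min_requests=5, max_cv=0.2, max_size_spread=0.1):
    """Group requests by (src, host) and flag pairs whose inter-request gaps
    (coefficient of variation <= max_cv) and request sizes are too regular for a human."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_proxy_line(line)
            per_pair[(ev["src"], ev["host"])].append(ev)
    flagged = {}
    for pair, evs in per_pair.items():
        if len(evs) < min_requests:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        sizes = [e["bytes"] for e in evs]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        size_spread = (max(sizes) - min(sizes)) / statistics.mean(sizes)
        if cv <= max_cv and size_spread <= max_size_spread:
            flagged[pair] = {"n": len(evs), "interval_s": round(statistics.mean(gaps), 1), "cv": round(cv, 3)}
    return flagged
```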
We must confront reality: we are at war. And this conflict is not solely fought in the trenches — it is also waged in networks and servers. APT28 is comprised of skilled individuals. They evolve, they study Ukrainian (the documents were well-localized), and they seek out novel vulnerabilities in software.
Can you safeguard yourself? Absolutely. Firstly, update. Microsoft has already issued a patch for this flaw (CVE-2026-21509). If you have an older version of Office downloaded from “torrents” or you merely disregard the “update” button — you are the ideal candidate for exploitation. Secondly, activate your paranoia. If you received a .doc or .rtf file from a stranger or even a buddy but with unusual text — don’t open it. It would be far better to phone them and inquire: “Did you transmit something?”
The tale of Neusploit serves as yet another reminder: in today’s world, there exists no safe “rear.” If you possess a computer and the Internet, you are currently engaged in combat. Therefore, be vigilant.