The Russian state-backed threat group tracked as APT28 (also known as Fancy Bear, Sednit, Forest Blizzard, and Sofacy) wasted no time exploiting CVE-2026-21509, targeting diplomatic, maritime, and transportation organizations in nine countries. Exploitation began within 48 hours of Microsoft releasing an urgent security update for the flaw.
Researchers from Trellix say the attackers reverse-engineered the patch and built an in-memory exploit for the flaw, which they used to deploy two previously unseen backdoors, BeardShell and NotDoor. The campaign was designed for stealth: payloads were delivered encrypted and decrypted and executed only in memory, so nothing malicious was written to disk for file-based scanners to find.
The infection chain began with spear-phishing emails sent from compromised government accounts, presumably so that the messages arrived from senders the recipients already trusted. Once a host was compromised, the backdoors communicated with their command-and-control infrastructure over legitimate cloud services, blending in with normal traffic to avoid standard network controls such as domain and IP reputation blocking.
Trellix notes the spear-phishing wave delivered at least 29 distinct lures. By target sector, 40 percent were aimed at defense ministries, 35 percent at transport and logistics operators, and 25 percent at diplomatic entities. The victims were concentrated in Eastern Europe and neighboring regions.
Experts warn that CVE-2026-21509 demonstrates how quickly state-backed actors can weaponize newly disclosed flaws, shrinking the window defenders have to patch critical systems. The campaign's layered approach of phishing from trusted accounts, in-memory backdoors, and cloud-hosted C2 also highlights the growing use of trusted channels to mask malicious activity from both mail filtering and network monitoring.
“The campaign’s rapid execution and cloud-based C2 show how defenders must act fast to patch critical systems,” Trellix researchers said.