UAC-0001 (APT28) Attack Detection: russia-Backed Actor Actively Exploits CVE-2026-21509 Targeting Ukraine and the EU
ID: 2fbedfe2-f3ff-5013-98a5-b6c01fee763c
STIX ID: report--2fbedfe2-f3ff-5013-98a5-b6c01fee763c
Feed Name: SOC Prime Blog
CERT-UA reports that UAC-0001 (APT28) rapidly weaponized the Microsoft Office zero-day CVE-2026-21509 in late January 2026. The lure is a malicious Word document that fetches a shortcut; the shortcut launches a DLL (EhStoreShell.dll) through COM hijacking, and a scheduled task named OneDriveHealth provides persistence. The payload is the COVENANT C2 framework, with command and control routed through Filen cloud storage. Initial targets were Ukrainian state bodies, followed by organizations in the EU. File metadata shows that one sample was created within 24 hours of the public disclosure, which indicates active exploitation and a fast-expanding campaign.
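The post-exploitation artifacts named above (a per-user COM hijack loading EhStoreShell.dll, a scheduled task called OneDriveHealth, and an Office process writing the fetched shortcut) are the kind of thing a detection engineer turns into host-telemetry rules. The following is an added example and not code from CERT-UA or SOC Prime: three rules run over constructed Sysmon-style event records (Event IDs 1, 11 and 13). The CLSID, user SID, file paths and command line in the sample events are placeholders, not indicators from the report; the `rundll32` launch and the task's schedule are likewise assumptions made for the sample.

```python
import re
from dataclasses import dataclass

# Paths a standard user can write to. A COM server or task action living here
# is the tell: legitimate servers sit under Program Files or System32.
USER_WRITABLE = re.compile(
    r"C:\\(?:Users\\[^\\]+|ProgramData|Windows\\Temp)\\", re.I)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Per-user InprocServer32 key as Sysmon renders it (HKU\<SID>\Software\Classes).
INPROC_KEY = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32", re.I)


@dataclass
class Finding:
    rule: str
    record: int  # RecordNumber of the triggering event


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_com_hijack(ev: dict) -> bool:
    """Sysmon EID 13 (registry value set): a per-user InprocServer32 value
    pointing at a DLL in a user-writable path, or at EhStoreShell.dll.
    HKCU\\Software\\Classes is merged ahead of HKLM in HKCR, so this shadows
    the real server without administrative rights."""
    if ev["EventID"] != 13 or not INPROC_KEY.search(ev.get("TargetObject", "")):
        return False
    dll = ev.get("Details", "")
    return bool(USER_WRITABLE.match(dll)) or basename(dll) == "ehstoreshell.dll"


def rule_task_persistence(ev: dict) -> bool:
    """Sysmon EID 1 (process create): schtasks.exe registering a task named
    OneDriveHealth, or any task whose action runs from a user-writable path."""
    if ev["EventID"] != 1 or basename(ev.get("Image", "")) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "")
    if not re.search(r"/create\b", cmd, re.I):
        return False
    tn = re.search(r'/tn\s+"?([^\s"]+)', cmd, re.I)
    tr = re.search(r'/tr\s+"?(.+?)"?(?:\s+/|$)', cmd, re.I)
    return bool(tn and tn.group(1).lower() == "onedrivehealth") or \
        bool(tr and USER_WRITABLE.search(tr.group(1)))


def rule_office_drops_lnk(ev: dict) -> bool:
    """Sysmon EID 11 (file create): an Office process writing a .lnk file.
    The lure document in this campaign fetches a shortcut that stages the DLL."""
    return (ev["EventID"] == 11
            and basename(ev.get("Image", "")) in OFFICE
            and ev.get("TargetFilename", "").lower().endswith(".lnk"))


RULES = {
    "office_process_writes_lnk": rule_office_drops_lnk,
    "com_hijack_user_writable_inprocserver32": rule_com_hijack,
    "schtasks_onedrivehealth_or_user_writable_action": rule_task_persistence,
}


def hunt(events: list[dict]) -> list[Finding]:
    """Apply every rule to every event; one Finding per (event, rule) hit."""
    return [Finding(name, ev["RecordNumber"])
            for ev in events for name, fn in RULES.items() if fn(ev)]


# Constructed sample events (not telemetry from the report). CLSID, SID, user
# name and paths are placeholders.
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.lnk"},
    {"RecordNumber": 2, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\EhStoreShell.dll"},
    {"RecordNumber": 3, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn OneDriveHealth '
                    r'/tr "rundll32.exe C:\Users\alice\AppData\Roaming\EhStoreShell.dll,Start" '
                    r'/sc minute /mo 15'},
    # Benign: a vendor installer registering its server under HKLM.
    {"RecordNumber": 4, "EventID": 13,
     "TargetObject": r"HKLM\Software\Classes\CLSID"
                     r"\{11111111-1111-1111-1111-111111111111}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
    # Benign: Word saving a document.
    {"RecordNumber": 5, "EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule}: record {f.record}")
```

The COM rule deliberately keys on the hive and the DLL location rather than on the file name alone, since the name is trivially changed between samples while a user-writable InprocServer32 override under HKU is the structural condition a COM hijack needs. The same applies to the task rule: the OneDriveHealth name is the reported indicator, but an action path under a user profile is the durable signal.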
