2 min read | Saved February 14, 2026
Do you care about this?
Russia-linked APT28 is actively exploiting a newly disclosed Microsoft Office zero-day vulnerability, targeting Ukrainian government agencies and organizations in the EU. The bug allows attackers to deploy malware through weaponized documents, establishing a persistent foothold on affected systems. Despite Microsoft releasing patches, experts warn that cyberattacks using this vulnerability will likely increase.
If you do, here's more
Russia-linked APT28 hackers began exploiting a newly disclosed zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509, within days of its disclosure. Ukraine's national cyber defense team, CERT-UA, reported that the exploit was being used against Ukrainian government agencies and organizations across the EU. The first malicious document, titled "Consultation_Topics_Ukraine(Final).doc," appeared publicly on January 29; its metadata indicates it was created only two days after Microsoft's warning.
The attack chain begins when a user opens the malicious DOC file, which triggers a WebDAV request to an attacker-controlled server and retrieves a Windows shortcut (.lnk) file. The shortcut leads to the installation of a DLL disguised as a legitimate Windows component, and the attackers register that DLL via COM hijacking (pointing a COM class entry in the user's registry hive at the malicious DLL so that a legitimate process loads it) to maintain persistence. They then deploy the COVENANT post-exploitation framework and route its command-and-control traffic through a legitimate cloud storage service, which blends in with ordinary HTTPS traffic and makes detection harder. CERT-UA has advised organizations to monitor or block traffic to the Filen service.
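The chain above leaves several host-side traces that are cheap to hunt for, even without knowing the specific DLL or CLSID used. The script below is an added illustration, not code from CERT-UA or from the article: it runs four detection rules over Sysmon-style events supplied as JSON lines. The sample events are constructed (paths, SID, GUID and hostnames are made up); the Sysmon field names (`TargetFilename`, `ImageLoaded`, `Signed`, `TargetObject`, `QueryName`) are real, the `Tfs_DAV` directory is where the Windows WebDAV mini-redirector caches fetched files, and `filen.io` is assumed to be the Filen service domain (adjust it to the indicators CERT-UA publishes).

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (JSON lines) modelled on the reported chain:
# WebDAV fetch of a .lnk, Office loading an unsigned DLL from a user-writable
# path, a per-user CLSID InprocServer32 write (COM hijack), and a DNS lookup
# for the cloud-storage domain used for C2. The last two lines are benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV\\share\\update.lnk"}
{"EventID": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\wininet.dll", "Signed": "false"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\rundll32.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Classes\\CLSID\\{01234567-89AB-CDEF-0123-456789ABCDEF}\\InprocServer32\\(Default)", "Details": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\wininet.dll"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\rundll32.exe", "QueryName": "gateway.filen.io"}
{"EventID": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Windows\\System32\\wininet.dll", "Signed": "true"}
{"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.example.org"}
"""

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Directories a standard user can write to; a "Windows component" loaded from
# here is suspicious regardless of what it is named.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\appdata\\|programdata\\|windows\\temp\\)", re.I)

# Cache directory of the Windows WebDAV mini-redirector (WebClient service);
# files opened over WebDAV land here before the opening process reads them.
WEBDAV_CACHE = re.compile(r"\\TfsStore\\Tfs_DAV\\", re.I)

# COM hijack: an InprocServer32 entry under the *user* hive. Per-user CLSID
# entries are consulted before the machine-wide ones, so whatever DLL is
# registered here is loaded by any process that instantiates that class.
USER_CLSID_INPROC = re.compile(
    r"^HK(U\\[^\\]+|CU)\\SOFTWARE\\Classes\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32", re.I)

# Assumption: Filen's service domain. Replace with the indicators CERT-UA lists.
FILEN_DOMAIN = re.compile(r"(^|\.)filen\.io$", re.I)


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Return a list of (rule_name, detail) findings for one Sysmon event."""
    findings = []
    eid = ev.get("EventID")

    # Rule 1: a shortcut file arriving through the WebDAV client cache.
    target = ev.get("TargetFilename", "")
    if eid == 11 and WEBDAV_CACHE.search(target) and target.lower().endswith(".lnk"):
        findings.append(("webdav_lnk_fetch", target))

    # Rule 2: an Office process loading an unsigned DLL from a user-writable path.
    if eid == 7 and basename(ev.get("Image", "")) in OFFICE_PROCESSES:
        loaded = ev.get("ImageLoaded", "")
        if USER_WRITABLE.match(loaded) and ev.get("Signed", "").lower() != "true":
            findings.append(("office_loads_unsigned_user_dll", loaded))

    # Rule 3: registry write that plants a per-user COM server (persistence).
    if eid == 13 and USER_CLSID_INPROC.match(ev.get("TargetObject", "")):
        findings.append(("com_hijack_user_clsid", ev["TargetObject"]))

    # Rule 4: DNS query for the cloud-storage service used to relay C2 traffic.
    if eid == 22 and FILEN_DOMAIN.search(ev.get("QueryName", "")):
        findings.append(("filen_dns_query", ev["QueryName"]))

    return findings


def scan(jsonl: str) -> list:
    """Run check_event over every non-empty JSON line and collect findings."""
    results = []
    for line in jsonl.splitlines():
        line = line.strip()
        if line:
            results.extend(check_event(json.loads(line)))
    return results


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:32s} {detail}")
```

Rule 2 deliberately keys on the load path and signature rather than the DLL's name: a DLL "disguised as a legitimate Windows component" will carry a plausible name, but a real Windows component does not live under a user's AppData directory. Rule 3 fires on any per-user InprocServer32 write, which is noisy on hosts with per-user software installs, so in production you would baseline the CLSIDs seen there before alerting.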
The campaign is not limited to Ukraine: CERT-UA identified additional documents targeting EU organizations around the same time. One notable detail is that the attackers registered the payload-delivery domain on the same day they used it, leaving reputation-based blocking little time to catch up and indicating rapid adaptation to evade detection. While Microsoft has issued patches for the vulnerability, CERT-UA expressed concern about the slow uptake of these updates and warned that attacks leveraging this vulnerability are likely to increase.