APT28 Shoved A Tick Through Your Unsheared Office Suite And Nobody Is Surprised
Look. I'm tired. I've been staring at alerts since before the sun came up and I have consumed enough coffee to tranquilize a full-grown ram. So let me just tell you what happened, and you can sit with the shame of it.
APT28, which is a very fancy name for a very persistent coyote that has been gnawing at the same fence for over a decade, found a hole in Microsoft Office. A fresh hole. CVE-2026-21509. Just sitting there, unpatched, because apparently nobody on this earth has time to apply ointment before the wound is already infected.
They crawled through that hole and dropped two particularly nasty parasites: something called MiniDoor, and something called Covenant Grunt. Both of them are the kind of ticks that dig in deep, set up a cozy little home in your wool, and quietly phone back to their handlers while you're busy grazing and doing absolutely nothing useful.
The targets were in Ukraine and Eastern Europe. Real espionage stuff. Targeted, deliberate, and embarrassingly effective.
Now here is the part where I have to ask the question nobody wants to answer.
How many of those initial footholds started because a lamb opened a document they absolutely should not have opened? A little fake grain, dressed up in an official-looking envelope, just waiting for one click from someone in accounting who was "just checking."
Every single time.
The coyote does not need to be clever if the flock is cooperative.
Microsoft has a patch. It exists. It has existed. The ointment is right there in the barn and yet here we are, collectively, with ticks.
Remediation
Fine. Here is what you do. Do it now. Not after your meeting. Now.
1. Patch the thing. Apply the shearing for CVE-2026-21509 immediately. Check your Office versions across every machine in the pasture. All of them. Yes, including Karen's laptop that "runs fine and doesn't need updates."
2. Check for MiniDoor and Covenant Grunt indicators. Hunt through your endpoint logs for unusual outbound connections and any processes that have no business running after an Office document was opened. If something is quietly bleating to an external IP at 3am, that is not normal sheep behavior.
3. Restrict macro execution. If your flock does not need macros to do their jobs, macros should not exist. Disable them via Group Policy and do not accept any argument from the shepherds about "but the quarterly report spreadsheet."
4. Segment the pasture. If a tick gets in, it should not be able to wander freely across the entire field. Network segmentation exists. Use it.
5. Retrain the lambs. I know. I know it doesn't work. Do it anyway. Show them what fake grain looks like. Make them click through the training module. Cry quietly afterward.
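Step 2 in practice, as an added example that is not part of the original post: a Python hunt over constructed, Sysmon-style endpoint events (JSON lines) that flags an Office application spawning a script interpreter or LOLBin, and any outbound connection to a non-RFC1918 address from a process descended from an Office app, tagging off-hours activity. The event schema, PIDs and addresses are constructed for the example; it carries no MiniDoor or Covenant Grunt indicators, which you would take from the original report.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample events (Sysmon-like JSON lines). PIDs are made up; 203.0.113.7 and
# 198.51.100.4 are documentation addresses standing in for external hosts.
SAMPLE_LOG = """\
{"type": "process", "ts": "2026-02-10T03:02:11", "pid": 4120, "ppid": 900, "image": "WINWORD.EXE"}
{"type": "process", "ts": "2026-02-10T03:02:15", "pid": 4188, "ppid": 4120, "image": "powershell.exe"}
{"type": "network", "ts": "2026-02-10T03:02:20", "pid": 4188, "image": "powershell.exe", "dst": "203.0.113.7"}
{"type": "process", "ts": "2026-02-10T14:10:00", "pid": 5000, "ppid": 900, "image": "EXCEL.EXE"}
{"type": "network", "ts": "2026-02-10T14:10:05", "pid": 5000, "image": "EXCEL.EXE", "dst": "10.0.0.12"}
{"type": "process", "ts": "2026-02-10T14:11:00", "pid": 5100, "ppid": 900, "image": "chrome.exe"}
{"type": "network", "ts": "2026-02-10T14:11:05", "pid": 5100, "image": "chrome.exe", "dst": "198.51.100.4"}
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and LOLBins that a freshly opened document has no business launching.
SUSPECT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# RFC 1918 space counts as "inside the pasture"; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(addr: str) -> bool:
    return not any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def off_hours(ts: str) -> bool:  # outside a 06:00-22:00 window; timestamps assumed local time
    return not 6 <= datetime.fromisoformat(ts).hour < 22

def hunt(log_text: str) -> list[dict]:
    """Flag Office spawning suspect children, and external connections from Office-descended processes."""
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])  # walk events in time order so parents precede children
    image_of: dict[int, str] = {}   # pid -> lowercase image name
    descended: set[int] = set()     # pids with an Office app somewhere in their ancestry
    findings = []
    for ev in events:
        img = ev["image"].lower()
        if ev["type"] == "process":
            image_of[ev["pid"]] = img
            parent = image_of.get(ev["ppid"], "")
            if parent in OFFICE or ev["ppid"] in descended:
                descended.add(ev["pid"])
                if img in SUSPECT_CHILDREN:
                    findings.append({"pid": ev["pid"], "ts": ev["ts"], "reason": f"{parent} spawned {img}"})
        elif ev["type"] == "network" and ev["pid"] in descended and is_external(ev["dst"]):
            tag = " (off-hours)" if off_hours(ev["ts"]) else ""
            findings.append({"pid": ev["pid"], "ts": ev["ts"], "reason": f"{img} -> {ev['dst']}{tag}"})
    return findings
```

Run `hunt(SAMPLE_LOG)` and only the WINWORD-to-powershell chain and its 3am external connection come back; Excel talking to an internal address and a browser talking to the internet are left alone.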
Staying awake so you don't have to, which is not a fair arrangement honestly
Original Report: https://thehackernews.com/2026/02/apt28-uses-microsoft-office-cve-2026.html