APT28 Campaign Uses Office Security Bypass – CVE-2026-21509

Advisory • High Priority

Russia-linked APT28 rapidly weaponised CVE-2026-21509 following disclosure, combining phishing, evasive execution chains, and cloud-hosted infrastructure to accelerate compromise.

Since its disclosure and patch release in January 2026, CVE-2026-21509 has been actively exploited by the Russia-linked advanced persistent threat group APT28. The campaign combines spear phishing, evasive execution chains, and cloud-hosted command-and-control infrastructure to minimise detection opportunities and accelerate initial compromise.

This activity reflects a broader shift in advanced threat operations: rapidly operationalising newly disclosed vulnerabilities, leveraging trusted cloud services to blend malicious activity with legitimate traffic, and using multi-stage payload delivery to bypass traditional endpoint defences.

The speed of exploitation highlights the diminishing window between patch release and real-world attacks. This advisory summarises the observed tradecraft, outlines the strategic implications for enterprise security programs, and provides practical recommendations to strengthen detection, response, and resilience against rapidly evolving nation-state tactics.

Read more: Download the full report
