APT28 attacks involving MSHTML zero-day precede fixes

Russian state-sponsored threat operation APT28 has launched intrusions weaponizing the high-severity MSHTML vulnerability, tracked as CVE-2026-21513, before it was addressed by Microsoft last month, according to Security Affairs.

Analysis of the exploit sample 'document.doc.LnK.download', submitted to VirusTotal on Jan. 30, revealed an association with APT28 infrastructure. Executing the LNK-based payload establishes a connection to the APT28-linked 'wellnesscaremed[.]com' domain, and the exploit uses multiple DOM contexts and nested iframes to manipulate trust boundaries. The resulting navigation flow circumvents Mark of the Web and Internet Explorer Enhanced Security Configuration, which could then enable ShellExecuteExW invocation and code execution outside the browser sandbox, the report noted.
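Two of the observable artifacts above (a shortcut file disguised with a document extension, and a defanged command-and-control domain) are the kind of indicators a SOC would turn into hunting logic. The following Python is an added example written for this article, not code from the report or from Microsoft; the DNS log lines are constructed for illustration, and the `.download` suffix handling simply reflects the sample name as published.

```python
import re

# Indicator taken from the report; published defanged, so it must be refanged before matching.
DEFANGED_C2_DOMAIN = "wellnesscaremed[.]com"

# Extensions an attacker pairs with .lnk to make a shortcut look like a document.
DOC_LIKE_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('evil[.]com', 'hxxp://') back to a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def is_disguised_lnk(filename: str) -> bool:
    """True when a filename is a Windows shortcut (.lnk in any letter case) whose
    preceding extension makes it look like a document, e.g. 'invoice.doc.LnK'.
    A trailing '.download' suffix (added by some browsers and sandboxes) is ignored."""
    parts = filename.lower().split(".")
    if parts and parts[-1] == "download":
        parts = parts[:-1]
    # Need at least: basename, document-like extension, lnk extension.
    if len(parts) < 3:
        return False
    return parts[-1] == "lnk" and parts[-2] in DOC_LIKE_EXTENSIONS


def find_c2_lookups(log_lines, defanged_domain):
    """Return the log lines whose queried name is the C2 domain or a subdomain of it.
    Assumes a simple 'timestamp client query=<name>' format (constructed for this example)."""
    domain = refang(defanged_domain).lower()
    pattern = re.compile(r"query=([A-Za-z0-9.-]+)")
    hits = []
    for line in log_lines:
        m = pattern.search(line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            hits.append(line)
    return hits


# Constructed sample input: the published sample name plus benign filenames.
SAMPLE_FILENAMES = [
    "document.doc.LnK.download",  # the sample named in the report
    "quarterly_report.pdf",
    "shortcut.lnk",               # a plain shortcut, no disguise
    "Invoice.XLSX.lnk",
]

# Constructed DNS resolver log lines (not real telemetry).
SAMPLE_DNS_LOG = [
    "2026-02-01T09:12:03Z 10.0.0.15 query=login.microsoftonline.com",
    "2026-02-01T09:12:41Z 10.0.0.15 query=wellnesscaremed.com",
    "2026-02-01T09:13:07Z 10.0.0.22 query=cdn.wellnesscaremed.com.",
    "2026-02-01T09:14:55Z 10.0.0.22 query=example.org",
]


def triage():
    """Run both checks over the constructed samples and return the findings."""
    suspicious_files = [f for f in SAMPLE_FILENAMES if is_disguised_lnk(f)]
    c2_hits = find_c2_lookups(SAMPLE_DNS_LOG, DEFANGED_C2_DOMAIN)
    return suspicious_files, c2_hits


if __name__ == "__main__":
    files, hits = triage()
    print("Disguised LNK files:", files)
    print("C2 lookups:", *hits, sep="\n  ")
```

The filename check is deliberately case-insensitive because the published sample mixes case in its `.LnK` extension, a common trick against naive `endswith(".lnk")` filters. The domain matcher also catches subdomains and trailing-dot FQDNs as resolvers often log them.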

"While the observed campaign leverages malicious .LNK files, the vulnerable code path can be triggered through any component embedding MSHTML. Therefore, additional delivery mechanisms beyond LNK-based phishing should be expected," said researchers.
