
Russia-linked APT28 Exploits Windows Vulnerabilities in Zero-Click Attacks

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

KIEV (AP) — A Russia-linked hacking group known as APT28 exploited Windows vulnerabilities left open by an incomplete Microsoft patch to launch zero-click attacks against targets in Ukraine and European Union countries.

The attacks, which began on April 27, 2026, exploited an incomplete patch for the security prompts shown by Windows SmartScreen and the Windows Shell. With those prompts bypassed, files delivered to a target could run without the warning that would normally stop them, which the group chained into remote code execution on affected systems.

Microsoft identified two specific vulnerabilities, designated CVE-2026-21510 and CVE-2026-21513, as the entry points for the intrusion. The group, also known by the aliases Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy, used the flaws to execute malicious code without user interaction. The attacks involved LNK shortcut files that Windows parses automatically, designed to steal credentials from targeted machines. In the long-known form of this technique, a shortcut points its icon or target at a remote UNC path, and Windows attempts to authenticate to that host when Explorer merely renders the shortcut, leaking NTLM credential material before the user opens anything.

The campaign targeted government and critical infrastructure entities across Ukraine and several EU member states. Security researchers noted that the incomplete previous security update left a window in which systems that had installed it were still exploitable, and the attackers used that window to deploy the zero-click exploits.

The vulnerabilities allowed APT28 to bypass the Windows security prompts that normally warn users before a potentially harmful file is executed, such as the Mark-of-the-Web warning for downloaded files. By exploiting the flaws in the SmartScreen filter and the Shell prompts, the attackers could run code silently in the background with no prompt for the user to decline.
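The article describes LNK files that steal credentials when Windows parses them and prompts that never appear, but not how a defender would find such shortcuts on a file share or in a mail quarantine. The following is an added example, not code from the article or from any vendor named in it: a minimal parser for the Shell Link binary format (MS-SHLLINK) that extracts the string fields Explorer resolves while rendering a shortcut and flags any that point at a remote UNC host. The sample shortcuts are constructed in memory, the host 203.0.113.10 is from the documentation address range, and the parser deliberately covers only the StringData section and the two environment-variable extra-data blocks; it does not walk the LinkInfo or IDList structures, which can also carry network paths. Which fields the campaign in the article actually used is not stated there and is not assumed here.

```python
import struct
import sys
from pathlib import Path

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
ENV_VAR_BLOCK = 0xA0000001   # EnvironmentVariableDataBlock: alternate target path
ICON_ENV_BLOCK = 0xA0000007  # IconEnvironmentDataBlock: alternate icon path
ENV_BLOCK_SIZE = 0x314       # 8-byte header + 260-byte ANSI + 520-byte Unicode path

STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(data, off, unicode):
    """StringData item: 2-byte character count followed by the (unterminated) string."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("latin-1"), off + count


def parse_lnk(data):
    """Return the path-bearing fields of a .lnk as a dict; raises ValueError if it is not a Shell Link."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: 2-byte size, then items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: first dword is its total size
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:              # StringData items appear in this fixed order
        if flags & bit:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    while off + 4 <= len(data):                  # ExtraData blocks until a terminal block (size < 4)
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            break
        if size == ENV_BLOCK_SIZE and off + size <= len(data):
            sig = struct.unpack_from("<I", data, off + 4)[0]
            if sig in (ENV_VAR_BLOCK, ICON_ENV_BLOCK):
                uni = data[off + 8 + 260: off + 8 + 260 + 520].decode("utf-16-le").split("\x00", 1)[0]
                fields["env_target" if sig == ENV_VAR_BLOCK else "icon_env"] = uni
        off += size
    return fields


def remote_references(fields):
    """(field, path) pairs whose path is a UNC reference to another host, i.e. a credential-leak trigger."""
    hits = []
    for name, value in fields.items():
        v = value.strip()
        if v.startswith("\\\\") and not v.startswith(("\\\\?\\", "\\\\.\\")):
            hits.append((name, v))
    return hits


def build_lnk(relative_path=None, icon_location=None, icon_env=None):
    """Construct a minimal Unicode .lnk for testing (sample data, not a real artifact from the campaign)."""
    flags = IS_UNICODE | (HAS_RELATIVE_PATH if relative_path else 0) | (HAS_ICON_LOCATION if icon_location else 0)
    header = (struct.pack("<I", 76) + LNK_CLSID + struct.pack("<II", flags, 0) + bytes(24)
              + struct.pack("<IiIHH", 0, 0, 1, 0, 0) + bytes(8))       # 76 bytes total
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, icon_location) if s)
    if icon_env:  # icon path hidden in an extra-data block instead of the ICON_LOCATION string
        body += (struct.pack("<II", ENV_BLOCK_SIZE, ICON_ENV_BLOCK)
                 + icon_env.encode("latin-1").ljust(260, b"\0")
                 + icon_env.encode("utf-16-le").ljust(520, b"\0"))
    return header + body + struct.pack("<I", 0)                          # TerminalBlock


# Constructed samples: a harmless shortcut, a classic UNC icon path, and the same path in an env block.
BENIGN = build_lnk(".\\report.docx", "%SystemRoot%\\system32\\shell32.dll")
SUSPICIOUS = build_lnk(".\\report.docx", "\\\\203.0.113.10\\share\\icon.ico")
HIDDEN = build_lnk(".\\report.docx", icon_env="\\\\203.0.113.10\\share\\icon.ico")


def scan_directory(root):
    """Walk a directory tree and return {path: remote references} for every flagged .lnk."""
    findings = {}
    for p in Path(root).rglob("*.lnk"):
        try:
            hits = remote_references(parse_lnk(p.read_bytes()))
        except (ValueError, struct.error):
            continue
        if hits:
            findings[str(p)] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

Run it against a mail quarantine or a file share export; a shortcut that resolves its icon from another host is worth pulling for analysis regardless of what the target points at, since the leak happens during rendering. Note that a UNC path can also be smuggled inside the LinkInfo structure, which this parser skips, so a clean result here is not a clean bill of health.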

Microsoft has since released updated patches that address the vulnerabilities. However, the initial incomplete fix left systems exposed for a period of time, enabling the group to conduct the operations, and organizations that applied only the first update remain exposed until the follow-up fix is installed. The attacks represent a significant escalation in the use of zero-click techniques against European targets.

The group's activity marks a continuation of state-sponsored cyber operations in the region. Previous campaigns by APT28 have focused on intelligence gathering and disruption of critical systems. The use of LNK files for credential theft is a known tactic employed by the group in past operations.

Security officials in Ukraine and the EU are assessing the full scope of the breach. The attacks occurred during a period of heightened cyber tension in the region. The group's ability to exploit the vulnerabilities suggests a sophisticated understanding of Windows security architecture.

The incident raises questions about how Microsoft develops and tests its security fixes. Because the initial fix was incomplete, the vulnerabilities persisted on patched systems, enabling the attacks. Microsoft has not commented on the specific timeline of the patch deployment or on why the initial update was incomplete.

As of now, the full extent of the data compromised remains unclear. Security firms are working with affected organizations to mitigate the impact of the breach. The group's continued activity suggests that further attacks may follow as it seeks to exploit remaining vulnerabilities in the region's digital infrastructure.