{"id":122,"date":"2026-03-02T11:43:12","date_gmt":"2026-03-02T11:43:12","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=122"},"modified":"2026-03-02T11:43:12","modified_gmt":"2026-03-02T11:43:12","slug":"apt28-tied-to-cve-2026-21513-mshtml-0-day-exploited-before-feb-2026-patch-tuesday","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=122","title":{"rendered":"APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 02, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Threat Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgGmBYExYY-MdqirvtI7-k2gWDf2rCE5AX4J246DywytJU0hWklJfAxRUKUa6AhU-VFWf2jazsAR1DkpPBHUqv2LsGckfxhVUebrMsnAccaYYmp2L9VJDz4rHaRLxKRgXaYM-UPcFS_ZoyveJxkLu1RunwaIuCBckILFDzMo1mCZtg9zaOmXrOSEEWU7RSg\/s1700-e365\/windows.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>A recently disclosed security flaw patched by Microsoft may have been exploited by the Russia-linked state-sponsored threat actor known as APT28, according to <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/2026\/feb\/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis\" rel=\"noopener\" target=\"_blank\">new findings<\/a> from Akamai.<\/p>\n<p>The vulnerability in question is <strong>CVE-2026-21513<\/strong> (CVSS score: 8.8), a high-severity security feature bypass affecting the MSHTML Framework.<\/p>\n<p>\u00abProtection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network,\u00bb Microsoft <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-21513\" rel=\"noopener\" target=\"_blank\">noted<\/a> in its advisory for the flaw. It was fixed by the Windows maker as part of its February 2026 Patch Tuesday update.<\/p>\n<p>However, the tech giant also noted that the vulnerability had been exploited as a zero-day in real-world attacks, crediting the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, along with Google Threat Intelligence Group (GTIG), for reporting it.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/not-fast-enough-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhlXM830ruQd2xT6M7JNeNRjaFa1onD12WjSCHihTFMTzbyfT9h-irPmXy_h3E1HGSs6sdv7FTmnyNVTM5kmSb7BuUtZe8gKoTQt99P1sSzRcqqXpOJP6eoAOhR3DGb6qHx9kOZ_HBZUMmVnsnd0DM7QfUp81bgzTvvgLww6oqB-EhnDfWXH5pWCYhAsyLs\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>In a hypothetical attack scenario, a threat actor could weaponize the vulnerability by persuading a victim to open a malicious HTML file or shortcut (LNK) file delivered through a link or as an email attachment.<\/p>\n<p>Once the crafted file is opened, it manipulates browser and Windows Shell handling, causing the content to be executed by the operating system, Microsoft noted. This, in turn, allows the attacker to bypass security features and potentially achieve code execution.<\/p>\n<p>While the company has not officially shared any details about the zero-day exploitation effort, Akamai said it identified a <a href=\"https:\/\/www.virustotal.com\/gui\/file\/aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa\/detection\" rel=\"noopener\" target=\"_blank\">malicious artifact<\/a> that was uploaded to VirusTotal on January 30, 2026, and is associated with infrastructure linked to APT28.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhZSVDvLRSrmtPBEuEbrJ9vlVmD-Is4GdZ1l1McEKvPnQS9HuuAQ0WTAwHn8-JYM4mddUphW4tseJs-605fvxcAJImVKBP0hKA9nOysGGTgNE5j1CqPmKwm5S-8nzqS224lO02zCGxM0F5huJbkAJUq79uItXCrUcPszkXbYouq-wfnKaE91jWYd9ERWbhg\/s1700-e365\/com.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhZSVDvLRSrmtPBEuEbrJ9vlVmD-Is4GdZ1l1McEKvPnQS9HuuAQ0WTAwHn8-JYM4mddUphW4tseJs-605fvxcAJImVKBP0hKA9nOysGGTgNE5j1CqPmKwm5S-8nzqS224lO02zCGxM0F5huJbkAJUq79uItXCrUcPszkXbYouq-wfnKaE91jWYd9ERWbhg\/s1700-e365\/com.jpg\" alt=\"\" border=\"0\" data-original-height=\"512\" data-original-width=\"900\"\/><\/a><\/div>\n<p>It&#8217;s worth noting that the sample was flagged by the Computer Emergency Response Team of Ukraine (CERT-UA) early last month in connection with APT28&#8217;s attacks exploiting another security flaw in Microsoft Office (CVE-2026-21509, CVSS score: 7.8).<\/p>\n<p>The web infrastructure company said CVE-2026-21513 is rooted in the logic within \u00abieframe.dll\u00bb that handles hyperlink navigation, and that it&#8217;s the result of insufficient validation of the target URL, which allows attacker-controlled input to reach code paths that invoke <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/shellapi\/nf-shellapi-shellexecuteexw\" rel=\"noopener\" target=\"_blank\">ShellExecuteExW<\/a>. This, in turn, enables execution of local or remote resources outside the intended browser security context.<\/p>\n<p>\u00abThis payload involves a specially crafted Windows Shortcut (LNK) that embeds an HTML file immediately after the standard LNK structure,\u00bb security researcher Maor Dahan said. \u00abThe LNK file initiates communication with the domain wellnesscaremed[.]com, which is attributed to APT28 and has been in extensive use for the campaign&#8217;s multistage payloads. The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries.\u00bb<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fs-report-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjWQgUDT06NQu9vGMPC7BWROmJABTIWg058l7oGKD-v3ZchC8_66xjbclOE9koChsRf5CEKgqrXTVrne_00PdGokh3brhvF-g33I4FYYpTukrvuNQWXZOVAfon6-2axyRoVJ4uOrXPqRhxfZUaJWEm-K9esUS3ql8VSVWAKLqyfhHLgMSXhkMTkcOtGSX7R\/s728-e100\/fs-report-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Akamai noted that the technique makes it possible for an attacker to bypass Mark-of-the-Web (<a href=\"https:\/\/redcanary.com\/threat-detection-report\/techniques\/mark-of-the-web-bypass\/\" rel=\"noopener\" target=\"_blank\">MotW<\/a>) and Internet Explorer Enhanced Security Configuration (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/customize\/desktop\/unattend\/microsoft-windows-ie-esc\" rel=\"noopener\" target=\"_blank\">IE ESC<\/a>), leading to a downgrade of the security context and ultimately facilitating the execution of malicious code outside of the browser sandbox via <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/shell\/launch\" rel=\"noopener\" target=\"_blank\">ShellExecuteExW<\/a>.<\/p>\n<p>\u00abWhile the observed campaign leverages malicious LNK files, the vulnerable code path can be triggered through any component embedding MSHTML,\u00bb the company added. \u00abTherefore, additional delivery mechanisms beyond LNK-based phishing should be expected.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 02, 2026Vulnerability \/ Threat Intelligence A recently disclosed security flaw patched by Microsoft may have been exploited by the Russia-linked state-sponsored threat actor known as APT28, according to&hellip;<\/p>\n","protected":false},"author":1,"featured_media":123,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[346,112,344,128,347,345,348,343,349],"class_list":["post-122","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-0day","tag-apt28","tag-cve202621513","tag-exploited","tag-feb","tag-mshtml","tag-patch","tag-tied","tag-tuesday"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=122"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/122\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/123"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}