Russia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch

AndyC 3 March 2026

Russia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch

Russia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch

Russia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch

Russia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch

Pierluigi Paganini
March 02, 2026

Russia-linked APT28 reportedly exploited MSHTML zero-day CVE-2026-21513 before Microsoft patched it, a high-severity bypass flaw.

Akamai reports that Russia-linked APT28 may have exploited CVE-2026-21513 CVSS score of 8.8), a high-severity MSHTML vulnerability (CVSS 8.8), before Microsoft patched it in February 2026.

The vulnerability is an Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file. The flaw could be triggered by opening a malicious HTML or LNK file, allowing attackers to bypass protections and potentially execute code. While Microsoft shared few details

Microsoft confirmed CVE-2026-21513 was exploited in real-world zero-day attacks and credited MSTIC, MSRC, the Office Security Team, and Google’s GTIG for reporting it. Akamai found a malicious sample uploaded to VirusTotal on January 2026 tied to infrastructure linked to APT28.

Akamai researchers used PatchDiff-AI to analyze the root cause of the issue and traced CVE-2026-21513 to hyperlink navigation logic in ieframe.dll. They found that poor URL validation lets attacker input reach ShellExecuteExW, enabling code execution outside the browser sandbox. Researchers reproduced the flaw using MSHTML components and identified an exploit sample, document.doc.LnK.download, uploaded in January 2026 and linked to APT28 infrastructure.

“By correlating the vulnerable code path with public threat intelligence, we identified a sample that was leveraging this functionality: document.doc.LnK.download.” reads the report published by Akamai. “The sample was first submitted to VirusTotal on January 30, 2026, shortly before February’s Patch Tuesday, and is associated with infrastructure linked to APT28, an active Russian state-sponsored threat actor.”

The payload uses a specially crafted Windows Shortcut (.lnk) that embeds an HTML file directly after the standard LNK structure. When executed, it connects to wellnesscaremed[.]com, a domain attributed to APT28 and widely used in the campaign’s multistage activity. The exploit relies on nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). By downgrading the security context, it triggers the vulnerable navigation flow, allowing attacker-controlled content to invoke ShellExecuteExW and execute code outside the browser sandbox.

“While the observed campaign leverages malicious .LNK files, the vulnerable code path can be triggered through any component embedding MSHTML. Therefore, additional delivery mechanisms beyond LNK-based phishing should be expected.” concludes the report.

Microsoft addressed the issue by tightening hyperlink protocol validation to prevent file://, http://, and https:// links from reaching ShellExecuteExW.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT28, CVE-2026-21513)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , , , ,

More Stories

APT37 combines cloud storage and USB implants to infiltrate air-gapped systems

APT37 combines cloud storage and USB implants to infiltrate air-gapped systems

AndyC 3 March 2026
Europol’s Project Compass nets 30 arrests in crackdown on “The Com”

Europol’s Project Compass nets 30 arrests in crackdown on “The Com”

AndyC 3 March 2026
ClawJacked flaw exposed OpenClaw users to data theft

ClawJacked flaw exposed OpenClaw users to data theft

AndyC 3 March 2026
Ukrainian hacker pleads guilty to running OnlyFake AI ID scam site

Ukrainian hacker pleads guilty to running OnlyFake AI ID scam site

AndyC 3 March 2026
Weekly Update 493

Weekly Update 493

AndyC 3 March 2026
Claude Code Security: The AI Shockwave Hitting Cybersecurity

The CISO’s Guide to AI Governance: Beyond the Hype

AndyC 2 March 2026

You may have missed

SANDWORM_MODE: The Rise of Adaptive Supply Chain Worms

SANDWORM_MODE: The Rise of Adaptive Supply Chain Worms

AndyC 3 March 2026
Claude Code Security: The AI Shockwave Hitting Cybersecurity

SANDWORM_MODE: The Rise of Adaptive Supply Chain Worms

AndyC 3 March 2026
Researchers warn about ChatGPT’s new health service

Latest OpenClaw Flaw Can Let Malicious Websites Hijack Local AI Agents

AndyC 3 March 2026
OpenAI says its US defense deal is safer than Anthropic’s, but is it?

Windows 11 Insider Previews: What’s in the latest build?

AndyC 3 March 2026
The AI Exchange: Innovators in Payment Security Featuring Checkout.com

The AI Exchange: Innovators in Payment Security Featuring Checkout.com

AndyC 3 March 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.