UAC-0001 (APT28) carries out cyberattacks against Ukraine and EU countries using the exploit CVE-2026-21509
Created on 2026-02-02 12:56, updated on 2026-02-02 13:04, by Paul Jung

On 26 January 2026, Microsoft disclosed the actively exploited vulnerability CVE-2026-21509 in Microsoft Office. Within days, weaponized DOC files appeared in public and via phishing campaigns targeting Ukrainian and EU government entities, using lures related to Ukraine and EU COREPER meetings. Opening the documents triggers a WebDAV-based infection chain that downloads an LNK file, deploys a malicious DLL through COM hijacking and an explorer.exe restart, executes shellcode hidden in an image, and ultimately launches the COVENANT command-and-control framework, which leverages the legitimate Filen cloud infrastructure. This indicates a coordinated campaign likely to expand rapidly due to delayed patching and limited adoption of mitigations.
Meta
[
{
"tags": [
"vulnerability:exploitability=industrialised"
]
}
]