CVE-2026-21509: A Zero-Click Office Exploit, a Pakistani Government Server, and the Shadow of Fancy Bear
TL;DR: A weaponized Word document exploiting CVE-2026-21509 -- a zero-click vulnerability in Microsoft Office OLE object handling -- uses a procurement lure themed around Pakistan's Sindh Integrated Emergency and Health Services to deliver a ClickOnce payload hosted on compromised Pakistani government infrastructure. The C2 sits on sbis[.]psca[.]gop[.]pk, a legitimate subdomain of the Punjab Safe City Authority. The document was authored on a machine named "MALDEV01" by a user called "WarMachine" using WPS Office with an English-India locale. This sample is one of 21 CVE-2026-21509 exploits on MalwareBazaar, seven of which are explicitly attributed to APT28 (Fancy Bear) targeting Ukraine. Our sample diverges -- South Asian targeting, WPS Office tooling, en-IN locale -- raising the question of whether this is APT28 expanding geographically, a shared exploit builder circulating among state-level actors, or a distinct South Asian APT leveraging the same zero-day.
The Document That Doesn't Need Macros
Forget everything you know about malicious Word documents requiring macros. CVE-2026-21509 does not need them.
The exploit works through OLE ObjectPool manipulation. The document contains an ObjectPool storage with a child entry _1234567890. Inside that entry, a CONTENTS stream holds a Shell Link (.LNK) binary -- 496 bytes, starting with the LNK magic 4C 00 00 00. The LNK contains an Internet Explorer IDLIST structure that redirects to an attacker-controlled HTTPS URL hosting a ClickOnce .application deployment.
No VBA. No user prompt beyond opening the document. When combined with Outlook's preview pane, this approaches zero-click territory.
The exploit chain is elegant in its simplicity:
```
[Spear-phishing email]
        |
[SIEHS Document.doc opened in Word]
        |
[CVE-2026-21509: OLE ObjectPool parsed]
        |
[Embedded LNK Shell Link in CONTENTS stream]
        |
[IE IDLIST resolves to ClickOnce URL via HTTPS]
        |
[https://sbis[.]psca[.]gop[.]pk/css/PDF-READER/PDF%20Viewer.application]
        |
[ClickOnce .application deployment downloaded and executed]
        |
[Second-stage payload (PDF Viewer disguise)]
```
The victim sees what looks like a procurement document about ambulance surveillance systems. Behind the scenes, the OLE parser has already fetched a ClickOnce deployment disguised as a "PDF Viewer" from a Pakistani government domain.
What Was Found vs. What Was Known
| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| CVE-2026-21509 exploitation | 21 samples on MalwareBazaar, primarily Ukraine-focused | South Asian variant targeting Pakistani organizations |
| APT28 attribution | 7/21 samples explicitly tagged APT28 | This sample diverges: WPS Office tooling, en-IN locale, South Asian lure |
| C2 infrastructure | Various, mostly attacker-controlled domains | Compromised legitimate Pakistani government infrastructure (PSCA) |
| Detection rate | Varies across cluster | 2/63 on VirusTotal -- near-invisible to AV |
| Author metadata | Not widely reported for this cluster | MALDEV01 (author), WarMachine (last saved by) |
| Tooling | Unknown for most samples | WPS Office 12.2.0.23196 with English-India locale (ID 16393) |
| HoodyHyena overlap | Separate report on Russian vehicle inspection RTF | Same CVE, different lure themes, possible shared builder |
The Lure: Ambulance Surveillance in Sindh
The social engineering is well-crafted. The document impersonates official communication about the "Purchase of Ambulance Surveillance System" for the Sindh Integrated Emergency and Health Services:
Please open the attached document below to read the key instructions for Purchase of Ambulance Surveillance system. Sindh Integrated Emergency and Health Services, I have highlighted major key points.. Your review is highly required.
The document contains embedded PNG images totaling roughly 312KB, rendering what appears to be official procurement documentation. Anyone working in Pakistani government procurement or emergency services would have every reason to open this.
Living Off the Government: Compromised PSCA Infrastructure
This is where the operation gets sophisticated. The ClickOnce payload is not hosted on some sketchy bulletproof hosting IP. It lives on sbis[.]psca[.]gop[.]pk -- a legitimate subdomain of the Punjab Safe City Authority, a Pakistani government entity.
| Field | Value |
|---|---|
| C2 URL | https://sbis[.]psca[.]gop[.]pk/css/PDF-READER/PDF%20Viewer.application |
| Domain | sbis[.]psca[.]gop[.]pk |
| IP Address | 103[.]119[.]125[.]125 |
| ASN | AS138019 |
| Organization | Punjab Safe City Authority (PSCA) |
| Country | Pakistan (Lahore, Punjab) |
| TLS Issuer | Starfield Secure Certificate Authority - G2 (wildcard *.psca.gop.pk) |
| Cert Renewed | 2026-02-27 |
| VT IP Detections | 0/94 (clean) |
The payload is buried under /css/PDF-READER/ -- a path that looks like a legitimate CSS directory to anyone doing a cursory review. The VirusTotal reputation score for the IP is spotless at 0/94 because it is a legitimate government server.
The certificate was renewed on February 27, 2026 -- just two weeks before our sample appeared. The document was created February 12 and last saved February 18. The timeline fits: the actor compromised PSCA infrastructure sometime in late February, then weaponized the lure document in the following days.
Using compromised government infrastructure for C2 gives the attacker four advantages simultaneously: URL reputation filter bypass, existing TLS certificate leverage, increased victim trust, and takedown complexity. You cannot just call a hosting provider and request a takedown -- this is government-owned infrastructure that requires inter-agency coordination.
The MALDEV01 / WarMachine Signatures
The document metadata reads like a calling card:
| Metadata Field | Value | Significance |
|---|---|---|
| Author | MALDEV01 | Dedicated malware development machine naming convention |
| Last Saved By | WarMachine | Operator alias or username on the build system |
| Application | WPS Office 12.2.0.23196 | Common in South/Southeast Asian APT tooling |
| Locale ID | 16393 (en-IN) | English-India locale -- strongly suggests South Asian origin |
| Code Page | 1200 (Unicode UTF-16) | Standard for multilingual documents |
| Created | 2026-02-12 06:17:00 UTC | Build timestamp |
| Last Saved | 2026-02-18 12:16:56 UTC | Final weaponization |
"MALDEV01" is not a name someone uses for their personal laptop. It is a naming convention for a dedicated malware development workstation -- the kind of naming you see in organized operations where machines are numbered and purpose-assigned. "WarMachine" is the operator's chosen handle.
The WPS Office footprint is telling. WPS Office has significant market share in China and South Asia but is relatively uncommon in Russian-speaking threat actor toolchains. Combined with the en-IN locale, this points firmly at South Asian origin or, at minimum, a South Asian build environment.
The APT28 Question: Shared Exploit or Shared Builder?
Here is the problem. CVE-2026-21509 is being actively exploited by APT28 (Fancy Bear) to target Ukraine. Seven of the 21 samples in MalwareBazaar's CVE-2026-21509 cluster carry explicit APT28 tags. The Ukrainian-targeting samples use lures like "Consultation Topics Ukraine (Final).doc" and interview questions. A separate sample tagged HoodyHyena uses a Russian vehicle inspection RTF.
Our sample does not fit that pattern at all. The targeting is South Asian. The tooling is WPS Office. The locale is English-India. The lure theme is Pakistani government procurement.
Three scenarios present themselves:
- APT28 geographic expansion -- Fancy Bear is broadening its targeting to South Asia using the same exploit but different lures
- Shared exploit builder -- The CVE-2026-21509 exploit generator is circulating among multiple state-level actors, each customizing lures for their own targets
- Distinct South Asian APT -- A separate threat group independently weaponized the same vulnerability
The metadata differences (WPS Office vs. likely Microsoft Office for APT28 samples, en-IN locale, South Asian lure content) make scenario 3 the most probable, with scenario 2 as a plausible alternative. A shared exploit builder would explain why the same OLE/LNK technique appears across geographically and thematically diverse campaigns.
Sandbox Evasion: The 2/63 Problem
| Vendor | Verdict | Notes |
|---|---|---|
| DocGuard | Malicious | Legacy Office File detection |
| ReversingLabs | 3/36 (8.33%) | First seen 2026-03-02 |
| Zenbox | Clean (99% confidence) | Sandbox evasion likely |
| ANY.RUN | No threats detected | Sandbox evasion |
| Triage | Score 1/10 | Minimal behavioral flags |
| VirusTotal | 2/63 | Near-invisible |
Two out of sixty-three antivirus engines. That is a 3.2% detection rate. The exploit's reliance on OLE object parsing rather than VBA macros means traditional document analysis tools largely miss it. Sandboxes report the document as clean because the exploit requires specific OLE rendering behavior that automated analysis environments do not always trigger.
This is a weaponized document that will sail through most email gateways undetected.
Detection Guidance
YARA Rules
Five rules covering:
- Generic CVE-2026-21509 OLE + LNK + ClickOnce pattern
- SIEHS-specific lure detection
- PSCA C2 domain detection
- MALDEV/WarMachine author fingerprinting
- Generic embedded LNK with IE IDLIST pattern
The critical detection signal is the combination of an OLE ObjectPool containing a Shell Link binary with an Internet Explorer IDLIST structure. The YARA rule OLE_LNK_InternetExplorer_IDLIST_Suspicious by researcher node5 already flags this pattern on MalwareBazaar.
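The ObjectPool + Shell Link + IE IDLIST combination described above and in the exploit walkthrough, as an added triage example that is not part of the original report or the node5 YARA rule: it checks a CONTENTS stream for the Shell Link header and CLSID, walks the LinkTargetIDList item by item, and pulls out any embedded URL. The sample LNK blob is constructed for the test, the example.invalid URL is a placeholder rather than the real C2, and scan_document assumes the third-party olefile package.

```python
import re
import struct

LNK_MAGIC = 0x4C                                                   # HeaderSize of a Shell Link
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")      # 00021401-0000-0000-C000-000000000046
IE_ROOT_CLSID = bytes.fromhex("80531c87a0426910a2ea08002b30309d")  # Internet Explorer root folder
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")

def triage_contents_stream(blob: bytes) -> dict:
    """Classify one ObjectPool CONTENTS stream; items are walked generically (size-prefixed, MS-SHLLINK 2.2)."""
    v = {"is_lnk": False, "has_idlist": False, "ie_root": False, "urls": []}
    if len(blob) < 0x4E or struct.unpack_from("<I", blob)[0] != LNK_MAGIC or blob[4:20] != LNK_CLSID:
        return v
    v["is_lnk"] = True
    if not struct.unpack_from("<I", blob, 20)[0] & 0x1:               # LinkFlags.HasLinkTargetIDList
        return v
    v["has_idlist"] = True
    off, end = 0x4E, min(len(blob), 0x4E + struct.unpack_from("<H", blob, 0x4C)[0])
    while off + 2 <= end:
        size = struct.unpack_from("<H", blob, off)[0]
        if size < 2:                                                   # TerminalID closes the list
            break
        item = blob[off + 2:off + size]
        v["ie_root"] |= IE_ROOT_CLSID in item
        v["urls"] += [m.group().decode() for m in ASCII_URL.finditer(item)]
        v["urls"] += [m.group().decode("utf-16-le") for m in UTF16_URL.finditer(item)]
        off += size
    return v

def is_suspicious(v: dict) -> bool:
    """The signal described above: a Shell Link whose IE-rooted IDList resolves to a remote URL."""
    return v["ie_root"] and any(u.startswith("http") for u in v["urls"])

def scan_document(path: str) -> list:
    """Apply the triage to every ObjectPool/*/CONTENTS stream of a real .doc (needs the olefile package)."""
    import olefile
    ole = olefile.OleFileIO(path)
    hits = [("/".join(e), triage_contents_stream(ole.openstream(e).read()))
            for e in ole.listdir(streams=True, storages=False)
            if e[0] == "ObjectPool" and e[-1] == "CONTENTS"]
    ole.close()
    return [h for h in hits if h[1]["is_lnk"]]

def build_sample_lnk(url: str) -> bytes:
    """Constructed test input, not the real payload: header with HasLinkTargetIDList, IE root item, URI item."""
    header = struct.pack("<I16sI", LNK_MAGIC, LNK_CLSID, 0x1).ljust(0x4C, b"\x00")
    root, uri = b"\x1f\x00" + IE_ROOT_CLSID, b"\x61\x80" + url.encode("utf-16-le") + b"\x00\x00"
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in (root, uri))
    return header + struct.pack("<H", len(idlist) + 2) + idlist + b"\x00\x00"
```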
Network Detection
Monitor for:
- DNS queries to sbis[.]psca[.]gop[.]pk
- HTTPS connections to 103[.]119[.]125[.]125
- URI paths containing /css/PDF-READER/ combined with .application file downloads
- ClickOnce deployment downloads from government domains
Endpoint Detection
- Hunt for ClickOnce deployment artifacts in %LOCALAPPDATA%\Apps\2.0\
- Search email logs for "SIEHS Document.doc" or "Ambulance Surveillance" attachments
- Monitor for AddClipboardFormatListener and SetWindowsHookEx API calls from WINWORD.EXE (behavioral indicators from Triage sandbox)
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | Weaponized .doc via email |
| Execution | Exploitation for Client Execution | T1203 | CVE-2026-21509 OLE exploit |
| Execution | User Execution: Malicious File | T1204.002 | Document open triggers exploit |
| Defense Evasion | Signed Binary Proxy Execution | T1218 | ClickOnce deployment (trusted .NET mechanism) |
| Defense Evasion | Obfuscated Files or Information | T1027 | OLE-embedded LNK with IE IDLIST indirection |
| Resource Development | Compromise Infrastructure | T1584.004 | Compromised PSCA government server for hosting |
Timeline
| Date | Event | Source |
|---|---|---|
| 2026-02-12 | Document created (MALDEV01) | OLE metadata |
| 2026-02-18 | Document last saved (WarMachine) | OLE metadata |
| 2026-02-27 | PSCA wildcard TLS certificate renewed | crt.sh |
| 2026-03-02 | Sample first seen by ReversingLabs | RL first_seen |
| 2026-03-11 | Sample submitted to MalwareBazaar | MB first_seen |
| 2026-03-11 | Analysis completed by Breakglass Intelligence | This report |
Indicators of Compromise
File Indicators
```
# CVE-2026-21509 Exploit Document
SHA256: 8e53683133e7e1ddd1d8728b6ba8b9b80ec40f6772422c8adc8002bafe553f7b
SHA1: 3f4852ef07988b870b68e16c802b6e2b256e0b72
MD5: 90c59e9620a8da4e56a7f61fd188d908
File: SIEHS Document.doc
```
Network Indicators
```
# C2 URL (defanged)
hxxps://sbis[.]psca[.]gop[.]pk/css/PDF-READER/PDF%20Viewer.application
# C2 Domain
sbis[.]psca[.]gop[.]pk
# C2 IP (compromised government infrastructure)
103[.]119[.]125[.]125
# ASN
AS138019 (Punjab Safe City Authority)
```
Metadata Indicators
```
# Author fingerprints
Author: MALDEV01
Last Saved By: WarMachine
Locale ID: 16393 (en-IN)
Application: WPS Office 12.2.0.23196
# YARA signature
OLE_LNK_InternetExplorer_IDLIST_Suspicious (by node5)
```
Recommended Actions
Immediate (24-48 hours)
- Block sbis[.]psca[.]gop[.]pk at DNS and proxy level
- Block 103[.]119[.]125[.]125 at perimeter firewalls
- Deploy YARA rules to email gateways and EDR platforms
- Hunt for the SHA-256 hash across all endpoints
- Search email logs for "SIEHS Document.doc" or "Ambulance Surveillance" attachments
Short-Term (1-2 weeks)
- Notify Punjab Safe City Authority of the compromise via kashif[.]aftab@psca[.]gop[.]pk
- Search for ClickOnce deployment artifacts in %LOCALAPPDATA%\Apps\2.0\
- Monitor MalwareBazaar for additional CVE-2026-21509 samples
- Patch Microsoft Office against CVE-2026-21509 when available
Medium-Term (1-3 months)
- Disable OLE object embedding in Office documents via Group Policy
- Block ClickOnce deployments from untrusted sources
- Implement attachment sandboxing for .doc and .rtf files
- Track the MALDEV01/WarMachine operator across future samples
Published by Breakglass Intelligence. Investigation conducted 2026-03-11. A zero-click exploit. A compromised government server. A 2/63 detection rate. And a connection to the most prolific exploit cluster of Q1 2026. Classification: TLP:CLEAR