
APT28 exploits MSHTML zero-day CVE-2026-21513, left unchecked until February patch

IkesanContents

It has been revealed that CVE-2026-21513, one of the vulnerabilities fixed in the February 2026 Patch Tuesday release, was already being used by the Russian state-backed group APT28 before the patch was released. Rated CVSS 8.8 and classified as a security feature bypass, it effectively allows code to run outside the browser sandbox.

What was happening

According to an investigation by the Microsoft Threat Intelligence Center (MSTIC) and the Google Threat Intelligence Group (GTIG), APT28 uploaded the exploit payload to VirusTotal on January 30, 2026, which predates the February patch release. Around the same time, CERT-UK also reported a related attack (linked to CVE-2026-21509).

The vulnerability exists in hyperlink processing within ieframe.dll. Insufficient validation of the target URL allows attacker-controlled input to reach the code path that calls ShellExecuteExW. As a result, local or remote resources run outside the browser’s security context.

Technical mechanism

MSHTML is a rendering engine derived from Internet Explorer and is still embedded in many applications on Windows. What makes this flaw serious is that it can be triggered by any component that hosts MSHTML.

APT28’s attack chain looks like this:

  • A Windows shortcut (LNK) file is delivered, with an HTML file embedded immediately after the LNK structure.
  • When the file is opened, URL validation in ieframe.dll is bypassed and ShellExecuteExW is called.
  • Nested iframes and multiple DOM contexts are used to manipulate trust boundaries.
  • Both Mark-of-the-Web (MotW) and IE Enhanced Security Configuration (IE ESC) are bypassed.
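A defender-side triage heuristic for the first stage of that chain, shortcut files carrying HTML markup after the Shell Link header, as an added example that is not from the original report or from MSTIC/GTIG. It validates only the fixed 76-byte LNK header (HeaderSize and LinkCLSID as defined in MS-SHLLINK) rather than parsing the full shortcut structure, then looks for HTML tags anywhere after it; the sample it scans is constructed inline and inert.

```python
import re
import struct

# Shell Link header constants from MS-SHLLINK: HeaderSize is always 0x4C and the
# LinkCLSID is 00021401-0000-0000-C000-000000000046 (little-endian field layout).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Markup a shortcut has no legitimate reason to carry. Matched case-insensitively;
# closing tags (</...>) are ignored so each element is counted once.
HTML_MARKERS = re.compile(rb"<\s*(html|head|body|script|iframe|meta)\b", re.IGNORECASE)


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with a well-formed Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_embedded_html(data: bytes) -> list[dict]:
    """Every HTML marker located after the header, with its file offset and tag name."""
    return [
        {"offset": m.start(), "tag": m.group(1).decode("ascii").lower()}
        for m in HTML_MARKERS.finditer(data, LNK_HEADER_SIZE)
    ]


def triage_lnk(data: bytes) -> dict:
    """Classify a blob as not-lnk, lnk-no-html, or lnk-with-embedded-html."""
    if not is_lnk(data):
        return {"verdict": "not-lnk", "hits": [], "iframes": 0}
    hits = find_embedded_html(data)
    # The reported chain relies on nested iframes, so count them separately.
    iframes = sum(1 for h in hits if h["tag"] == "iframe")
    verdict = "lnk-with-embedded-html" if hits else "lnk-no-html"
    return {"verdict": verdict, "hits": hits, "iframes": iframes}


def build_sample() -> bytes:
    """Constructed test input: a valid-but-empty LNK header followed by inert markup."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    markup = b'<html><body><iframe src="about:blank"><iframe></iframe></iframe></body></html>'
    return bytes(header) + markup


if __name__ == "__main__":
    print(triage_lnk(build_sample()))
```

Because it matches on tag names rather than parsing the shortcut's variable-length fields, a legitimate LNK whose target path or arguments happen to contain such a string will also be flagged, so treat hits as a triage signal to inspect, not a verdict.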

The C2 infrastructure uses wellnesscaremed[.]com, a domain that has been identified as APT28 infrastructure. Delivery is via email or a link, and exploitation requires the user to open the LNK file.

What does MotW bypass mean?

Mark-of-the-Web is zone information added to downloaded files so that a warning is displayed when a file obtained from the Internet is opened. Because this attack bypasses it, ordinary advice such as “don’t open files downloaded from unknown sources” no longer holds. IE ESC is bypassed as well, defeating an additional layer of protection configured in corporate environments.

Response

Fixed in the February 2026 Patch Tuesday release (KB5077181). Environments where this Windows Update has been applied are not affected.

However, KB5077181 itself causes other problems. Reports are wide-ranging and include dxgmms2.sys BSODs, boot loops, network interruptions due to DHCP failure, Bluetooth connection loss, and game frame-rate drops of 30-50% with certain GPU configurations. Since it’s a security patch, I can’t afford not to apply it, but if I do, it might break for another reason, which is a constant dilemma. If your system becomes unstable after applying the patch, see the Windows Central report.

Endpoints that mistakenly treat LNK files signed with outdated certificates as safe, and Windows environments that have not been patched, remain targets. APT28 is known to target government, military, and diplomatic institutions of countries supporting NATO and Ukraine, and this attack is likely to have been a targeted attack in that context.

The Microsoft Threat Intelligence Center, Microsoft Security Response Center, Office Product Group Security Team, and Google Threat Intelligence Group were involved in the discovery and analysis of the vulnerability.