Russian APT28 started exploiting URL validation flaw in ieframe.dll (CVE-2026-21513, CVSS 8.8) in January 2026. We have laid out the technical mechanics of an attack chain that bypasses Mark-of-the-Web via LNK files and executes code outside the browser sandbox.
