HomeWinBuzzer NewsMicrosoft Word Zero-Day Used in Ukraine for Cyberespionage

Microsoft Word Zero-Day Used in Ukraine for Cyberespionage

FireEye, the security firm that uncovered a recent Microsoft Word vulnerability, says the flaw was exploited in January for spying purposes in the Ukraine/Russia conflict.


Earlier in the week, we reported on a previously unknown vulnerability in Word. The flaw could potentially allow hackers to access systems and control files. Security firm FireEye has noted that the vulnerability is now linked with Cyber-spying in the Ukraine/Russia conflict.

FireEye described the original flaw and has since told Microsoft. The company says it will issued a fix as part of April's patch Tuesday yesterday.

However, it seems some attackers have exploited prior to the company finding the gap in security. FireEye says one attack allowed attackers to weaponize a Russian military training manual. The document contained malicious content in the form of FinSpy, a surveillance software used by governments.

FinSpy was created by a Gamma Group subsidiary. The company builds surveillance monitoring equipment. Over thirty governments are believed to use the software.

In its report, FireEye says it is not sure who or what the document was targeting. Although, it was published in the Donetsk People's Republic, a region of the Ukraine under Russian support.

“The initial malicious document downloaded further payloads, including malware and a decoy document from This site was open indexed to allow recovery of additional lure content, including prikaz.doc (MD5: 0F2B7068ABFF00D01CA7E64589E5AFD9), which claims to be a Russian Ministry of Defense decree approving a forest management plan.”

Microsoft Word Flaw

This vulnerability is deployed when an infected Word document is opened. Because the installed malware is stealthy, it is almost impossible for a regular user to detect it.

The Microsoft Word document is created to look legitimate and passed through an email. It downloads an infection in the form of a malicious HTML application from a server. This is designed to look like a Rich Text document file.

FireEye confirmed the bug affects all versions of Microsoft Word and Office, including Office 2016 and Office 365 for Windows 10.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News