APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday

Key Takeaways:

  • APT28 exploited a high-severity zero-day (CVE-2026-21513) in the MSHTML framework to bypass Windows security mechanisms before official patches were released.
  • A critical vulnerability in Google Chrome’s Gemini AI panel (CVE-2026-0628) allowed browser extensions to hijack system resources and hardware.
  • The CarGurus data breach exposed 12.5 million records following a successful vishing campaign that bypassed traditional MFA.
  • A massive Android security update addressed a Qualcomm display component zero-day (CVE-2026-21385) affecting hundreds of chipsets.
  • Geopolitical shifts have led to the U.S. government phasing out Anthropic’s Claude AI in favor of OpenAI for classified military operations.

APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday

Analysis indicates that the Russia-linked state-sponsored threat actor APT28 exploited a high-severity vulnerability in the MSHTML Framework prior to the release of official security updates. This vulnerability, tracked as CVE-2026-21513, represents a security feature bypass with a CVSS score of 8.8. While Microsoft included a fix for this flaw in the February 2026 Patch Tuesday cycle, the vulnerability was actively used as a zero-day in targeted attacks.

Data gathered via a modern cyber threat intelligence platform confirms that the infrastructure utilized in these campaigns aligns with known APT28 tactics, specifically involving the delivery of malicious artifacts designed to bypass standard Windows security mechanisms.

Diagram showing CVE-2026-21513 MSHTML zero-day exploit chain used by APT28

The technical root of CVE-2026-21513 exists within the logic of ieframe.dll, the component responsible for handling hyperlink navigation within the Windows environment. Research from Akamai and Microsoft confirms that the vulnerability stems from insufficient validation of target URLs. This lack of validation allows an attacker to provide controlled input that reaches specific code paths, eventually invoking ShellExecuteExW. By doing so, the attacker can execute resources, either local or remote, outside the security context of the web browser.

The exploitation method observed in the wild involved the use of specially crafted Windows Shortcut (LNK) files. These files contain an embedded HTML structure placed immediately after the standard LNK data. When a user opens the LNK file, it triggers communication with a malicious domain, wellnesscaremed[.]com, which has been linked to previous APT28 campaigns. The exploit utilizes nested iframes and multiple Document Object Model (DOM) contexts to bypass Mark-of-the-Web (MotW) protections and the Internet Explorer Enhanced Security Configuration (IE ESC).

This bypass effectively downgrades the security context of the execution environment, enabling the malicious payload to run outside the browser sandbox.

While current observations focus on LNK-based delivery, the vulnerability affects any component that embeds MSHTML. This suggests that organizations should prepare for diverse delivery mechanisms, including phishing via email attachments or malicious web links. The Computer Emergency Response Team of Ukraine (CERT-UA) also noted that this campaign overlapped with the exploitation of CVE-2026-21509, another Microsoft Office flaw used by the same threat actor.
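The delivery technique described above leaves a structural tell: a shortcut file carries HTML markup after its Shell Link data, which a legitimate LNK never does. The following triage script is an added example written for this article, not code from the report or from any vendor. It validates the fixed 76-byte ShellLinkHeader from the MS-SHLLINK specification, then scans the remainder of the file for HTML markers in ASCII and UTF-16LE form and for the domain the report names. It does not parse the optional link structures, so the marker scan is a heuristic for hunting rather than a full parser; the two sample files are constructed inline for demonstration.

```python
import struct

# MS-SHLLINK: a shortcut starts with a fixed 76-byte ShellLinkHeader whose
# first field is HeaderSize (0x4C) followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Markup that has no legitimate reason to appear anywhere inside a shortcut.
HTML_MARKERS = (b"<html", b"<iframe", b"<script", b"<body", b"<meta")

# Domain named in the report (written defanged there as wellnesscaremed[.]com).
IOC_DOMAINS = (b"wellnesscaremed.com",)


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a structurally valid ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_html_markers(body: bytes, base_offset: int = LNK_HEADER_SIZE) -> list:
    """Return (marker, encoding, absolute_offset) for each HTML marker found,
    checking both the ASCII and the UTF-16LE spelling."""
    hits = []
    lowered = body.lower()  # folds ASCII letters only, which is all we need
    for marker in HTML_MARKERS:
        needles = (("ascii", marker),
                   ("utf-16le", marker.decode().encode("utf-16-le")))
        for encoding, needle in needles:
            idx = lowered.find(needle)
            if idx != -1:
                hits.append((marker.decode(), encoding, base_offset + idx))
    return hits


def scan_lnk(data: bytes) -> dict:
    """Triage one shortcut: valid header, embedded markup, known IoC domains."""
    if not is_shell_link(data):
        return {"is_lnk": False, "suspicious": False, "findings": []}
    body = data[LNK_HEADER_SIZE:]
    findings = [f"html_marker:{m}:{enc}@{off}"
                for m, enc, off in find_html_markers(body)]
    for domain in IOC_DOMAINS:
        if domain in body.lower():
            findings.append(f"ioc_domain:{domain.decode()}")
    return {"is_lnk": True, "suspicious": bool(findings), "findings": findings}


def _header() -> bytes:
    # Minimal header: HeaderSize, LinkCLSID, remaining header fields zeroed.
    return (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
            + b"\x00" * (LNK_HEADER_SIZE - 20))


# Constructed samples for demonstration; neither is a real file from the campaign.
BENIGN_SAMPLE = _header() + b"C:\\Windows\\System32\\notepad.exe"
TRAILING_HTML_SAMPLE = (
    _header()
    + b"\x00" * 10
    + b"<html><body><iframe src=\"http://wellnesscaremed.com/\"></iframe></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE),
                          ("trailing-html", TRAILING_HTML_SAMPLE)):
        print(label, scan_lnk(sample))
```

Run it over a directory of quarantined attachments and treat any `suspicious` result as a candidate for sandbox detonation; a hit on the IoC domain alone is enough to escalate, while an HTML marker without a known domain still warrants a look because the report expects the same technique to be reused with other infrastructure.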

Chrome Gemini Panel Hijacking: CVE-2026-0628

Concurrent with the MSHTML exploitation, vulnerabilities in integrated browser AI agents have emerged. Researchers identified a high-severity flaw, CVE-2026-0628, in Google Chrome’s Gemini Live feature. This vulnerability allowed browser extensions with standard permissions to hijack the Gemini panel, leading to unauthorized privilege escalation.

The flaw resided in how Chrome handled the declarativeNetRequest API. This API is designed to allow extensions to modify network requests for legitimate purposes, such as ad-blocking. However, it was found that an extension could intercept and modify requests to gemini.google.com specifically when the application was loaded within the side panel component.

Because the Gemini panel is a privileged browser component, code running within its context has access to hardware and system resources usually restricted from standard web pages. A successful exploit of CVE-2026-0628 allowed an attacker to:

  • Activate the device camera and microphone without user notification or consent.
  • Access local files and directories on the host operating system.
  • Capture screenshots of tabs containing sensitive HTTPS data.
  • Inject phishing content directly into the trusted browser UI.

Google released a fix for this issue in early January 2026. This case demonstrates that as browsers integrate more agentic AI features, the attack surface expands to include logical flaws in how these high-privilege components interact with less-privileged extensions.
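The practical question for a defender after a disclosure like this is which installed extensions hold request-rewriting permissions that reach the privileged origin. The script below is an added example written for this article, not code from Google or from the researchers; it reads extension `manifest.json` files, applies a simplified version of Chrome's host match-pattern rules (assumed here, covering `<all_urls>`, wildcard hosts and `*.domain` prefixes but not every corner of the real grammar), and rates each extension by whether it combines a request-rewriting permission with host access to gemini.google.com. The manifests at the bottom are constructed samples.

```python
import json
from pathlib import Path

# The privileged side-panel origin named in the report.
SENSITIVE_HOSTS = ("gemini.google.com",)

# Permissions that let an extension block, redirect or rewrite requests.
REQUEST_REWRITE_PERMS = {
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "webRequest",
    "webRequestBlocking",
}


def host_pattern_matches(pattern: str, host: str) -> bool:
    """Simplified Chrome match-pattern check: <all_urls>, *://*/..., *.domain."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        bare = host_part[2:]
        return host == bare or host.endswith("." + bare)
    return host_part == host


def audit_manifest(manifest: dict) -> dict:
    """Rate one manifest by its ability to rewrite requests to sensitive hosts."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 placed host patterns inside "permissions"; MV3 uses "host_permissions".
    host_patterns = list(manifest.get("host_permissions", [])) + [
        p for p in perms if p == "<all_urls>" or "://" in p
    ]
    rewrite_perms = sorted(perms & REQUEST_REWRITE_PERMS)
    reaching = [p for p in host_patterns
                if any(host_pattern_matches(p, h) for h in SENSITIVE_HOSTS)]
    if rewrite_perms and reaching:
        risk = "high"      # can rewrite requests to the privileged origin
    elif rewrite_perms:
        risk = "medium"    # can rewrite requests, but not for that origin
    else:
        risk = "low"
    return {
        "name": manifest.get("name", "<unnamed>"),
        "risk": risk,
        "rewrite_permissions": rewrite_perms,
        "patterns_reaching_sensitive_hosts": reaching,
    }


def audit_directory(root: str) -> list:
    """Audit every manifest.json below root (e.g. a Chrome profile's Extensions folder)."""
    return [audit_manifest(json.loads(p.read_text(encoding="utf-8")))
            for p in Path(root).rglob("manifest.json")]


# Constructed manifests for demonstration; not real extensions.
SAMPLE_MANIFESTS = [
    {"name": "Ad filter", "manifest_version": 3,
     "permissions": ["declarativeNetRequest"], "host_permissions": ["<all_urls>"]},
    {"name": "Notes", "manifest_version": 3,
     "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
    {"name": "Tracker blocker", "manifest_version": 3,
     "permissions": ["declarativeNetRequest"]},
    {"name": "Legacy rewriter", "manifest_version": 2,
     "permissions": ["webRequest", "webRequestBlocking", "https://*.google.com/*"]},
]

if __name__ == "__main__":
    for report in map(audit_manifest, SAMPLE_MANIFESTS):
        print(json.dumps(report))
```

A "high" rating is an inventory signal, not proof of compromise: most such extensions are ad or tracker blockers doing what they advertise. The value is in shrinking the review list to the extensions whose permissions intersect the privileged component, which is exactly the combination the Gemini panel issue turned into an escalation path.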

CarGurus Data Breach: 12.5 Million Records Exposed

The automotive marketplace CarGurus recently suffered a major data exfiltration event impacting 12.5 million users. The breach was orchestrated by threat actors associated with the ShinyHunters group and the Scattered Lapsus$ Hunters collective. The incident involved an extortion attempt followed by the public release of the stolen data.

The compromised information includes:

  • Email addresses and user account ID mappings.
  • Automotive finance pre-qualification application data.
  • Dealer account and subscription details.
  • Names, phone numbers, and physical addresses.
  • IP addresses and outcomes of auto finance applications.

The initial access was gained through sophisticated voice phishing (vishing) campaigns. The attackers targeted employees to obtain single-sign-on (SSO) codes for Okta, Microsoft, and Google services. This method bypassed traditional multi-factor authentication (MFA) by tricking users into providing time-sensitive codes directly to the threat actors. While CarGurus stated that the incident has been contained, the exposure of 12.5 million records necessitates immediate brand leak alerting for affected corporate entities. This event highlights the necessity of dark web monitoring service integration to detect the sale or distribution of stolen credentials and internal documents.

Android and Qualcomm Zero-Day Exploitation

In March 2026, Google released a security update addressing 129 vulnerabilities in the Android operating system, the highest monthly total since 2018. The most critical aspect of this update is the fix for CVE-2026-21385, a high-severity memory corruption vulnerability in a Qualcomm display component.

Qualcomm confirmed that this defect affects 234 different chipsets and is being exploited in limited, targeted attacks. The vulnerability was reported by Google’s Threat Analysis Group in December 2025, but the public disclosure occurred ten weeks later. The update is divided into two patch levels: 2026-03-01 and 2026-03-05. The latter includes the Qualcomm fixes and several kernel-level patches.

Organizations managing mobile fleets must prioritize these updates, as memory corruption flaws in hardware components often allow for remote code execution or complete device takeover. The frequency of such hardware-level zero-days reinforces the need for supply-chain risk monitoring as part of a comprehensive security strategy.

AI Geopolitics: Anthropic, the Pentagon, and OpenAI

A significant shift in the defense sector’s use of artificial intelligence occurred following a directive to phase out the use of Anthropic’s Claude AI. This order followed a breakdown in negotiations where Anthropic refused to remove safeguards preventing the use of its models for autonomous weapons or mass surveillance.

Despite the phase-out order, reports indicate that U.S. Central Command utilized Claude for intelligence assessments, target identification, and battle simulations. Analysts suggest that the timeline for the phase-out is challenging because AI models are deeply embedded in classified defense pipelines. Replacing such systems involves significant costs related to:

  • Sunk integration and retraining expenses.
  • Security re-certifications of new models.
  • Parallel testing to ensure operational parity.

In the wake of Anthropic’s designation as a potential supply-chain risk, OpenAI secured a deal to deploy its models on classified military networks. This transition underscores the challenges of model portability and the political fragility of AI layers within critical infrastructure.

Technical Analysis and Threat Actor Tactics

The recent activities of APT28 and ShinyHunters demonstrate a move toward bypassing established trust boundaries. APT28’s use of ieframe.dll logic flaws shows a deep understanding of legacy Windows components that remain integrated into modern systems. ShinyHunters’ reliance on vishing for SSO codes indicates that human-centric attacks remain the most effective way to circumvent technical controls like MFA.

For engineers, the technical takeaways involve the following:

  • MSHTML Contexts: Even if Internet Explorer is retired, the MSHTML framework persists as a rendering engine for various Windows applications. Security policies must account for LNK and HTML file execution outside of standard browser paths.
  • Extension Permissions: The Gemini vulnerability shows that “basic” extension permissions can be leveraged for lateral movement within the browser if the host application has high privileges.
  • SSO Hardening: Vishing attacks against SSO platforms are increasing. Implementing FIDO2-based hardware security keys can mitigate the risk of code-based phishing.
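The CarGurus intrusion described earlier (vishing for time-sensitive SSO codes) and the SSO hardening point above both come down to the same two questions for a security operations team: which successful MFA verifications used a factor a caller could have coaxed out of a user, and which users still have no phishing-resistant factor enrolled. The script below is an added example written for this article, not code from CarGurus, Okta or any other vendor. It works over a constructed, simplified event schema (timestamp, user, factor, source IP, result) rather than a real identity provider's log format, builds a per-user baseline of source IPs from events before a cutoff, and alerts on later successes that used a phishable factor from an IP never seen for that user, counting recent failures as a supporting signal. A second function lists users whose enrollment lacks a WebAuthn/FIDO2 factor.

```python
from datetime import datetime, timedelta

# Factors whose one-time code or approval a caller can talk a user into handing over.
PHISHABLE_FACTORS = {"totp", "sms", "voice", "push"}
# Origin-bound factors: there is no code a user can read out over the phone.
PHISHING_RESISTANT_FACTORS = {"webauthn", "fido2"}
FAILURE_LOOKBACK = timedelta(minutes=15)

# Constructed, simplified MFA verification events (not a vendor's real log schema).
EVENTS = [
    {"ts": "2026-02-03T09:01:00", "user": "alice", "factor": "webauthn", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2026-02-03T09:30:00", "user": "bob",   "factor": "totp",     "ip": "203.0.113.22", "result": "success"},
    {"ts": "2026-02-04T14:12:00", "user": "bob",   "factor": "totp",     "ip": "198.51.100.77", "result": "failure"},
    {"ts": "2026-02-04T14:15:00", "user": "bob",   "factor": "totp",     "ip": "198.51.100.77", "result": "success"},
    {"ts": "2026-02-04T15:00:00", "user": "carol", "factor": "sms",      "ip": "203.0.113.40", "result": "success"},
    {"ts": "2026-02-04T16:00:00", "user": "alice", "factor": "totp",     "ip": "203.0.113.10", "result": "success"},
]

# Constructed factor enrollment table.
ENROLLMENTS = {
    "alice": {"webauthn", "totp"},
    "bob": {"totp"},
    "carol": {"sms"},
}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect_unfamiliar_mfa(events: list, baseline_until: str) -> list:
    """Alert on successful phishable-factor verifications from an IP never seen
    for that user. Events before `baseline_until` only build the baseline."""
    events = sorted(events, key=lambda e: e["ts"])
    cutoff = _ts(baseline_until)
    known_ips = {}
    alerts = []
    for i, e in enumerate(events):
        if e["result"] != "success":
            continue
        when = _ts(e["ts"])
        seen = known_ips.setdefault(e["user"], set())
        flagged = (when >= cutoff
                   and e["factor"] in PHISHABLE_FACTORS
                   and e["ip"] not in seen)
        if flagged:
            # Failed attempts shortly before the success suggest a live, coached exchange.
            prior_failures = sum(
                1 for p in events[:i]
                if p["user"] == e["user"] and p["result"] == "failure"
                and when - _ts(p["ts"]) <= FAILURE_LOOKBACK
            )
            alerts.append({"ts": e["ts"], "user": e["user"], "factor": e["factor"],
                           "ip": e["ip"], "prior_failures": prior_failures})
        else:
            seen.add(e["ip"])  # flagged IPs stay out of the baseline until triaged
    return alerts


def users_without_phishing_resistant_factor(enrollments: dict) -> list:
    """Users who have no WebAuthn/FIDO2 factor and so depend on a phishable one."""
    return sorted(u for u, factors in enrollments.items()
                  if not (set(factors) & PHISHING_RESISTANT_FACTORS))


if __name__ == "__main__":
    for alert in detect_unfamiliar_mfa(EVENTS, "2026-02-04T00:00:00"):
        print("ALERT", alert)
    print("no phishing-resistant factor:",
          users_without_phishing_resistant_factor(ENROLLMENTS))
```

On the sample data the alert for bob is the one to chase: a TOTP success from a never-seen address three minutes after a failure from the same address. The enrollment report is the longer-term fix, since moving those users to hardware-backed keys removes the code the caller is asking for in the first place.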

For business leaders, the focus shifts to data governance and third-party risk. The CarGurus incident shows that data theft is often followed by public shaming and extortion. Organizations must have predefined incident response plans for data leak scenarios.

PurpleOps Expertise in Threat Intelligence and Mitigation

PurpleOps provides the necessary tools and expertise to address the multifaceted threats described in this report. Our focus on high-fidelity data and technical analysis ensures that organizations remain informed of the latest zero-day exploits and threat actor movements.

Cyber Threat Intelligence and Ransomware Defense

Through our cyber threat intelligence services, we track groups like APT28 and ShinyHunters across various platforms. This includes Telegram threat monitoring to identify campaign planning and underground forum intelligence to monitor the sale of exploited data.

For organizations concerned about the rise in targeted extortion, our ransomware protection solutions provide real-time ransomware intelligence and access to a live ransomware API. These tools allow for the automated ingestion of Indicators of Compromise (IoCs) and the identification of active ransomware infrastructure before an encryption event occurs.

Vulnerability Management and Penetration Testing

The discovery of zero-days in MSHTML and Android components requires proactive testing. PurpleOps offers specialized penetration testing and red team operations to simulate advanced persistent threat (APT) activities. By mimicking the tactics of actors like APT28, we identify weaknesses in MotW implementation and shell execution policies within your environment.

Monitoring and Detection

Detection of sophisticated breaches requires visibility into the deep and dark web. Our dark web monitoring service alerts organizations to leaked credentials and sensitive documents. Combined with breach detection capabilities within our platform, PurpleOps provides a comprehensive view of an organization’s digital footprint.

Furthermore, we assist in managing supply-chain information security. This involves supply-chain risk monitoring of third-party vendors and software components, ensuring that vulnerabilities like the Qualcomm display defect are identified and patched promptly across the enterprise.

To learn more about how PurpleOps can secure your organization against advanced threats and zero-day vulnerabilities, visit our services page or contact our team for a detailed consultation.

Frequently Asked Questions

What is CVE-2026-21513 and how does it affect Windows users?
CVE-2026-21513 is a high-severity security feature bypass in the MSHTML framework. It allows attackers to execute local or remote resources outside the browser’s security sandbox by exploiting insufficient URL validation in ieframe.dll.

How did the CarGurus data breach occur?
The breach occurred via a sophisticated voice phishing (vishing) campaign. Attackers tricked employees into providing SSO codes for services like Okta and Google, allowing them to bypass MFA and exfiltrate 12.5 million user records.

What was the risk associated with CVE-2026-0628 in Google Chrome?
This vulnerability allowed browser extensions to hijack the privileged Gemini AI side panel. Attackers could potentially access the device camera, microphone, and local files by exploiting the declarativeNetRequest API.

Which devices are affected by the Qualcomm CVE-2026-21385 vulnerability?
Approximately 234 different Qualcomm chipsets used in various Android devices are affected. This memory corruption flaw in the display component could lead to remote code execution and is being exploited in targeted attacks.

Why is Anthropic being phased out of defense contracts?
The phase-out follows Anthropic’s refusal to remove safeguards that prevent its AI models from being used for autonomous weapons or mass surveillance, leading to it being labeled a supply-chain risk.