Over 100 million users worldwide
A critical, actively exploited zero-day remote code execution (RCE) vulnerability has been identified in the Apex-Office Suite, a software package used by over 100 million people worldwide. The vulnerability, dubbed 'ShiftScribe' and tracked as CVE-2026-35801, has a CVSS score of 9.6 (Critical). The state-sponsored threat actor Gilded Moth (also known as APT42) is exploiting this flaw in targeted spear-phishing campaigns to deploy a custom backdoor known as Inkwell. The attacks are primarily aimed at government and defense entities in North America and Europe. Developer Apex Software is working on a patch, and CISA has issued an emergency directive due to the active exploitation.
CVE-2026-35801 is a remote code execution vulnerability located in the custom font parsing engine of the Apex-Office Suite. An attacker can exploit this flaw by crafting a malicious document (e.g., .apxdoc) and convincing a user to open it. Upon opening the file, the flawed font parser can be triggered, leading to arbitrary code execution with the privileges of the logged-on user. No further user interaction is required beyond opening the file.
According to Apex Software, the vulnerability affects all versions of the Apex-Office Suite from 2019 through the latest 2026 release. This wide range of affected versions means a very large attack surface, encompassing millions of users across various sectors.
The vulnerability was discovered by security firm Volexity, which observed it being used in the wild. The threat actor, Gilded Moth (APT42), is a sophisticated state-sponsored group known for espionage activities. Their current campaign uses highly targeted spear-phishing emails containing malicious Apex-Office documents. These emails are designed to look like legitimate internal communications, increasing their likelihood of success.
CISA has added CVE-2026-35801 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation and requiring federal agencies to patch within 72 hours of the patch's release.
Successful exploitation of 'ShiftScribe' grants an attacker full control over the victim's system. For the targeted government and defense organizations, this could lead to:
For the broader user base of 100 million, the risk is that other threat actors will reverse-engineer the patch and develop their own exploits, leading to widespread attacks by ransomware groups and other cybercriminals.
The following patterns may help identify vulnerable or compromised systems:
- Process monitoring: ApexOffice.exe spawning suspicious child processes like cmd.exe, powershell.exe, or any unsigned executables.
- Network connections from ApexOffice.exe to unknown or suspicious domains/IPs, especially over non-standard ports.
- Font files (.ttf, .otf) written to temporary directories upon opening documents.
- EDR rules scoped to ApexOffice.exe. Rules can be created to alert on the spawning of command-line interpreters or network utilities.
- Network traffic analysis.

Mitigations:

- Applying the vendor patch for CVE-2026-35801 is the primary and most effective mitigation.
- Using 'Protected View' or other sandboxing features contains the exploit and prevents it from affecting the underlying system.
- Training users to identify and report suspicious emails and attachments can prevent the initial execution of the malicious file.
- Endpoint security solutions that block suspicious process chains (e.g., an office app spawning a shell) can prevent the payload from running.
The highest priority action is to deploy the security patch for CVE-2026-35801 from Apex Software immediately upon its release. Given its status as an actively exploited zero-day in the CISA KEV catalog, this should be treated as an emergency change. Organizations should use automated software deployment tools to ensure the patch reaches all endpoints running any version of Apex-Office Suite from 2019-2026. Verification scans should be run post-deployment to confirm all systems are patched and no vulnerable instances remain.
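The post-deployment verification step above can be scripted against an asset inventory. The following is an added example, not code from the advisory or from Apex Software: the inventory rows, the "YYYY.minor.build" version format, and the FIXED_BUILD value are constructed placeholders, since no patched build number has been published yet; the affected range (2019 through 2026) is taken from the advisory.

```python
"""Verify an Apex-Office rollout: flag hosts still on an affected build and
rank them by whether Protected View is enforced as an interim control.
Added example; inventory rows, version format and FIXED_BUILD are constructed."""
import re
from typing import NamedTuple

AFFECTED_YEARS = range(2019, 2027)     # 2019 through 2026, per the advisory
FIXED_BUILD = (2026, 1, 9999)          # PLACEHOLDER: replace with the vendor's patched build

VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")  # assumed "year.minor.build" format


def parse_version(text):
    """Turn '2024.1.210' into a comparable (2024, 1, 210) tuple."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version, fixed_build=FIXED_BUILD):
    """Affected if the release year is in the advisory's range and the build
    predates the fixed build (tuple comparison orders year, minor, build)."""
    parsed = parse_version(version)
    return parsed[0] in AFFECTED_YEARS and parsed < fixed_build


class Finding(NamedTuple):
    host: str
    version: str
    priority: str   # "critical", "high" or "patched"


PRIORITY_ORDER = {"critical": 0, "high": 1, "patched": 2}


def assess(inventory, fixed_build=FIXED_BUILD):
    """Classify every host; unpatched hosts without Protected View come first."""
    findings = []
    for row in inventory:
        if not is_vulnerable(row["version"], fixed_build):
            priority = "patched"
        elif row.get("protected_view"):
            priority = "high"       # still vulnerable, but the interim control is on
        else:
            priority = "critical"   # vulnerable and no containment at all
        findings.append(Finding(row["host"], row["version"], priority))
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f.priority])


def summary(inventory, fixed_build=FIXED_BUILD):
    """Counts per priority bucket, for the change ticket."""
    counts = {"critical": 0, "high": 0, "patched": 0}
    for finding in assess(inventory, fixed_build):
        counts[finding.priority] += 1
    return counts


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ws01", "version": "2019.3.4401", "protected_view": False},
    {"host": "ws02", "version": "2024.1.210", "protected_view": True},
    {"host": "ws03", "version": "2026.1.9999", "protected_view": False},
    {"host": "ws04", "version": "2026.1.10042", "protected_view": True},
    {"host": "srv01", "version": "2021.0.77", "protected_view": False},
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY):
        print(f"{finding.priority:8} {finding.host:6} {finding.version}")
    print(summary(SAMPLE_INVENTORY))
```

The ordering puts hosts that are both unpatched and outside Protected View at the top of the list, which is the population the advisory's emergency-change guidance cares about most; swap the constructed inventory for an export from your software-deployment tool.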
As a temporary mitigation until a patch can be deployed, enable 'Protected View' in Apex-Office Suite. This feature acts as a sandbox, opening documents from untrusted sources in a restricted environment. This prevents malicious code reached through the document's font parser from executing and compromising the host system. Security teams should enforce this setting via Group Policy or other configuration management tools across the enterprise to ensure consistent application. This directly addresses the exploitation vector by containing the malicious file's behavior.
Configure EDR and security monitoring tools to detect and alert on anomalous process creation events originating from ApexOffice.exe. Specifically, create rules that trigger when ApexOffice.exe spawns child processes such as 'cmd.exe', 'powershell.exe', 'wscript.exe', or 'cscript.exe'. In the context of the 'ShiftScribe' exploit, this would detect the post-exploitation stage where the malware attempts to execute commands or download the 'Inkwell' backdoor. This provides a critical detection layer that can catch the exploit even if the initial file opening is not blocked.
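The process-chain rule described here, together with the network-connection and dropped-font patterns from the detection list earlier on the page, can be expressed as simple checks over endpoint telemetry. The following is an added example, not code from the advisory or from any EDR vendor: the event fields mimic Sysmon process-creation (ID 1), network-connection (ID 3) and file-creation (ID 11) records, and every sample event, hostname, IP and the allowlisted update domain is constructed.

```python
"""Detection checks for the 'ShiftScribe' post-exploitation patterns:
ApexOffice.exe spawning interpreters or unsigned binaries, connecting out on
non-standard ports or to unknown hosts, and dropping font files in Temp.
Added example; event layout and sample events are constructed."""
import ntpath
from dataclasses import dataclass

OFFICE_IMAGE = "apexoffice.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
STANDARD_PORTS = {80, 443}
KNOWN_GOOD_DOMAINS = {"update.apex-software.example"}   # constructed allowlist
FONT_EXTENSIONS = {".ttf", ".otf"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def check_process_create(ev):
    """Event ID 1: office process as parent of an interpreter or unsigned child."""
    if _base(ev["parent_image"]) != OFFICE_IMAGE:
        return None
    child = _base(ev["image"])
    if child in SHELL_CHILDREN:
        return Alert("office_spawns_interpreter", ev["host"],
                     f"{child} cmdline={ev.get('command_line', '')}")
    if not ev.get("signed", False):
        return Alert("office_spawns_unsigned", ev["host"], ev["image"])
    return None


def check_network(ev):
    """Event ID 3: office process talking to a non-standard port or unknown host."""
    if _base(ev["image"]) != OFFICE_IMAGE:
        return None
    dest = f"{ev['dest_ip']}:{ev['dest_port']}"
    if ev["dest_port"] not in STANDARD_PORTS:
        return Alert("office_nonstandard_port", ev["host"], dest)
    if ev.get("dest_host", "") not in KNOWN_GOOD_DOMAINS:
        return Alert("office_unknown_destination", ev["host"], dest)
    return None


def check_file_create(ev):
    """Event ID 11: office process writing a font file under a Temp directory."""
    if _base(ev["image"]) != OFFICE_IMAGE:
        return None
    target = ev["target"].lower()
    if ntpath.splitext(target)[1] in FONT_EXTENSIONS and "\\temp\\" in target:
        return Alert("office_drops_font_in_temp", ev["host"], ev["target"])
    return None


CHECKS = {1: check_process_create, 3: check_network, 11: check_file_create}


def evaluate(events):
    """Run the matching check for each event and collect the alerts."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["event_id"])
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two benign events, four that should fire.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws01", "parent_image": r"C:\Program Files\Apex-Office\ApexOffice.exe",
     "image": r"C:\Program Files\Apex-Office\ApexUpdater.exe", "signed": True},
    {"event_id": 1, "host": "ws01", "parent_image": r"C:\Program Files\Apex-Office\ApexOffice.exe",
     "image": r"C:\Windows\System32\cmd.exe", "signed": True, "command_line": "cmd.exe /c whoami"},
    {"event_id": 1, "host": "ws02", "parent_image": r"C:\Program Files\Apex-Office\ApexOffice.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "signed": False},
    {"event_id": 3, "host": "ws02", "image": r"C:\Program Files\Apex-Office\ApexOffice.exe",
     "dest_ip": "203.0.113.10", "dest_port": 8443, "dest_host": ""},
    {"event_id": 3, "host": "ws03", "image": r"C:\Program Files\Apex-Office\ApexOffice.exe",
     "dest_ip": "198.51.100.5", "dest_port": 443, "dest_host": "update.apex-software.example"},
    {"event_id": 11, "host": "ws03", "image": r"C:\Program Files\Apex-Office\ApexOffice.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Temp\f1.ttf"},
    {"event_id": 1, "host": "ws04", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "signed": True},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

The last sample event is the important negative case: cmd.exe launched from Explorer must not fire, because the rule keys on the parent being the office binary rather than on the child alone, which is what keeps this kind of rule from flooding analysts with ordinary shell usage.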

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.