State-Sponsored Hackers Exploit 'ShiftScribe' Zero-Day (CVE-2026-35801) in Apex-Office Suite

Actively Exploited 'ShiftScribe' Zero-Day in Apex-Office Suite Puts Millions at Risk

CRITICAL
July 1, 2026
5m read
Vulnerability, Threat Actor, Cyberattack

Impact Scope

People Affected

Over 100 million users worldwide

Industries Affected

Government, Defense

Geographic Impact

North America, Europe (global)

Related Entities

Threat Actors

Gilded Moth (APT42)

Organizations

Apex Software, Volexity, CISA

Products & Tech

Apex-Office Suite

Other

Inkwell

CVE Identifiers

CVE-2026-35801 (CRITICAL, CVSS 9.6)

Full Report

Executive Summary

A critical, actively exploited zero-day remote code execution (RCE) vulnerability has been identified in the Apex-Office Suite, a software package used by over 100 million people worldwide. The vulnerability, dubbed 'ShiftScribe' and tracked as CVE-2026-35801, has a CVSS score of 9.6 (Critical). The state-sponsored threat actor Gilded Moth (also known as APT42) is exploiting this flaw in targeted spear-phishing campaigns to deploy a custom backdoor known as Inkwell. The attacks are primarily aimed at government and defense entities in North America and Europe. Developer Apex Software is working on a patch, and CISA has issued an emergency directive due to the active exploitation.

Vulnerability Details

CVE-2026-35801 is a remote code execution vulnerability located in the custom font parsing engine of the Apex-Office Suite. An attacker can exploit this flaw by crafting a malicious document (e.g., .apxdoc) and convincing a user to open it. Upon opening the file, the flawed font parser can be triggered, leading to arbitrary code execution with the privileges of the logged-on user. No further user interaction is required beyond opening the file.

  • Vulnerability Type: RCE in font parsing engine.
  • Attack Vector: Malicious document delivered via spear-phishing.
  • User Interaction: Required (user must open the file).
  • Authentication: Not required.

Affected Systems

According to Apex Software, the vulnerability affects all versions of the Apex-Office Suite from 2019 through the latest 2026 release. This wide range of affected versions means a very large attack surface, encompassing millions of users across various sectors.

Exploitation Status

The vulnerability was discovered by security firm Volexity, which observed it being used in the wild. The threat actor, Gilded Moth (APT42), is a sophisticated state-sponsored group known for espionage activities. Their current campaign uses highly targeted spear-phishing emails containing malicious Apex-Office documents. These emails are designed to look like legitimate internal communications, increasing their likelihood of success.

CISA has added CVE-2026-35801 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation and mandating that federal agencies patch within 72 hours of a patch's release.

Impact Assessment

Successful exploitation of 'ShiftScribe' grants an attacker full control over the victim's system. For the targeted government and defense organizations, this could lead to:

  • Espionage: Theft of classified or sensitive national security information.
  • Persistence: The Inkwell backdoor allows the attacker to maintain long-term access to the compromised network.
  • Lateral Movement: From the initial compromised host, attackers can move through the network to target other high-value systems.
  • Data Integrity and Destruction: Attackers could potentially alter or delete critical data.

For the broader user base of 100 million, the risk is that other threat actors will reverse-engineer the patch and develop their own exploits, leading to widespread attacks by ransomware groups and other cybercriminals.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Process Name: ApexOffice.exe. Look for ApexOffice.exe spawning suspicious child processes like cmd.exe, powershell.exe, or any unsigned executables.
  • Network Traffic: Unusual outbound C2 traffic. Monitor for network connections from ApexOffice.exe to unknown or suspicious domains/IPs, especially over non-standard ports.
  • File System: Suspicious font files. Monitor for the creation of unusual font files (.ttf, .otf) in temporary directories upon opening documents.
  • Log Source: EDR/Endpoint Logs. Hunt for process chains where an office application spawns a command shell which then makes a network connection.

Detection Methods

  • Endpoint Detection (EDR): EDR solutions should be configured to monitor for suspicious process chains originating from ApexOffice.exe. Rules can be created to alert on the spawning of command-line interpreters or network utilities.
  • Network Intrusion Detection Systems (NIDS): While the initial payload is encrypted in email, NIDS can be used to detect the C2 communication of the Inkwell backdoor. Look for periodic, beacon-like traffic to untrusted domains. Use D3FEND's Network Traffic Analysis.
  • Email Security Gateway: While the current spear-phishing may bypass some checks, enhance email filtering to scrutinize attachments, especially from external sources. Implement policies to warn users about opening documents from untrusted senders.
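The "periodic, beacon-like traffic" hunt in the NIDS item above can be reduced to a simple statistic: for each (process, destination, port) tuple, the spread of the inter-connection intervals relative to their mean. The example below is added here and is not code from the article, Apex Software, or Volexity; the log format, the `proc=`/`dst=`/`dport=` fields, the domain names and the timestamps are all constructed for illustration, and the thresholds (six or more connections, coefficient of variation at or below 0.2) are assumptions to be tuned per environment. It also flags the non-standard-port condition from the hunting hints.

```python
"""Hunt for beacon-like outbound connections in constructed connection logs.

Added example, not vendor or article code. Groups connections by
(process, destination, port), measures how regular the gaps between
connections are, and reports groups that look like a fixed-interval beacon.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines. The ApexOffice.exe process is only the
# example process name used throughout the article; every domain,
# timestamp and port here is made up for the demonstration.
SAMPLE_LOG = """\
2026-07-01T09:00:00 proc=ApexOffice.exe dst=cdn-update.example dport=8443
2026-07-01T09:00:10 proc=ApexOffice.exe dst=vendor-docs.example dport=443
2026-07-01T09:00:12 proc=ApexOffice.exe dst=vendor-docs.example dport=443
2026-07-01T09:01:01 proc=ApexOffice.exe dst=cdn-update.example dport=8443
2026-07-01T09:01:59 proc=ApexOffice.exe dst=cdn-update.example dport=8443
2026-07-01T09:03:00 proc=ApexOffice.exe dst=cdn-update.example dport=8443
2026-07-01T09:04:02 proc=ApexOffice.exe dst=cdn-update.example dport=8443
2026-07-01T09:04:58 proc=ApexOffice.exe dst=cdn-update.example dport=8443
2026-07-01T09:06:01 proc=ApexOffice.exe dst=cdn-update.example dport=8443
2026-07-01T09:07:40 proc=ApexOffice.exe dst=vendor-docs.example dport=443
2026-07-01T09:30:05 proc=ApexOffice.exe dst=vendor-docs.example dport=443
2026-07-01T10:15:00 proc=ApexOffice.exe dst=vendor-docs.example dport=443
2026-07-01T10:15:03 proc=ApexOffice.exe dst=vendor-docs.example dport=443
2026-07-01T11:02:20 proc=ApexOffice.exe dst=vendor-docs.example dport=443
2026-07-01T11:30:00 proc=ApexOffice.exe dst=vendor-fonts.example dport=443
"""

# Assumed log line shape: "<ISO timestamp> proc=<image> dst=<host> dport=<port>"
LINE_RE = re.compile(r"^(\S+) proc=(\S+) dst=(\S+) dport=(\d+)$")


def parse_log(text):
    """Return a list of (timestamp, process, destination, port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        events.append((datetime.fromisoformat(m.group(1)),
                       m.group(2), m.group(3), int(m.group(4))))
    return events


def find_beacons(events, min_connections=6, max_cv=0.2, standard_ports=(80, 443)):
    """Flag (process, destination, port) groups whose connection gaps are
    suspiciously regular. cv = population stdev / mean of the gaps; a
    fixed-interval beacon with modest jitter has a small cv, while
    human-driven traffic is bursty and scores high."""
    groups = defaultdict(list)
    for ts, proc, dst, port in events:
        groups[(proc, dst, port)].append(ts)

    findings = []
    for (proc, dst, port), stamps in groups.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "process": proc,
                "destination": dst,
                "port": port,
                "connections": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                "nonstandard_port": port not in standard_ports,
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this reports only the 8443 destination, contacted roughly every 60 seconds with a few seconds of jitter; the documentation host, reached in irregular bursts, is not flagged. In production, run this over a window long enough to collect the minimum sample count, and treat a hit as a hunting lead to enrich with domain reputation and process lineage rather than as a verdict on its own.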

Remediation Steps

  1. Apply Patch (When Available): The most important step is to apply the security patch from Apex Software as soon as it is released. Given the CISA directive, this should be treated as an emergency change.
  2. Temporary Mitigation: Apex Software has advised users to enable 'Protected View' mode for all documents from untrusted sources. This feature opens documents in a sandboxed environment, which can prevent the exploit from executing. This is a critical temporary measure until a patch is available.
  3. User Awareness: Inform users about this threat. Advise them to be extremely cautious about opening unsolicited documents, even if they appear to be from a known or internal source. Reinforce the importance of verifying the sender before opening attachments.
  4. Threat Hunting: Proactively hunt for signs of compromise using the observables and detection methods described above, especially in high-risk environments like government and defense.

Timeline of Events

July 1, 2026: This article was published.

MITRE ATT&CK Mitigations

Applying the vendor patch for CVE-2026-35801 is the primary and most effective mitigation.

Using 'Protected View' or other sandboxing features contains the exploit and prevents it from affecting the underlying system.

Training users to identify and report suspicious emails and attachments can prevent the initial execution of the malicious file.

Endpoint security solutions that block suspicious process chains (e.g., office app spawning a shell) can prevent the payload from running.

D3FEND Defensive Countermeasures

The highest priority action is to deploy the security patch for CVE-2026-35801 from Apex Software immediately upon its release. Given its status as an actively exploited zero-day in the CISA KEV catalog, this should be treated as an emergency change. Organizations should use automated software deployment tools to ensure the patch reaches all endpoints running any version of Apex-Office Suite from 2019-2026. Verification scans should be run post-deployment to confirm all systems are patched and no vulnerable instances remain.

As a temporary mitigation until a patch can be deployed, enable 'Protected View' in Apex-Office Suite. This feature acts as a form of dynamic analysis or sandboxing, opening documents from untrusted sources in a restricted environment. This prevents the malicious code within the document's font parser from executing and compromising the host system. Security teams should enforce this setting via Group Policy or other configuration management tools across the enterprise to ensure consistent application. This directly addresses the exploitation vector by containing the malicious file's behavior.

Configure EDR and security monitoring tools to detect and alert on anomalous process creation events originating from ApexOffice.exe. Specifically, create rules that trigger when ApexOffice.exe spawns child processes such as 'cmd.exe', 'powershell.exe', 'wscript.exe', or 'cscript.exe'. In the context of the 'ShiftScribe' exploit, this would detect the post-exploitation stage where the malware attempts to execute commands or download the 'Inkwell' backdoor. This provides a critical detection layer that can catch the exploit even if the initial file opening is not blocked.
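The process-chain logic described in this paragraph, in the EDR item under Detection Methods, and in the hunting hints (office application spawning an interpreter or an unsigned executable, and an interpreter with an office ancestor making a network connection) can be prototyped against exported telemetry before it is turned into an EDR rule. The example below is added here and is not code from the article, Apex Software, or any EDR vendor; the event dictionary fields (`pid`, `ppid`, `image`, `signed`, `dst`, `dport`), the process IDs and the addresses are constructed for the demonstration, and the `stage1.exe` unsigned binary is a placeholder rather than an indicator from the page.

```python
"""Prototype the ApexOffice.exe process-chain hunts over constructed EDR telemetry.

Added example, not article or vendor code. Three rules:
  office-spawns-interpreter : ApexOffice.exe -> cmd/powershell/wscript/cscript
  office-spawns-unsigned    : ApexOffice.exe -> any unsigned executable
  office-shell-network      : interpreter with an office ancestor opens a connection
"""

OFFICE_IMAGES = {"apexoffice.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry (field names and values are assumptions, not
# a real EDR schema). Process events carry pid/ppid/image/signed; network
# events carry the pid that opened the connection.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 900, "ppid": 1, "image": "explorer.exe", "signed": True},
    {"type": "process", "pid": 1200, "ppid": 900, "image": "ApexOffice.exe", "signed": True},
    {"type": "process", "pid": 1210, "ppid": 1200, "image": "splwow64.exe", "signed": True},
    {"type": "process", "pid": 1340, "ppid": 1200, "image": "powershell.exe", "signed": True},
    {"type": "process", "pid": 1355, "ppid": 1200, "image": "stage1.exe", "signed": False},
    {"type": "network", "pid": 1340, "dst": "203.0.113.7", "dport": 8443},
    {"type": "network", "pid": 900, "dst": "198.51.100.20", "dport": 443},
]


def build_process_table(events):
    """Index process-creation events by pid so ancestry can be walked."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def lineage(pid, table):
    """Return lower-cased image names from pid upward (self first),
    stopping at an unknown parent or a cycle."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid]["image"].lower())
        pid = table[pid]["ppid"]
    return chain


def hunt(events):
    """Evaluate the three rules and return a list of alert dicts in event order."""
    table = build_process_table(events)
    alerts = []
    for e in events:
        if e["type"] == "process":
            parent = table.get(e["ppid"])
            if not parent or parent["image"].lower() not in OFFICE_IMAGES:
                continue
            image = e["image"].lower()
            chain = f"{parent['image']} -> {e['image']}"
            if image in INTERPRETERS:
                alerts.append({"rule": "office-spawns-interpreter", "pid": e["pid"], "chain": chain})
            elif not e.get("signed", False):
                alerts.append({"rule": "office-spawns-unsigned", "pid": e["pid"], "chain": chain})
        elif e["type"] == "network":
            chain = lineage(e["pid"], table)
            # The connecting process must itself be an interpreter, and some
            # ancestor (not the process itself) must be the office application.
            if chain and chain[0] in INTERPRETERS and any(i in OFFICE_IMAGES for i in chain[1:]):
                path = " -> ".join(reversed(chain))
                alerts.append({"rule": "office-shell-network", "pid": e["pid"],
                               "chain": f"{path} -> {e['dst']}:{e['dport']}"})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The signed print helper (`splwow64.exe`) spawned by the office process is deliberately left alone by all three rules, which is the kind of benign child a production rule must tolerate; the unsigned-executable rule and the interpreter rule are kept separate so each can be tuned (for example, allow-listing signed helpers by publisher) without weakening the other.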

Sources & References

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

zero-day, rce, apt, espionage, spear-phishing, vulnerability, cisa kev
