Security researchers have confirmed how a 9.8 severity vulnerability was used in a zero-click cyber attack chain by Russian hackers against Windows users.