APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies
TL;DR
The Russian state-sponsored threat actor APT28 (Forest Blizzard/Pawn Storm) is conducting a spear-phishing campaign using a new malware suite dubbed PRISMEX. The operation targets Ukraine and its NATO allies, weaponizing zero-day vulnerabilities (CVE-2026-21509 and CVE-2026-21513) to deploy payloads designed for both espionage and destructive sabotage.
Overview of the PRISMEX Campaign
A fresh spear-phishing campaign linked to the notorious Russian threat group APT28 has been identified by researchers at Trend Micro. Active since at least September 2025, the campaign introduces a previously undocumented malware suite codenamed PRISMEX.
According to researchers Feike Hacquebord and Hiroyuki Kakara, PRISMEX is a sophisticated toolkit that leverages advanced steganography, Component Object Model (COM) hijacking, and the abuse of legitimate cloud services for command-and-control (C2) operations.
Strategic Targeting: Energy, Logistics, and Defense
The campaign shows a clear strategic focus on disrupting the supply chains and operational planning of Ukraine and its international supporters. Impacted sectors include:
- Ukraine: Central executive bodies, defense, emergency services, hydrometeorology, and weather services.
- Poland: Rail logistics.
- Romania, Slovenia, and Turkey: Maritime and transportation sectors.
- Slovakia and Czech Republic: Logistical support partners involved in ammunition initiatives.
- International: Various military and NATO partners.
Trend Micro suggests that the focus on weather services and humanitarian corridors indicates a shift toward operational disruption that could precede more destructive kinetic or cyber activities.
Weaponizing Zero-Days
A hallmark of this campaign is APT28’s rapid weaponization of newly disclosed vulnerabilities. The timeline suggests the group had advance knowledge of the flaws before they were publicly revealed:
- CVE-2026-21509: Infrastructure for exploitation was observed on January 12, 2026—two weeks before public disclosure.
- CVE-2026-21513: Exploited as a zero-day via a malicious Microsoft Shortcut (LNK) file uploaded to VirusTotal on January 30, 2026, well before Microsoft issued a patch on February 10, 2026.
Researchers believe the actors are "stringing" these vulnerabilities together into a two-stage attack chain. The first flaw forces the system to retrieve a malicious LNK file, which then exploits the second flaw to bypass security warnings and execute payloads silently.
The PRISMEX Malware Suite
The PRISMEX suite uses steganography to conceal payloads within image files, making detection significantly more difficult. The suite consists of several interconnected components:
- PrismexSheet: A malicious Excel dropper using VBA macros. It uses steganography to extract embedded payloads and establishes persistence via COM hijacking. It often displays a decoy document regarding drone inventory and pricing.
- PrismexDrop: A native dropper that prepares the victim's environment and uses scheduled tasks and COM DLL hijacking for persistence.
- PrismexLoader (PixyNetLoader): A proxy DLL that extracts a .NET payload hidden within a PNG file ("SplashScreen.png") using a custom "Bit Plane Round Robin" algorithm. The payload runs entirely in memory.
- PrismexStager: A COVENANT Grunt implant that abuses the Filen.io cloud storage service for its C2 communications.
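The PixyNetLoader step above hides a .NET payload in the bit planes of a PNG. The real "Bit Plane Round Robin" encoding is not described on this page, so the following is an added illustration of the technique class rather than the malware's own algorithm or Trend Micro's code. It assumes a simple scheme (a 4-byte big-endian length header, then one payload bit per colour sample, rotating the target bit plane 0, 1, 2, 0, ...), shows how little the cover pixels change, and how an analyst recovers the blob once the scheme is known.

```python
"""
Toy bit-plane round-robin steganography for RGB pixel data.

Added illustration only: PixyNetLoader's real "Bit Plane Round Robin" scheme
is not documented on this page. Assumed scheme: payload is framed with a
4-byte big-endian length, then written one bit per colour sample, rotating
the target bit plane 0 -> 1 -> 2 -> 0 ... as the sample index advances.
"""
import struct
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]
PLANES = (0, 1, 2)          # assumption: only the three lowest planes are used


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _flatten(pixels: List[Pixel]) -> List[int]:
    return [channel for px in pixels for channel in px]


def _unflatten(samples: List[int]) -> List[Pixel]:
    return [tuple(samples[i:i + 3]) for i in range(0, len(samples), 3)]


def embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Return a copy of pixels carrying the length-prefixed payload."""
    framed = struct.pack(">I", len(payload)) + payload
    samples = _flatten(pixels)
    if len(framed) * 8 > len(samples):
        raise ValueError("cover image too small for payload")
    for i, bit in enumerate(_bits(framed)):
        plane = PLANES[i % len(PLANES)]
        # clear the chosen plane of this sample, then write the payload bit there
        samples[i] = (samples[i] & ~(1 << plane)) | (bit << plane)
    return _unflatten(samples)


def extract(pixels: List[Pixel]) -> bytes:
    """Recover the payload; the same plane rotation as embed() is assumed."""
    samples = _flatten(pixels)
    if len(samples) < 32:
        raise ValueError("cover too small to hold a length header")

    def read(start: int, count: int) -> int:
        value = 0
        for i in range(start, start + count):
            plane = PLANES[i % len(PLANES)]
            value = (value << 1) | ((samples[i] >> plane) & 1)
        return value

    length = read(0, 32)
    if length * 8 > len(samples) - 32:
        raise ValueError("length header does not fit the cover; wrong scheme?")
    return read(32, length * 8).to_bytes(length, "big") if length else b""


def make_cover(n_pixels: int) -> List[Pixel]:
    """Deterministic constructed cover image (not a real splash screen)."""
    return [((i * 7) % 256, (i * 13) % 256, (i * 29) % 256) for i in range(n_pixels)]


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-sample change; bounded by 2**max(PLANES) == 4."""
    return max(abs(x - y) for x, y in zip(_flatten(a), _flatten(b)))


if __name__ == "__main__":
    cover = make_cover(64)
    secret = b"MZ\x90\x00stub"          # constructed stand-in for a .NET blob
    stego = embed(cover, secret)
    print(extract(stego) == secret, max_channel_delta(cover, stego))
```

Because every sample moves by at most 4 out of 255, the carrier image looks unchanged and file-type scanners still see a valid PNG; the payload only becomes visible to tooling that reads the low bit planes in the same order the loader does.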
In addition to PRISMEX, APT28 has also been observed deploying MiniDoor, an Outlook email stealer, and NotDoor (aka GONEPOSTAL), a backdoor first seen in late 2025.
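PrismexSheet and PrismexDrop both persist through COM hijacking, which on Windows typically means registering an InprocServer32 value under the user-writable HKCU\Software\Classes\CLSID so that a per-user entry is loaded in place of the machine-wide one. The hunting helper below is an added example, not Trend Micro's tooling, and the registry lines in it are constructed rather than indicators from the report. It parses a flat key=value export of InprocServer32 values from both hives and flags per-user registrations that shadow an HKLM entry with a different DLL or that point into user-writable directories.

```python
"""
Hunting helper for COM hijacking via per-user CLSID registrations.

Added example; the registry lines below are constructed, not indicators from
the Trend Micro report. Input is a flat 'key=value' export of InprocServer32
values from HKCU and HKLM (the export format is an assumption of this example).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# HKCU\Software\Classes\CLSID\{GUID}\InprocServer32 (and its HKLM twin)
CLSID_KEY = re.compile(
    r"^(HKCU|HKLM)\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$",
    re.IGNORECASE,
)
# Locations a standard user can write to; a legitimate in-proc server is rarely here.
USER_WRITABLE = re.compile(r"(^C:\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\)", re.IGNORECASE)


@dataclass
class Finding:
    clsid: str
    user_dll: str
    machine_dll: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map hive -> {CLSID: server path} from 'key=value' lines; '#' starts a comment."""
    hives: Dict[str, Dict[str, str]] = {"HKCU": {}, "HKLM": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        match = CLSID_KEY.match(key.strip())
        if sep and match:
            hives[match.group(1).upper()][match.group(2).upper()] = value.strip()
    return hives


def hunt(hives: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag HKCU registrations that shadow HKLM or live in user-writable paths.

    Caveat: COM consults HKCU\\Software\\Classes before HKLM for medium-integrity
    processes only; elevated processes ignore per-user registrations, so a hit
    here explains persistence in the user's session, not privilege escalation.
    """
    findings: List[Finding] = []
    for clsid, user_dll in hives["HKCU"].items():
        machine_dll = hives["HKLM"].get(clsid)
        reasons = []
        if machine_dll is not None and machine_dll.lower() != user_dll.lower():
            reasons.append("HKCU entry shadows HKLM registration with a different server")
        if USER_WRITABLE.search(user_dll):
            reasons.append("server DLL resides in a user-writable path")
        if reasons:
            findings.append(Finding(clsid, user_dll, machine_dll, reasons))
    return findings


SAMPLE_EXPORT = r"""
# constructed sample data, not real indicators
HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32=C:\Windows\System32\shellsvc.dll
HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32=C:\Users\victim\AppData\Roaming\Updater\updater.dll
HKLM\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32=C:\Windows\System32\legit.dll
HKCU\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32=C:\Windows\System32\legit.dll
HKCU\Software\Classes\CLSID\{99999999-8888-7777-6666-555555555555}\InprocServer32=C:\ProgramData\Cache\cache.dll
"""


def run_sample() -> List[Finding]:
    """Run the hunt over the constructed export."""
    return hunt(parse_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for f in run_sample():
        print(f.clsid, f.user_dll, "|", "; ".join(f.reasons))
```

The second CLSID in the sample is deliberately benign (the per-user entry repeats the machine-wide path) and produces no finding; the interesting cases are a CLSID whose HKCU server differs from its HKLM one and a CLSID that exists only per-user and loads from ProgramData. In practice the export should be collected per logged-on user, since HKCU is a different hive for each profile.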
From Espionage to Sabotage
The campaign is not limited to data theft. In October 2025, researchers discovered a COVENANT Grunt payload that included a destructive wiper command designed to erase all files within the %USERPROFILE% directory. This dual capability suggests that APT28 is positioned to pivot from information gathering to active sabotage at any moment.
Conclusion
The emergence of PRISMEX highlights the evolving sophistication of APT28. By combining zero-day exploitation with stealthy steganographic techniques and the abuse of legitimate cloud infrastructure, the group continues to pose a severe threat to European security and Ukrainian defense efforts. As Trend Micro notes, Pawn Storm remains one of the most aggressive Russia-aligned threat actors, with a clear intent to compromise the logistical backbone of NATO's support for Ukraine.
Source: https://thehackernews.com/2026/04/apt28-deploys-prismex-malware-in.html