APT28 Deploys New PRISMEX Malware in Cyber Attacks on Ukraine, NATO Allies

APT28’s PRISMEX Malware: A New Cyber Threat to Ukraine and NATO Allies

The Russian cyber-espionage group known as APT28, also referred to as Forest Blizzard and Pawn Storm, has initiated a sophisticated spear-phishing campaign targeting Ukraine and its allies. This operation employs a newly identified malware suite named PRISMEX, which integrates advanced techniques such as steganography, Component Object Model (COM) hijacking, and the exploitation of legitimate cloud services for command-and-control (C2) communications.

According to Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara, PRISMEX has been active since at least September 2025. The campaign has focused on various sectors within Ukraine, including central executive bodies, hydrometeorology, defense, and emergency services. Additionally, it has extended its reach to rail logistics in Poland, maritime and transportation sectors in Romania, Slovenia, and Turkey, as well as logistical support partners involved in ammunition initiatives in Slovakia and the Czech Republic. Military and NATO partners have also been targeted.

Exploitation of Vulnerabilities

A notable aspect of this campaign is APT28’s rapid exploitation of newly disclosed vulnerabilities, specifically CVE-2026-21509 and CVE-2026-21513. Infrastructure preparations for these exploits were observed as early as January 12, 2026, two weeks prior to the public disclosure of CVE-2026-21509. This suggests that APT28 had advanced knowledge of these vulnerabilities, enabling them to deploy zero-day exploits effectively.

In late February 2025, Akamai reported that APT28 may have utilized CVE-2026-21513 as a zero-day exploit. A Microsoft Shortcut (LNK) exploit associated with this vulnerability was uploaded to VirusTotal on January 30, 2026, preceding Microsoft’s release of a patch on February 10, 2026. The overlap in the exploitation of these two vulnerabilities, particularly the use of the domain wellnesscaremed[.]com, indicates a potential two-stage attack chain. Trend Micro theorizes that CVE-2026-21509 compels the victim’s system to retrieve a malicious .LNK file, which then exploits CVE-2026-21513 to bypass security features and execute payloads without user warnings.

Components of PRISMEX

The PRISMEX malware suite comprises several interconnected components designed to evade detection and maintain persistence:

– PrismexSheet: A malicious Excel dropper containing VBA macros that extract payloads embedded within the file using steganography. It establishes persistence through COM hijacking and displays a decoy document related to drone inventory and pricing once macros are enabled.

– PrismexDrop: A native dropper that prepares the environment for further exploitation. It utilizes scheduled tasks and COM DLL hijacking to maintain persistence on the infected system.

– PrismexLoader (also known as PixyNetLoader): A proxy DLL that extracts the next-stage .NET payload concealed within a PNG image (SplashScreen.png) using a custom Bit Plane Round Robin algorithm. This payload is executed entirely in memory, enhancing stealth.

– PrismexStager: A COVENANT Grunt implant that leverages Filen.io cloud storage for C2 communications, allowing the malware to blend malicious traffic with legitimate web activity.
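Because PrismexSheet and PrismexDrop both persist through COM hijacking, a defender's first triage step on a suspect host is to audit per-user COM registrations for the hijack pattern: an HKCU CLSID key that shadows a machine-wide one or whose InprocServer32 points at a DLL in a user-writable directory. The read-only script below is an added example written for this article, not code from Trend Micro's report; it assumes a Windows host, standard environment variables, and covers only HKCU\Software\Classes\CLSID (the Wow6432Node tree and scheduled tasks need a separate check).

```powershell
# Added example (not from the Trend Micro report): audit HKCU COM registrations
# for the hijack pattern. Read-only; emits one object per suspicious CLSID.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                  "$env:USERPROFILE\Downloads", $env:PUBLIC) | Where-Object { $_ }

function Test-UserWritablePath {
    param([string]$Path)
    # Registry values may be quoted and may use %VAR% syntax; normalise before comparing
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($dir in $userWritable) {
        if ($p.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousComRegistrations {
    $findings  = @()
    $hkcuClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $hkcuClsid)) { return $findings }
    Get-ChildItem $hkcuClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "$hkcuClsid\$clsid\InprocServer32"
        if (-not (Test-Path $server)) { return }        # 'return' here = continue
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { return }
        # COM resolves HKCU before HKLM, so a per-user key that shadows an existing
        # machine-wide CLSID redirects every process loading that class to the user DLL.
        $shadowsHklm = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"
        $inUserDir   = Test-UserWritablePath $dll
        $dllPath     = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        $onDisk      = Test-Path -LiteralPath $dllPath
        if ($shadowsHklm -or $inUserDir) {
            $findings += [pscustomobject]@{
                CLSID        = $clsid
                Dll          = $dll
                ShadowsHKLM  = $shadowsHklm
                UserWritable = $inUserDir
                DllOnDisk    = $onDisk
                Signature    = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'n/a' }
            }
        }
    }
    return $findings
}

Get-SuspiciousComRegistrations | Format-Table -AutoSize
```

A hit with ShadowsHKLM and UserWritable both true and Signature of NotSigned is the strongest indicator; a missing DLL (DllOnDisk false) can mean a cleaned-up dropper and still warrants a look at the key's timestamps and the scheduled tasks created around the same time.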

Some aspects of this campaign were previously documented by Zscaler ThreatLabz under the moniker Operation Neusploit.

Strategic Implications

APT28’s use of COVENANT, an open-source C2 framework, was first highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. PrismexStager is considered an evolution of MiniDoor and NotDoor (also known as GONEPOSTAL), Microsoft Outlook backdoors deployed by the group in late 2025.

In at least one incident in October 2025, the COVENANT Grunt payload facilitated information gathering and executed a destructive wiper command that erased all files under the %USERPROFILE% directory. This dual capability suggests that the campaign may be designed for both espionage and sabotage.

Trend Micro’s analysis indicates that Pawn Storm remains one of the most aggressive Russia-aligned intrusion sets. The targeting pattern reveals a strategic intent to compromise the supply chain and operational planning capabilities of Ukraine and its NATO partners. The focus on targeting supply chains, weather services, and humanitarian corridors supporting Ukraine represents a shift toward operational disruption that may precede more destructive activities.

Conclusion

The deployment of PRISMEX by APT28 underscores the evolving nature of cyber threats faced by Ukraine and its allies. The combination of advanced techniques, rapid exploitation of vulnerabilities, and strategic targeting highlights the need for robust cybersecurity measures and international cooperation to mitigate such threats.