APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

AndyC 9 April 2026

Ravie LakshmananApr 08, 2026Vulnerability / Cloud Security

The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undo

APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

Ravie LakshmananApr 08, 2026Vulnerability / Cloud Security

APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX.

“PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control,” Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara said in a technical report. The campaign is believed to be active since at least  September 2025.

The activity has targeted various sectors in Ukraine, including central executive bodies, hydrometeorology, defense, and emergency services, as well as rail logistics (Poland), maritime and transportation (Romania, Slovenia, Turkey), and logistical support partners involved in ammunition initiatives (Slovakia, Czech Republic), and military and NATO partners.

The campaign is notable for the rapid weaponization of newly disclosed flaws, such as CVE-2026-21509 and CVE-2026-21513, to breach targets of interest, with infrastructure preparation observed on January 12, 2026, exactly two weeks before the former was publicly disclosed.

In late February 2025, Akamai also disclosed that APT28 may have weaponized CVE-2026-21513 as a zero-day based on a Microsoft Shortcut (LNK) exploit that was uploaded to VirusTotal on January 30, 2026, well before the Windows maker pushed out a fix as part of its Patch Tuesday update on February 10, 2026.

This pattern of zero-day exploitation indicates that the threat actor had advanced knowledge of the vulnerabilities prior to them being revealed by Microsoft.

An interesting overlap between campaigns exploiting the two vulnerabilities is the domain “wellnesscaremed[.]com.” This commonality, combined with the timing of the two exploits, has raised the possibility that the threat actors are stringing together CVE-2026-21513 and CVE-2026-21509 into a sophisticated two-stage attack chain.

“The first vulnerability (CVE-2026-21509) forces the victim’s system to retrieve a malicious .LNK file, which then exploits the second vulnerability (CVE-2026-21513) to bypass security features and execute payloads without user warnings,” Trend Micro theorized.

The attacks culminate in the deployment of either MiniDoor, an Outlook email stealer, or a collection of interconnected malware components collectively known as PRISMEX, so named for the use of a steganographic technique to conceal payloads within image files. These include –

  • PrismexSheet, a malicious Excel dropper with VBA macros that extracts payloads embedded within the file using steganography, establishes persistence via COM hijacking, and displays a decoy document related to drone inventory lists and drone prices after macros are enabled.
  • PrismexDrop, a native dropper that readies the environment for follow-on exploitation and uses scheduled tasks and COM DLL hijacking for persistence.
  • PrismexLoader (aka PixyNetLoader), a proxy DLL that extracts the next-stage .NET payload scattered across a PNG image’s (“SplashScreen.png”) file structure using a bespoke “Bit Plane Round Robin” algorithm and runs it entirely in memory.
  • PrismexStager, a COVENANT Grunt implant that abuses Filen.io cloud storage for C2.

It’s worth mentioning here that some aspects of the campaign were previously documented by Zscaler ThreatLabz under the moniker Operation Neusploit

APT28’s use of COVENANT, an open-source command-and-control (C2) framework, was first highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. PrismexStager is assessed to be an expansion of MiniDoor and NotDoor (aka GONEPOSTAL), a Microsoft Outlook backdoor deployed by the hacking group in late 2025.

In at least one incident in October 2025, the COVENANT Grunt payload was found to not only facilitate information gathering, but also run a destructive wiper command that erases all files under the “%USERPROFILE%” directory. This dual capability lends weight to the hypothesis that these campaigns could be designed for both espionage and sabotage. 

“This operation demonstrates that Pawn Storm remains one of the most aggressive Russia-aligned intrusion sets,” Trend Micro said. “The targeting pattern reveals a strategic intent to compromise the supply chain and operational planning capabilities of Ukraine and its NATO partners.”

“The strategic focus on targeting the supply chains, weather services, and humanitarian corridors supporting Ukraine represents a shift toward operational disruption that may presage more destructive activities.”

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

What do you feel about this?

More Stories

New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy

New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy

AndyC 9 April 2026
Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices

Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices

AndyC 9 April 2026
Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP)

Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP)

AndyC 9 April 2026
Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems

Anthropic’s Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems

AndyC 9 April 2026
N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust

N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust

AndyC 9 April 2026
Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs

Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs

AndyC 8 April 2026

You may have missed

How do Agentic AIs deliver value to enterprises

How do Agentic AIs deliver value to enterprises

AndyC 9 April 2026
Signature Healthcare hit by cyberattack, services and pharmacies impacted

Signature Healthcare hit by cyberattack, services and pharmacies impacted

AndyC 9 April 2026
What Mythos Reveals About Zero Trust’s Scope Problem

What Mythos Reveals About Zero Trust’s Scope Problem

AndyC 9 April 2026
How do Agentic AIs deliver value to enterprises

Randall Munroe’s XKCD ‘Dental Formulas’

AndyC 9 April 2026
It’s iPhone speculation time: flips, flaps — and Fold

Fighting Eventual Consistency-Based Persistence – An Analysis of notyet

AndyC 9 April 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.