Perceptive Security
SOC/SIEM Consultancy

APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies
Published:
8 April 2026 at 13:50:00
Alert date:
8 April 2026 at 16:01:27
Source:
thehackernews.com
Ransomware & Malware, Zero-Day Vulnerabilities, Data Breach & Exfiltration, Email & Messaging
The Russian state-sponsored threat actor APT28 (also tracked as Forest Blizzard and Pawn Storm) is running a spear-phishing campaign against Ukraine and NATO member states using a previously undocumented malware suite named PRISMEX. The suite combines steganography, COM hijacking and abuse of a legitimate cloud storage service for command-and-control (C2). The campaign is active and coincides with ongoing geopolitical tensions around Ukraine.
Technical details
Initial access is by spear-phishing. The reported attack chain is two-stage and combines CVE-2026-21509 with CVE-2026-21513 (an MSHTML flaw). PRISMEX consists of four components:
PrismexSheet: Excel dropper whose VBA macros carry the next stage hidden with steganography.
PrismexDrop: native dropper that establishes persistence through scheduled tasks and COM DLL hijacking (MITRE ATT&CK T1546.015).
PrismexLoader: proxy DLL that extracts a .NET payload from PNG images using a Bit Plane Round Robin algorithm.
PrismexStager: COVENANT Grunt implant that uses the Filen.io cloud storage service as its C2 channel.
The implant supports both espionage and destructive tasking, including a wiper command that erases files under the %USERPROFILE% directory.
Mitigation steps:
Apply the Microsoft security updates for CVE-2026-21509 and CVE-2026-21513. Hunt for suspicious LNK files and macro-enabled Excel documents delivered by e-mail. Alert on COM hijacking, in particular new InprocServer32 values under per-user CLSID keys that point to user-writable paths, and on scheduled tasks created by Office processes or pointing into the user profile. Monitor DNS and proxy logs for Filen.io traffic from hosts and processes with no business need for it; Filen.io is a legitimate service, so baseline normal use before alerting. Treat PNG files written by Office processes or loaded by unexpected processes as candidate steganographic carriers. Strengthen e-mail security (attachment sandboxing, blocking macros in documents from the internet) to catch spear-phishing against government and NATO-related organisations.
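The monitoring points above (per-user COM hijack writes, scheduled tasks spawned from Office, PNG files dropped by Office, and Filen.io resolution from non-browser processes) expressed as detection logic over constructed Sysmon-style events. This is an added example and not code from Perceptive, The Hacker News or Trend Micro; the events, paths and CLSID are made up for illustration, the field names follow Sysmon event IDs 1, 11, 13 and 22, and the hostname gateway.filen.io is an assumption (the page names only the service). The COM-hijack rule keys on the T1546.015 mechanism: per-user CLSID registrations shadow HKLM ones for medium-integrity processes, so an InprocServer32 value in a user hive that points at a user-writable DLL is the core signal.

```python
"""Detection logic for the PRISMEX tradecraft described on this page, run over
constructed Sysmon-style events (added example; not vendor or researcher code)."""
import re

# --- Constructed sample telemetry ------------------------------------------
# One flat dict per event. "id" follows Sysmon event IDs: 1 process create,
# 11 file create, 13 registry value set, 22 DNS query. Paths, the CLSID and the
# "gateway.filen.io" hostname are made up for illustration.
USER = r"C:\Users\alice"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
STAGING = USER + r"\AppData\Roaming\Prism"
FAKE_CLSID = "{11111111-2222-3333-4444-555555555555}"


def clsid_value(hive, clsid):
    """Registry path of a CLSID's in-process server default value."""
    return hive + r"\Software\Classes\CLSID" + "\\" + clsid + r"\InprocServer32\(Default)"


SAMPLE_EVENTS = [
    {"id": 1, "image": OFFICE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"' + OFFICE + '" "' + USER + r'\Downloads\agenda.xlsm"'},
    {"id": 11, "image": OFFICE, "target": STAGING + r"\SplashScreen.png"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": OFFICE,
     "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "'
                + STAGING + r'\drop.exe"'},
    # Sysmon renders per-user hives as HKU\<SID>; this is the T1546.015 write.
    {"id": 13, "image": STAGING + r"\drop.exe",
     "target": clsid_value(r"HKU\S-1-5-21-1000-2000-3000-1001", FAKE_CLSID),
     "details": STAGING + r"\loader.dll"},
    {"id": 22, "image": r"C:\Windows\System32\rundll32.exe",
     "query": "gateway.filen.io"},
    # Benign noise the rules must leave alone.
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "filen.io"},
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": clsid_value("HKLM", FAKE_CLSID),
     "details": r"C:\Program Files\Vendor\vendor.dll"},
]

# --- Detection rules --------------------------------------------------------
USER_CLSID_RE = re.compile(
    r"^(HKU\\[^\\]+|HKCU)\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32\\",
    re.IGNORECASE)
USER_PATH_RE = re.compile(r"[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
OFFICE_RE = re.compile(r"\\(EXCEL|WINWORD|POWERPNT|OUTLOOK)\.EXE$", re.IGNORECASE)
BROWSER_RE = re.compile(r"\\(firefox|chrome|msedge|iexplore)\.exe$", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
# From this page's IOC list. Filen.io is a legitimate service, so the DNS rule
# only fires for non-browser processes and should be baselined per site.
C2_DOMAINS = ("filen.io", "wellnesscaremed.com")


def is_c2_domain(query):
    """True if the queried name is one of the C2 domains or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def detect(events):
    """Return one alert dict per matching event, in event order."""
    alerts = []
    for e in events:
        eid = e["id"]
        if eid == 13 and USER_CLSID_RE.match(e["target"]) \
                and USER_PATH_RE.match(e["details"]):
            alerts.append({"rule": "com_hijack_user_clsid",
                           "image": e["image"], "dll": e["details"]})
        elif eid == 1 and SCHTASKS_CREATE_RE.search(e["cmdline"]) and (
                OFFICE_RE.search(e["parent"]) or USER_PATH_RE.search(e["cmdline"])):
            alerts.append({"rule": "schtasks_persistence",
                           "parent": e["parent"], "cmdline": e["cmdline"]})
        elif eid == 11 and OFFICE_RE.search(e["image"]) \
                and e["target"].lower().endswith(".png"):
            alerts.append({"rule": "office_drops_png",
                           "image": e["image"], "file": e["target"]})
        elif eid == 22 and is_c2_domain(e["query"]) \
                and not BROWSER_RE.search(e["image"]):
            alerts.append({"rule": "cloud_c2_dns",
                           "image": e["image"], "query": e["query"]})
    return alerts


def rule_names(events):
    """Rule names fired by detect(), for quick inspection."""
    return [a["rule"] for a in detect(events)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints four alerts, one per malicious event, and nothing for the two benign events. Expect noise from the COM rule in real estates: products such as OneDrive and Teams legitimately register per-user COM servers under AppData, so whitelist by signer or path before paging on it.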
Affected products:
Microsoft Office
Microsoft Windows
Microsoft Outlook
Microsoft Shortcut (LNK) files
MSHTML
Related links:
https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html
https://www.trendmicro.com/en_us/research/26/c/pawn-storm-targets-govt-infra.html
https://thehackernews.com/2026/02/apt28-uses-microsoft-office-cve-2026.html
https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html
https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html
https://thehackernews.com/2025/09/russian-apt28-deploys-notdoor-outlook.html
https://attack.mitre.org/techniques/T1546/015/
Related CVEs:
CVE-2026-21509
CVE-2026-21513
Related threat actors:
APT28 (Forest Blizzard, Pawn Storm)
IOCs:
wellnesscaremed[.]com (domain)
SplashScreen.png (file name)
Filen.io cloud storage service (legitimate service abused for C2; not itself a malicious domain)
This article was created with the assistance of AI technology by Perceptive.
