Ethical Hacking News
APT28's Operation Prismex: The Sophisticated Russian Espionage Campaign Targeting Ukraine and NATO Allies
In this in-depth article, we explore the details of APT28's Operation Prismex, a complex spear-phishing campaign targeting Ukraine and its allies. Learn how APT28 has utilized zero-day exploits and developed a previously undocumented malware suite known as PRISMEX to compromise supply chains and disrupt operations.
A new spear-phishing campaign, Operation Prismex, has been attributed to the Russian threat actor APT28 (also tracked as Forest Blizzard and Pawn Storm) and targets Ukraine and its allies. The campaign is believed to have started in September 2025 and has used the newly disclosed vulnerabilities CVE-2026-21509 and CVE-2026-21513 as zero-days. A previously undocumented malware suite, PRISMEX, combines steganography, COM hijacking, and abuse of a legitimate cloud storage service for command-and-control. Intrusions end in the deployment of either MiniDoor, an Outlook email stealer, or the interconnected PRISMEX components. APT28 has also been using the COVENANT framework, first highlighted by Ukraine's CERT-UA in June 2025, for espionage and, in at least one case, sabotage. The targeting pattern suggests a strategic intent to compromise the supply chain and operational planning capabilities of Ukraine and its NATO partners.
Researchers have flagged a new, highly targeted spear-phishing campaign by the Russian threat actor APT28 (also known as Forest Blizzard and Pawn Storm). The operation, dubbed Operation Prismex, is linked to a fresh wave of attacks on Ukraine and its allies whose end goal is the deployment of a previously undocumented malware suite. This article walks through the campaign's tactics and what they mean for defenders.
The campaign is believed to have been active since at least September 2025, with various sectors in Ukraine, including central executive bodies, hydrometeorology, defense, and emergency services, being targeted. Additionally, rail logistics (Poland), maritime and transportation (Romania, Slovenia, Turkey), and logistical support partners involved in ammunition initiatives (Slovakia, Czech Republic), as well as military and NATO partners, have also been targeted by the threat actors.
What sets this campaign apart from previous attacks is the rapid weaponization of the newly disclosed flaws CVE-2026-21509 and CVE-2026-21513. These vulnerabilities were identified in a Microsoft Shortcut (LNK) exploit that was uploaded to VirusTotal on January 30, 2026, eleven days before Microsoft shipped a fix in its Patch Tuesday update on February 10, 2026.
An exploit in circulation before a fix exists is, by definition, a zero-day, and the timeline shows APT28 using the flaws while every target was still unpatched. What the sample alone does not establish is how the group obtained them, whether through its own vulnerability research or from a third party. The practical consequence for defenders is a window in which being fully patched was not a defense, which is why detecting the post-exploitation chain described below matters as much as patching.
Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara have been analyzing the campaign, which led to the discovery of a previously undocumented malware suite codenamed PRISMEX. The suite combines steganography, Component Object Model (COM) hijacking, and abuse of a legitimate cloud storage service for command-and-control.
The attacks culminate in the deployment of either MiniDoor, an Outlook email stealer, or a collection of interconnected components collectively known as PRISMEX. PrismexSheet is a malicious Excel dropper whose VBA macros extract payloads hidden in the workbook by steganography. Prismedrop is a native dropper that prepares the environment for the follow-on stages and persists through scheduled tasks and COM DLL hijacking. PrismexLoader (aka PixyNetLoader) is a proxy DLL that recovers the next-stage .NET payload scattered across the structure of a PNG image ("SplashScreen.png") using a bespoke "Bit Plane Round Robin" algorithm and runs it entirely in memory. PrismexStager is a COVENANT Grunt implant that abuses Filen.io cloud storage for C2.
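The scattering described for PrismexLoader is easier to reason about with a working model. The Python below is an added example written for this article, not PRISMEX code or Trend Micro's analysis tooling. It implements a generic bit-plane round-robin embed and extract over a synthetic 8-bit pixel array (the real "Bit Plane Round Robin" layout and the length-prefixed carrier format are assumptions; only the algorithm's name is public on this page) and then scores the compressibility of each bit plane, which is the check a hunter can run over a suspect image's decoded pixels, because an extractor that reads only the lowest plane misses a payload spread across several.

```python
"""Bit-plane round-robin steganography: embed, extract, and a per-plane
compressibility check. Added illustration of the technique class; the exact
layout of PRISMEX's "Bit Plane Round Robin" routine is an assumption here."""
import random
import zlib
from typing import List

HEADER_BITS = 32  # assumed carrier format: 32-bit big-endian payload length, then payload


def _to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def _from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed(pixels: List[int], payload: bytes, planes: int = 4) -> List[int]:
    """Write bit j of (header + payload) into bit plane (j % planes) of pixel j.
    A tool that dumps only plane 0 of consecutive pixels sees one bit in four."""
    bits = _to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(pixels):
        raise ValueError(f"cover holds {len(pixels)} bits, payload needs {len(bits)}")
    out = list(pixels)
    for j, bit in enumerate(bits):
        plane = j % planes
        out[j] = (out[j] & ~(1 << plane)) | (bit << plane)
    return out


def extract(pixels: List[int], planes: int = 4) -> bytes:
    """Inverse of embed(). Rejects covers whose header claims more bits than exist."""
    def bit_at(j: int) -> int:
        return (pixels[j] >> (j % planes)) & 1

    length = int.from_bytes(_from_bits([bit_at(j) for j in range(HEADER_BITS)]), "big")
    total = HEADER_BITS + length * 8
    if total > len(pixels):
        raise ValueError("header length exceeds cover capacity; not a carrier in this format")
    return _from_bits([bit_at(j) for j in range(HEADER_BITS, total)])


def plane_compressibility(pixels: List[int], plane: int) -> float:
    """Ratio of zlib-compressed to raw size for one bit plane packed as bytes.
    Structured planes compress well (low ratio); planes carrying ciphertext or
    packed code do not, so an outlier among the low planes is worth a look."""
    bits = [(p >> plane) & 1 for p in pixels]
    raw = _from_bits(bits[: len(bits) - len(bits) % 8])
    return len(zlib.compress(raw, 9)) / len(raw)


def demo():
    """Constructed data: a periodic 8-bit cover and a pseudo-random 256-byte payload
    standing in for a packed .NET blob. Returns (round_trip_ok, scores_before, scores_after)."""
    cover = [(i * 7) % 256 for i in range(4096)]
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(256))
    stego = embed(cover, payload)
    before = [plane_compressibility(cover, p) for p in range(8)]
    after = [plane_compressibility(stego, p) for p in range(8)]
    return extract(stego) == payload, before, after


if __name__ == "__main__":
    ok, before, after = demo()
    print("round trip:", ok)
    for p in range(8):
        print(f"plane {p}: before {before[p]:.3f}  after {after[p]:.3f}")
```

To run the compressibility check on a real file, decode it to a flat pixel list first (for example with Pillow, `list(Image.open(path).convert("L").getdata())`). The low planes of a photograph are much noisier than the synthetic cover here, so compare planes against each other and against a known-clean copy of the same asset rather than against a fixed threshold; a splash-screen image shipped with legitimate software is exactly the kind of baseline that makes a modified copy stand out.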
Furthermore, APT28 has been utilizing the COVENANT framework, which was first highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. PrismexStager is assessed to be an expansion of MiniDoor and NotDoor (aka GONEPOSTAL), a Microsoft Outlook backdoor deployed by the hacking group in late 2025.
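Prismedrop's COM DLL hijacking persistence, described above, relies on a per-user registration under HKCU\Software\Classes\CLSID taking precedence over the machine-wide one under HKLM when a non-elevated process resolves the CLSID, so a hunt for it is a comparison of the two hives. The Python below is an added example for this article, not code from the campaign or from any vendor report. It parses .reg exports of both hives (the sample exports, CLSIDs and paths are constructed) and flags per-user InprocServer32 or LocalServer32 entries that shadow a machine registration or load from a path a standard user can write to.

```python
"""Hunt for per-user COM server registrations that shadow machine-wide ones.
Added example for this article; the .reg exports, CLSIDs and paths below are
constructed, not indicators from the campaign."""
import re
from typing import Dict, List, Tuple

# Key lines of a .reg export for the COM server subkeys we care about.
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Prefixes treated as not writable by a standard user. Anything else is suspect.
SYSTEM_PREFIXES = (
    "c:\\windows\\", "%systemroot%\\", "%windir%\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Map (hive, clsid) -> server path for InprocServer32/LocalServer32 default values.
    .reg values double their backslashes; key names do not."""
    servers: Dict[Tuple[str, str], str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1).upper(), m.group(2).upper())
            continue
        if line.startswith("["):        # some other key: stop collecting
            current = None
            continue
        v = DEFAULT_VALUE_RE.match(line)
        if v and current:
            servers[current] = v.group(1).replace("\\\\", "\\")
    return servers


def _user_writable(path: str) -> bool:
    return not path.strip('"').lower().startswith(SYSTEM_PREFIXES)


def find_com_hijacks(hklm: Dict[Tuple[str, str], str],
                     hkcu: Dict[Tuple[str, str], str]) -> List[dict]:
    """HKCU\\Software\\Classes is merged over HKLM\\Software\\Classes when a
    non-elevated process resolves a CLSID, so a per-user entry wins. Severity:
    high   = shadows a machine registration and loads from a user-writable path
    medium = shadows a machine registration from a system path
    low    = no machine counterpart but loads from a user-writable path"""
    machine = {clsid: path for (hive, clsid), path in hklm.items() if hive == "HKEY_LOCAL_MACHINE"}
    findings = []
    for (hive, clsid), path in hkcu.items():
        if hive != "HKEY_CURRENT_USER":
            continue
        shadows, writable = clsid in machine, _user_writable(path)
        if shadows and writable:
            severity = "high"
        elif shadows:
            severity = "medium"
        elif writable:
            severity = "low"
        else:
            continue
        findings.append({"clsid": clsid, "severity": severity,
                         "user_path": path, "machine_path": machine.get(clsid)})
    return sorted(findings, key=lambda f: f["clsid"])


# Constructed sample exports (what `reg export HKLM\Software\Classes\CLSID hklm.reg`
# and the HKCU equivalent would produce, trimmed to the relevant keys).
SAMPLE_HKLM = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Shell Extension"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"
'''

SAMPLE_HKCU = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Programs\\NoteTaker\\ext.dll"
'''


def demo() -> List[dict]:
    return find_com_hijacks(parse_reg_export(SAMPLE_HKLM), parse_reg_export(SAMPLE_HKCU))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['clsid']}: {f['user_path']} (machine: {f['machine_path']})")
```

On a live host, produce the inputs with `reg export "HKLM\Software\Classes\CLSID" hklm.reg` and `reg export "HKCU\Software\Classes\CLSID" hkcu.reg` (the files are UTF-16, so read them with `encoding="utf-16"`), and run the export for every loaded user hive, not just the current one. Two caveats: the 32-bit view under Wow6432Node and the TreatAs subkey are further hijack points this check does not cover, and elevated processes ignore per-user COM registrations, so a hit here means persistence in the user's own session rather than a path to SYSTEM.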
In at least one incident, the COVENANT Grunt payload was found not only to facilitate information gathering but also to run a destructive wiper command that erases all files under the "%USERPROFILE%" directory. This dual capability lends weight to the hypothesis that these campaigns are designed for both espionage and sabotage.
The targeting pattern of APT28 reveals a strategic intent to compromise the supply chain and operational planning capabilities of Ukraine and its NATO partners. The attacks have also been observed targeting weather services and humanitarian corridors supporting Ukraine, which represents a shift toward operational disruption that may presage more destructive activities.
Operation Prismex shows APT28 combining rapid zero-day weaponization, layered persistence, and cloud-hosted C2 in a single campaign, with a wiper capability sitting beside the espionage tooling. Defenders in the targeted sectors should confirm the fixes for CVE-2026-21509 and CVE-2026-21513 are deployed, hunt for per-user COM registrations and scheduled tasks that load DLLs from user-writable paths, treat macro-enabled Excel attachments and unexpected traffic to consumer cloud storage services such as Filen.io as worth inspecting, and make sure user profile data is backed up given the observed wiper command.
Related Information:
https://www.ethicalhackingnews.com/articles/Apt28s-Operation-Prismex-The-Sophisticated-Russian-Espionage-Campaign-Targeting-Ukraine-and-NATO-Allies-ehn.shtml
https://thehackernews.com/2026/04/apt28-deploys-prismex-malware-in.html
https://www.youtube.com/watch?v=TRk-e3n6Zng
https://nvd.nist.gov/vuln/detail/CVE-2026-21509
https://www.cvedetails.com/cve/CVE-2026-21509/
https://nvd.nist.gov/vuln/detail/CVE-2026-21513
https://www.cvedetails.com/cve/CVE-2026-21513/
https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html
https://www.malwarebytes.com/blog/news/2026/04/russian-state-sponsored-hackers-hijack-home-and-small-office-routers-for-espionage
https://cyberscoop.com/forest-blizzard-apt28-routers-espionage-campaign-operation-masquerade/
https://www.trendmicro.com/en/research/26/c/pawn-storm-targets-govt-infra.html
https://www.darkreading.com/vulnerabilities-threats/apt-group-pawn-storm-ratchets-up-attacks
https://thehackernews.com/2026/02/apt28-uses-microsoft-office-cve-2026.html
https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit
https://thehackernews.com/2025/09/russian-apt28-deploys-notdoor-outlook.html
https://cyberwebspider.com/the-hacker-news/russian-apt28-deploys-notdoor-outlook-backdoor-against-companies-in-nato-countries/
Published: Wed Apr 8 11:45:58 2026 by llama3.2 3B Q4_K_M