APT28 Deploys PRISMEX Malware Using Zero-Day Flaws Against Ukraine and NATO
A prolific Russia-aligned group tracked as APT28 has launched a new campaign that targets Ukraine and allied supply chains. Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara reported the activity and named the malware suite PRISMEX.
What researchers found
Trend Micro said PRISMEX blends advanced steganography, Component Object Model hijacking, and abuse of legitimate cloud services for command and control. “PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control,” the researchers wrote.
The campaign has been active since at least September 2025, Trend Micro added. The group targeted Ukrainian government and defense bodies, hydrometeorology services, and emergency services. The activity also reached logistics and transport partners in Poland, Romania, Slovenia, Slovakia, the Czech Republic, and Turkey.
How the attack chain works
Researchers at Trend Micro and Akamai outlined a multistage chain that begins with spear-phishing messages. The lure often uses realistic themes. Examples include hydrometeorological warnings and military training invites. Recipients are encouraged to open RTF documents that trigger exploitation.
Trend Micro analyzed two Windows flaws tied to the campaign: CVE-2026-21509 and CVE-2026-21513. They reported that infrastructure preparation for CVE-2026-21509 began on January 12, 2026, two weeks before public disclosure. Akamai researchers said an exploit for CVE-2026-21513 appeared on VirusTotal on January 30, 2026, and that Microsoft did not patch the issue until February 10, 2026. Akamai noted the timing indicates in-the-wild zero-day exploitation.
The likely delivery chain forces a victim to fetch a malicious .LNK file via a WebDAV server, then uses the LNK to trigger MSHTML logic to execute payloads without user prompts. Akamai reported that related exploit samples communicated with a domain used across campaigns, suggesting a possible two-stage linkage.
PRISMEX components
- PrismexSheet is an Excel dropper with VBA macros. Trend Micro found it embeds payloads inside the workbook using steganography and creates persistence via COM hijacking.
- PrismexDrop is a native dropper that prepares disk artifacts, schedules tasks, and registers proxy DLLs for persistence, Trend Micro said.
- PrismexLoader is a proxy DLL that reconstructs a .NET payload from a PNG image. Trend Micro described a bespoke Bit Plane Round Robin algorithm that scatters bits across the image.
- PrismexStager is a Covenant Grunt stage that abuses the Filen.io cloud storage service for C2, according to Trend Micro.
Trend Micro noted the Bit Plane Round Robin method matches code from a previous Pawn Storm campaign in 2025, which helps link the activity to the same developer unit.
Broader context and prior reporting
CERT-UA first highlighted APT28 use of the Covenant framework in mid-2025, and Zscaler ThreatLabz documented related activity under Operation Neusploit. Trend Micro said the new PRISMEX work appears to expand a set of Outlook-focused backdoors known as MiniDoor and NotDoor. Zscaler and CERT-UA provided complementary reporting, Trend Micro added.
Akamai connected the CVE-2026-21513 exploit sample to infrastructure used by the CVE-2026-21509 campaign. Akamai said that correlation points to rapid weaponization of newly disclosed flaws by the threat actor.
Why defenders should care
Trend Micro warned that the campaign mixes espionage and potential sabotage. “This operation demonstrates that Pawn Storm remains one of the most aggressive Russia-aligned intrusion sets,” the company said. The researchers said they observed a Covenant Grunt instance that had both data-collection tasks and a destructive wiper command that erased user profile files in one incident.
Defenders should prioritize patching both CVE-2026-21509 and CVE-2026-21513. Trend Micro and Akamai recommend blocking non-essential cloud storage services at the perimeter, restricting macros from internet-sourced Office files, and auditing HKCU\Software\Classes\CLSID entries for suspicious COM object paths.
In addition, monitoring for in-memory CLR hosting inside trusted native processes such as explorer.exe, and enabling detailed ETW and .NET runtime logging, will help detect loaders that never touch disk, Trend Micro advised.
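The COM-hijacking audit recommended above, as an added PowerShell example that is not code from Trend Micro, Akamai, or the reporting on PRISMEX: it walks HKCU\Software\Classes\CLSID and flags server entries that shadow a machine-wide CLSID, point into user-writable directories, or reference a file that no longer exists. The function name, the directory heuristics, and the "shadows HKLM" check are my own assumptions about what a reviewer wants surfaced, not indicators from the campaign.

```powershell
# Added example, not from the original report. Run in the user session being audited.
# Heuristics (user-writable roots, HKLM shadowing) are assumptions; findings need review.
$suspiciousRoots = @(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    $env:TEMP, $env:ProgramData, $env:USERPROFILE
) | Where-Object { $_ }

function Get-HkcuComHijackCandidates {
    $findings = @()
    $clsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $clsidRoot)) { return $findings }

    foreach ($clsidKey in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverSub in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$($clsidKey.PSPath)\$serverSub"
            if (-not (Test-Path $serverKey)) { continue }
            $raw = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $raw) { continue }
            # Strip a quoted command line down to its executable/DLL, then expand %VARS%.
            $candidate = if ($raw.StartsWith('"')) { ($raw -split '"')[1] } else { $raw }
            $path = [Environment]::ExpandEnvironmentVariables($candidate)
            $reasons = @()
            # HKCU takes precedence over HKLM, so a per-user copy of a
            # machine-wide CLSID is the classic hijack shape.
            if (Test-Path "HKLM:\Software\Classes\CLSID\$clsid\$serverSub") { $reasons += 'shadows HKLM' }
            foreach ($root in $suspiciousRoots) {
                if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "user-writable ($root)"; break
                }
            }
            # Bare names like "combase.dll" resolve via the loader search path; only
            # check existence when an explicit directory is given.
            if ($path -match '\\' -and -not (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue)) {
                $reasons += 'missing file'
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    CLSID = $clsid; Server = $serverSub; Path = $path; Reasons = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

Get-HkcuComHijackCandidates | Format-Table -AutoSize
```

A legitimate per-user install can also shadow an HKLM CLSID, so treat "shadows HKLM" on its own as a lead to verify against the file's signature and install source, and give the most weight to entries that also land in a user-writable directory.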
Reporting on this campaign is ongoing. Trend Micro, Akamai, CERT-UA, and Zscaler continue to publish indicators of compromise and hunting guidance as they investigate.