
A new spear-phishing campaign targeting Ukraine and its allies has been attributed to the Russian threat actor known as APT28 (also tracked as Forest Blizzard and Pawn Storm). The campaign introduces a previously undocumented malware suite codenamed PRISMEX.
“PRISMEX combines advanced steganography, Component Object Model (COM) hijacking, and legitimate cloud service exploitation for command and control,” Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara said in a technical report. This campaign is believed to have been active since at least September 2025.
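The COM hijacking named in the quote above works because a CLSID registered under HKCU\Software\Classes\CLSID is consulted before the machine-wide HKLM copy when a non-elevated process instantiates that class, so an attacker can redirect a legitimate class to a DLL in a user-writable directory without administrative rights. The following triage script is an added example, not code from the Trend Micro report or from PRISMEX: it parses the text output of `reg query <key> /s` for both hives and flags per-user registrations that shadow a machine-wide one or point into user-writable paths. The sample dumps, GUIDs, user name and file paths are constructed placeholders.

```python
r"""Triage per-user COM server registrations for signs of COM hijacking.

Added example, not code from the Trend Micro report or from PRISMEX. Input is
the plain text that `reg query <key> /s` prints. The sample dumps below are
constructed; every GUID, user name and path in them is a placeholder.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\\S.*)$")
VALUE_RE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
SERVER_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\(InprocServer32|LocalServer32)$", re.I)

# Trees an unprivileged user cannot write to (after variable expansion) ...
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# ... except these user-writable carve-outs inside them.
WRITABLE_EXCEPTIONS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")
VAR_MAP = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows", "%programfiles%": "c:\\program files"}


def parse_reg_query(dump: str) -> dict[str, dict[str, str]]:
    """Map each key path to {value name: data}; '(Default)' holds the server path."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in dump.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).rstrip("\\")
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, _reg_type, data = val.groups()
            keys[current][name] = data.strip()
    return keys


def _server_path(raw: str) -> str:
    """Normalise a (Default) value to a lowercase binary path: unquote, drop args, expand vars."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        raw = raw[1:end] if end > 0 else raw[1:]
    path = raw.lower()
    for var, real in VAR_MAP.items():
        path = path.replace(var, real)
    return path


def _user_writable(path: str) -> bool:
    return path.startswith(WRITABLE_EXCEPTIONS) or not path.startswith(TRUSTED_PREFIXES)


@dataclass
class Finding:
    clsid: str
    server_key: str          # InprocServer32 (DLL) or LocalServer32 (EXE)
    user_path: str
    machine_path: Optional[str]
    shadows_hklm: bool
    reasons: list[str]

    @property
    def severity(self) -> str:
        return "high" if self.shadows_hklm else "medium"


def _servers(keys: dict[str, dict[str, str]]) -> dict[tuple[str, str], str]:
    out = {}
    for key, values in keys.items():
        m = SERVER_RE.search(key)
        if m and "(Default)" in values:
            out[(m.group(1).upper(), m.group(2).lower())] = _server_path(values["(Default)"])
    return out


def find_com_hijacks(hkcu: dict[str, dict[str, str]], hklm: dict[str, dict[str, str]]) -> list[Finding]:
    """Return suspicious HKCU COM servers, highest severity first."""
    machine = _servers(hklm)
    findings = []
    for (clsid, server), user_path in _servers(hkcu).items():
        machine_path = machine.get((clsid, server))
        shadows = machine_path is not None and machine_path != user_path
        reasons = []
        if shadows:
            reasons.append("HKCU entry shadows a machine-wide registration of the same CLSID")
        if _user_writable(user_path):
            reasons.append("server binary lives in a user-writable location")
        if reasons:
            findings.append(Finding(clsid, server, user_path, machine_path, shadows, reasons))
    return sorted(findings, key=lambda f: 0 if f.severity == "high" else 1)


SAMPLE_HKLM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\placeholder.dll
    ThreadingModel    REG_SZ    Both
"""

SAMPLE_HKCU = r"""
HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32
    (Default)    REG_SZ    C:\Users\analyst\AppData\Roaming\Microsoft\Vault\update.dll
    ThreadingModel    REG_SZ    Both

HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\LocalServer32
    (Default)    REG_SZ    "C:\Users\analyst\AppData\Local\Programs\PerUserApp\app.exe" /embedding

HKEY_CURRENT_USER\Software\Classes\CLSID\{99999999-8888-7777-6666-555555555555}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\Vendor\helper.dll
"""


def demo_findings() -> list[Finding]:
    """Run the triage over the constructed dumps."""
    return find_com_hijacks(parse_reg_query(SAMPLE_HKCU), parse_reg_query(SAMPLE_HKLM))


if __name__ == "__main__":
    for f in demo_findings():
        print(f.severity, f.clsid, f.server_key, f.user_path, "|", "; ".join(f.reasons))
```

The "medium" findings are a triage list, not a verdict: legitimately per-user installed applications also register COM servers under %LOCALAPPDATA%. The high-confidence signal is a HKCU entry whose CLSID already exists in HKLM with a different binary, which is exactly what hijacking a system class looks like. On a live host, feed the script `reg query HKCU\Software\Classes\CLSID /s` and `reg query HKLM\SOFTWARE\Classes\CLSID /s` output from each user profile of interest.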
The operation targets several sectors in Ukraine, including central government, hydrometeorology, defense and emergency services, as well as railway logistics in Poland, maritime and transport entities in Romania, Slovenia and Turkey, logistics partners involved in ammunition programs in Slovakia and the Czech Republic, and military and NATO partners.
The campaign is notable for how quickly it weaponized newly disclosed flaws such as CVE-2026-21509 and CVE-2026-21513 to compromise targets of interest. Infrastructure preparation was observed on January 12, 2026, two weeks before the former was publicly disclosed.
Separately, in late February 2026, Akamai reported that CVE-2026-21513 had likely been exploited as a zero-day by APT28: a Windows Shortcut (LNK) exploit for the flaw was uploaded to VirusTotal on January 30, 2026, well before Microsoft shipped a fix as part of its February 10, 2026 Patch Tuesday update.
This pattern of zero-day exploitation indicates that the attackers had knowledge of the vulnerability before Microsoft disclosed it.
An interesting overlap between the campaigns exploiting the two vulnerabilities is their shared use of the ‘wellnesscaremed’ domain. This commonality, combined with the timing of the two exploits, raises the possibility that the attackers are chaining CVE-2026-21513 and CVE-2026-21509 into a two-step attack.
“The first vulnerability (CVE-2026-21509) forces the victim’s system to retrieve a malicious .LNK file, which is then exploited by the second vulnerability (CVE-2026-21513) to bypass security features and execute the payload without user warning,” Trend Micro theorizes.
The attack culminates in the deployment of MiniDoor, an Outlook email stealer, alongside a set of interconnected malware components collectively tracked as PRISMEX, a name derived from its use of steganography to hide payloads within image files. These include –
- PrismexSheet, a malicious Excel dropper whose VBA macro uses steganography to extract a payload embedded in the file, establishes persistence through COM hijacking and, once the macro is enabled, displays a decoy document relating to a drone inventory list and drone prices.
- PrismexDrop, a native dropper that prepares the environment for the later stages of the intrusion and uses scheduled tasks and COM DLL hijacking for persistence.
- PrismexLoader (also known as PixyNetLoader), a proxy DLL that uses a custom “bit plane round robin” algorithm to extract next-stage .NET payloads scattered through the structure of a PNG image (“SplashScreen.png”) and executes them entirely in memory.
- PrismexStager, a COVENANT Grunt implant that abuses the Filen.io cloud storage service for command and control.
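The report describes PrismexLoader's steganography only as a custom “bit plane round robin” algorithm over a PNG, and the actual scheme is not published in the article. The code below is an added example, not PRISMEX code or Trend Micro's, showing one generic reading of that phrase: each payload bit is written to the next cover sample, and the target bit plane rotates through planes 0..planes-1, so a decoder that assumes plain least-significant-bit hiding reads garbage. It operates on a raw 8-bit-per-sample buffer (what a decoded RGB PNG yields) so it runs without an image library; the cover and payload are constructed stand-ins.

```python
"""Bit-plane round-robin steganography: encoder and matching decoder.

Added example, not code from PRISMEX or the Trend Micro report. One generic
reading of "bit plane round robin": payload bit i lands in cover sample i, at
bit plane i % planes. The cover is a constructed stand-in for decoded image
samples; the payload is a constructed stand-in for a second-stage blob.
"""
import random
import struct
from typing import Iterator

HEADER = 4  # big-endian payload length prefix, in bytes


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes, planes: int = 3) -> bytes:
    """Hide payload in cover, one bit per sample, cycling the target bit plane 0..planes-1."""
    if not 1 <= planes <= 8:
        raise ValueError("planes must be between 1 and 8")
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload needs {len(framed)}")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        plane = i % planes
        out[i] = (out[i] & ~(1 << plane)) | (bit << plane)
    return bytes(out)


def extract(stego: bytes, planes: int = 3) -> bytes:
    """Reverse embed(): read the length header, then that many payload bytes."""
    if not 1 <= planes <= 8:
        raise ValueError("planes must be between 1 and 8")

    def read(start_bit: int, count: int) -> bytes:
        if start_bit + count * 8 > len(stego):
            raise ValueError("stego buffer too short for the declared payload")
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                i = start_bit + b * 8 + k
                value = (value << 1) | ((stego[i] >> (i % planes)) & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read(0, HEADER))
    return read(HEADER * 8, length)


def max_sample_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change introduced by embedding; bounded by 2 ** (planes - 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(samples: int, seed: int = 1) -> bytes:
    """Constructed stand-in for decoded image samples, deterministic for the demo."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(samples))


DEMO_PAYLOAD = b"constructed stand-in for a .NET stage; not real malware"


def roundtrip(planes: int = 3) -> tuple:
    """Embed DEMO_PAYLOAD into a constructed cover; return (recovered bytes, max sample delta)."""
    cover = make_cover(4096)
    stego = embed(cover, DEMO_PAYLOAD, planes)
    return extract(stego, planes), max_sample_delta(cover, stego)


if __name__ == "__main__":
    recovered, delta = roundtrip()
    print(recovered.decode(), "| max per-sample change:", delta)
```

The trade-off the scheme makes is visible in `max_sample_delta`: with `planes=1` it degenerates to classic LSB hiding (each sample changes by at most 1), while higher planes perturb samples more but spread the payload so that LSB-only statistical detectors and extractors miss most of it. In an investigation, the loader itself (here, the proxy DLL) is the place to recover the plane count and ordering, since a decoder with the wrong parameters yields a nonsense length header.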
It’s worth mentioning here that some aspects of this campaign were previously documented by Zscaler ThreatLabz under the name Operation Neusploit.
APT28’s use of COVENANT, an open source command and control (C2) framework, was first noted by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. PrismexStager is assessed to be an extension of MiniDoor and NotDoor (also known as GONEPOSTAL), Microsoft Outlook backdoors deployed by the hacking group in late 2025.
In at least one incident in October 2025, the COVENANT Grunt payload was found to not only facilitate information collection but also execute a destructive wiper command that erased all files under the “%USERPROFILE%” directory. This dual functionality lends weight to the hypothesis that these campaigns may be designed for both espionage and sabotage purposes.
“This operation demonstrates that Pawn Storm remains one of the most aggressive Russian-aligned intrusion sets,” Trend Micro said. “This targeting pattern reveals a strategic intent to compromise the supply chain and operational planning capabilities of Ukraine and its NATO partners.”
“The strategic focus on targeting supply chains, weather services, and humanitarian corridors supporting Ukraine represents a shift toward operational disruption that portends more destructive activities.”
