The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a recent spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX.
“PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control,” Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara said in a technical report. The campaign is believed to have been active since at least September 2025.
The activity has targeted various sectors in Ukraine, including central government bodies, hydrometeorology, defense, and emergency services, as well as rail logistics (Poland), maritime and transportation (Romania, Slovenia, Turkey), logistical support partners involved in ammunition initiatives (Slovakia, Czech Republic), and military and NATO partners.
The campaign is notable for the rapid weaponization of newly disclosed flaws, such as CVE-2026-21509 and CVE-2026-21513, to breach targets of interest, with infrastructure preparation observed on January 12, 2026, exactly two weeks before the former was publicly disclosed.
In late February 2025, Akamai also disclosed that APT28 may have weaponized CVE-2026-21513 as a zero-day based on a Microsoft Shortcut (LNK) exploit that was uploaded to VirusTotal on January 30, 2026, well before the Windows maker pushed out a fix as part of its Patch Tuesday update on February 10, 2026.
This pattern of zero-day exploitation indicates that the threat actor had advance knowledge of the vulnerabilities before they were disclosed by Microsoft.
An interesting overlap between the campaigns exploiting the two vulnerabilities is the domain “wellnesscaremed[.]com.” This commonality, combined with the timing of the two exploits, has raised the possibility that the threat actors are chaining CVE-2026-21513 and CVE-2026-21509 into a sophisticated two-stage attack chain.
“The first vulnerability (CVE-2026-21509) forces the victim’s system to retrieve a malicious .LNK file, which then exploits the second vulnerability (CVE-2026-21513) to bypass security features and execute payloads without user warnings,” Trend Micro theorized.
The attacks culminate in the deployment of either MiniDoor, an Outlook email stealer, or a collection of interconnected malware components collectively referred to as PRISMEX, so named for its use of a steganographic technique to conceal payloads inside image files. These include –
- PrismexSheet, a malicious Excel dropper with VBA macros that extracts payloads embedded within the file using steganography, establishes persistence via COM hijacking, and displays a decoy document related to drone inventory lists and drone prices after macros are enabled.
- PrismexDrop, a native dropper that readies the environment for follow-on exploitation and uses scheduled tasks and COM DLL hijacking for persistence.
- PrismexLoader (aka PixyNetLoader), a proxy DLL that extracts the next-stage .NET payload scattered across a PNG image’s (“SplashScreen.png”) file structure using a bespoke “Bit Plane Round Robin” algorithm and runs it entirely in memory.
- PrismexStager, a COVENANT Grunt implant that abuses Filen.io cloud storage for C2.
It is worth mentioning here that some aspects of the campaign were previously documented by Zscaler ThreatLabz under the moniker Operation Neusploit.
APT28’s use of COVENANT, an open-source command-and-control (C2) framework, was first highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. PrismexStager is assessed to be an expansion of MiniDoor and NotDoor (aka GONEPOSTAL), a Microsoft Outlook backdoor deployed by the hacking group in late 2025.
In at least one incident in October 2025, the COVENANT Grunt payload was found to not only facilitate information gathering, but also run a destructive wiper command that erases all files under the “%USERPROFILE%” directory. This dual capability lends weight to the theory that these campaigns may be designed for both espionage and sabotage.
“This operation demonstrates that Pawn Storm remains one of the most aggressive Russia-aligned intrusion sets,” Trend Micro said. “The targeting pattern reveals a strategic intent to compromise the supply chain and operational planning capabilities of Ukraine and its NATO partners.”
“The strategic focus on targeting the supply chains, weather services, and humanitarian corridors supporting Ukraine represents a shift toward operational disruption that may presage more destructive actions.”