May 12, 2026
The article reports that APT28, the Russian state-linked group also known as Forest Blizzard and Pawn Storm, has been running a spear-phishing campaign against Ukraine and allied countries to deploy a newly identified malware suite called PRISMEX. According to The Hacker News, the operation has been active since at least September 2025 and has targeted Ukrainian government, hydrometeorological, defense, and emergency-service bodies, as well as a wider ring of logistics, maritime, transport, and military-related organizations in countries including Poland, Romania, Slovenia, Turkey, Slovakia, and the Czech Republic. The piece highlights the attackers’ rapid weaponization of newly disclosed vulnerabilities, especially CVE-2026-21509 and CVE-2026-21513, with evidence suggesting that infrastructure was prepared even before public disclosure. Trend Micro researchers quoted in the article say the two flaws may be chained together: one forces a victim system to retrieve a malicious LNK file, and the second helps bypass security prompts so the malware executes.
The second half of the article focuses on PRISMEX as a modular and stealth-oriented malware framework. Its components include PrismexSheet, an Excel-based dropper using VBA macros and steganography; PrismexDrop, which prepares the victim environment and establishes persistence; PrismexLoader, which reconstructs a hidden .NET payload from a PNG image using a custom “Bit Plane Round Robin” method and runs it in memory; and PrismexStager, a COVENANT Grunt implant that uses the cloud service Filen.io for command-and-control. The article says some incidents instead ended with MiniDoor, an Outlook email stealer, and notes that at least one October 2025 case included a destructive wiper command that erased files in the user profile directory. The broader conclusion is that this is not just a conventional espionage campaign: by targeting supply chains, weather services, transport networks, and humanitarian support channels linked to Ukraine, APT28 appears to be seeking both intelligence and the ability to disrupt operational planning across Ukraine and its NATO partners.
Source: https://thehackernews.com/2026/04/apt28-deploys-prismex-malware-in.html