April 29, 2026

Russia-linked APT28 uses PRISMEX to infiltrate Ukraine and allied infrastructure with advanced tactics

The article reports that Russia-linked APT28, also known as Fancy Bear and Pawn Storm, is running a spear-phishing campaign against Ukraine and allied organizations using a new malware suite called PRISMEX. Security Affairs says the operation has been active since September 2025 and is aimed at defense systems, military logistics, emergency services, hydrometeorology, and aid infrastructure tied to Ukraine and supporting countries such as Poland, Romania, and Slovakia. The attack chain reportedly begins with lures themed around military training, weather alerts, or weapons smuggling; when a victim opens the attached RTF file, the attackers exploit CVE-2026-21509 to trigger a connection to an attacker-controlled WebDAV server and retrieve a malicious LNK file, which may then use CVE-2026-21513 for further silent execution. The article stresses that Trend Micro believes the timing of domain registrations and exploit samples suggests the group had advance knowledge of vulnerability details before public disclosure.

The piece then focuses on PRISMEX itself, describing it as a modular toolkit built for stealth, persistence, and long-term espionage. Its components include PrismexDrop, PrismexLoader, and PrismexStager, which use COM hijacking, scheduled-task persistence, fileless in-memory execution, and a custom steganographic method called “Bit Plane Round Robin” to hide payloads inside image files. Security Affairs says the final stager abuses the encrypted cloud service Filen.io for command-and-control traffic, helping the malware blend into legitimate web communications and evade detection. The article presents the campaign as more than routine espionage: by targeting drone units, logistics networks, transport flows, and weather-related systems, APT28 is portrayed as seeking both intelligence and the ability to disrupt Ukraine’s defense supply chain and allied support infrastructure.

Source: https://securityaffairs.com/190510/apt/russia-linked-apt28-uses-prismex-to-infiltrate-ukraine-and-allied-infrastructure-with-advanced-tactics.html
