A recent campaign attributed to APT28 highlights an escalation in cyber operations targeting Ukraine and NATO-aligned sectors through the deployment of the PRISMEX malware suite. The campaign leverages rapid weaponization of zero-day vulnerabilities (CVE-2026-21509 and CVE-2026-21513), combining them into a multi-stage attack chain that enables stealthy initial access, persistent footholds, and covert command-and-control.
PRISMEX introduces advanced steganography techniques to conceal payloads within image files, alongside capabilities for both intelligence gathering and destructive operations. The targeting of defense, logistics, and critical infrastructure sectors indicates a broader strategic objective to disrupt supply chains and operational coordination. This underscores the need for accelerated patching, enhanced monitoring, and advanced detection mechanisms.
The campaign utilizes a multi-stage infection chain that combines CVE-2026-21509 and CVE-2026-21513 to establish initial access and execute malicious code with minimal user interaction. The first vulnerability forces the retrieval of a malicious LNK file, while the second bypasses Windows security controls to enable execution.
Initial delivery often involves spear-phishing emails containing weaponized Excel documents (PrismexSheet) embedded with VBA macros. These macros extract payloads hidden through steganography and establish persistence using COM hijacking.
The malware ecosystem includes multiple components such as PrismexDrop for environment preparation, PrismexLoader (PixyNetLoader) for reconstructing encrypted .NET payloads hidden within PNG files, and PrismexStager, a COVENANT-based implant enabling command-and-control via legitimate cloud services such as Filen.io.
The malware operates primarily in memory, leveraging scheduled tasks and DLL hijacking for persistence. It can deploy additional modules such as MiniDoor for email exfiltration or destructive payloads, enabling both espionage and system disruption. The details and technicalities of the attack campaign are discussed further
The campaign primarily relies on targeted spear-phishing emails that impersonate legitimate operational documents such as logistics data or inventory spreadsheets. Victims are encouraged to enable macros, triggering payload execution.
In parallel, attackers exploit CVE-2026-21509 to force systems to retrieve malicious LNK files, reducing reliance on user interaction and increasing infection success rates. The infection chain was identified as follows
PRISMEX demonstrates advanced evasion, persistence, and modular attack capabilities. A key feature is the use of steganography to conceal malicious payloads within image files, which are later reconstructed in memory using specialized extraction algorithms. This significantly reduces on-disk artifacts and evades traditional detection mechanisms.
Persistence is maintained through COM hijacking, DLL sideloading, and scheduled task execution, ensuring long-term access across system reboots. The malware leverages legitimate cloud platforms such as Filen.io for command-and-control, blending malicious traffic with normal network activity.
The modular architecture supports multiple post-exploitation capabilities including credential harvesting, email exfiltration, system reconnaissance, and lateral movement. Integration with the COVENANT framework enables flexible tasking and supports destructive operations such as file wiping, allowing attackers to transition between espionage and disruption objectives.
The activity is attributed to APT28, a state-aligned threat actor known for advanced cyber operations. The campaign builds on previously observed tools such as MiniDoor while integrating modern frameworks like COVENANT for enhanced post-exploitation capabilities.
The rapid weaponization of zero-day vulnerabilities prior to public disclosure suggests access to advanced research capabilities or privileged intelligence, indicating a shift toward more proactive and strategically aligned cyber operations.
The campaign has been active since at least September 2025 and targets a wide range of sectors across multiple regions. Primary targets include Ukrainian government entities, defense organizations, emergency services, and infrastructure-related agencies.
Secondary targeting extends to NATO-aligned countries including Poland, Romania, Slovenia, Turkey, Slovakia, and the Czech Republic, with a focus on logistics, transportation, and supply chain networks. This broad geographic scope reflects coordinated intelligence collection and disruption efforts across allied ecosystems.
The PRISMEX campaign represents a significant advancement in cyber threat capabilities, combining zero-day exploitation, steganography, and cloud-based command-and-control into a cohesive and highly adaptable attack framework.
The dual-use nature of the malware, supporting both intelligence collection and destructive actions, highlights the increasing convergence of espionage and disruption strategies. Organizations must strengthen detection, improve resilience, and adopt proactive defence measures to counter such evolving threats.
The campaign poses substantial risks to confidentiality, integrity, and availability. Organizations may experience sensitive data exfiltration, including defence and logistical intelligence, as well as operational disruption through destructive payloads.
The targeting of supply chains and critical infrastructure amplifies the broader geopolitical impact, potentially affecting coordination, delaying operations, and weakening response capabilities across allied networks.
https://www.trendmicro.com/en_us/research/26/c/pawn-storm-targets-govt-infra.html