Russian APT28 Deploys 'PRISMEX' Malware in Spear-Phishing Campaign Targeting Ukraine and NATO Nations

APT28 Unleashes New 'PRISMEX' Malware on Ukraine and NATO Allies

Severity: HIGH
Published: April 8, 2026
Updated: April 28, 2026
Categories: Threat Actor, Malware, Cyberattack

Related Entities (initial)

Threat Actors: APT28, Forest Blizzard, Pawn Storm

Organizations: Microsoft, Trend Micro

Other: Czech Republic, NATO, PRISMEX, Poland, Romania, Slovakia, Slovenia, Turkey, Ukraine

Full Report (when first published)

Executive Summary

Researchers at Trend Micro have identified a new, sophisticated malware suite named PRISMEX, which is being deployed by the Russian state-sponsored threat actor APT28 (also known as Forest Blizzard and Pawn Storm). The ongoing spear-phishing campaign, active since at least September 2025, is focused on espionage against Ukraine and its NATO allies. Targets include central government bodies, defense organizations, and critical transportation and logistics entities in Ukraine, Poland, Romania, Slovenia, Turkey, Slovakia, and the Czech Republic. The PRISMEX malware is notable for its advanced feature set, which includes the use of steganography to conceal malicious code within image files, Component Object Model (COM) hijacking for persistence, and the abuse of cloud services for command-and-control (C2). The campaign also highlights APT28's agility in weaponizing vulnerabilities, including the potential zero-day exploitation of CVE-2026-21513.


Threat Overview

This campaign is a continuation of APT28's long-standing mission to conduct espionage in support of Russian strategic interests. The primary delivery vector is spear-phishing emails tailored to the target organizations. The goal is to deploy the PRISMEX malware suite, which acts as a versatile toolkit for long-term intelligence gathering. The selection of targets—defense, government, and logistics in countries supporting Ukraine—clearly indicates that the campaign's objective is to gather intelligence on military movements, government policies, and logistical supply chains. The use of advanced evasion techniques suggests that the attackers are targeting mature organizations with established security defenses and are investing significant resources to remain undetected.


Technical Analysis

The PRISMEX malware suite and associated TTPs demonstrate a high level of sophistication:

  • Initial Access: The campaign likely begins with spear-phishing emails containing malicious links or attachments that exploit vulnerabilities such as CVE-2026-21509 or CVE-2026-21513 (a Microsoft Shortcut LNK flaw).
  • Defense Evasion (Steganography): T1001.002 - Steganography: PRISMEX hides its malicious payloads within seemingly benign image files (e.g., .png, .jpg). The malware downloads these images from a C2 server and then extracts and executes the hidden code. This allows the malicious content to bypass simple network-based content filters.
  • Persistence (COM Hijacking): T1546.015 - Component Object Model Hijacking: The malware establishes persistence by hijacking COM objects. It modifies registry keys associated with legitimate COM objects to point to the malicious PRISMEX DLL. When a legitimate application or the OS attempts to use the hijacked COM object, the malware is executed instead.
  • Command and Control: T1102 - Web Service: The attackers abuse legitimate cloud services for C2 communication, blending their malicious traffic with normal network activity to evade detection.
  • Rapid Vulnerability Weaponization: APT28 demonstrated the ability to quickly operationalize newly disclosed vulnerabilities. They were also observed potentially using CVE-2026-21513 as a zero-day, with an exploit appearing on VirusTotal weeks before Microsoft released a patch.

Impact Assessment

A successful compromise by PRISMEX would grant APT28 a persistent foothold inside highly sensitive government and military-related networks. The potential impact includes:

  • Strategic Intelligence Theft: Exfiltration of classified documents, military plans, diplomatic communications, and details on ammunition shipments to Ukraine.
  • Disruption of Logistics: Intelligence gathered on rail and maritime logistics could be used to kinetically or digitally disrupt supply chains supporting Ukraine's defense efforts.
  • Long-Term Espionage: The stealthy nature of the malware allows for long-term monitoring of target organizations, providing a continuous stream of intelligence to the Russian government.
  • Compromise of NATO Security: By targeting multiple NATO members, the campaign poses a direct threat to the security and operational integrity of the alliance.

Cyber Observables for Detection

Observable 1
Type: registry_key
Value: HKCU\Software\Classes\CLSID\
Description: The location where APT28 modifies keys for COM hijacking.
Context: Monitor for changes to CLSID registry keys, especially those pointing to DLLs in unusual locations.
Confidence: high

Observable 2
Type: network_traffic_pattern
Value: Image file downloads from non-standard domains
Description: The malware downloads PNG/JPG files containing hidden payloads.
Context: Monitor network logs for endpoints downloading image files from uncategorized or suspicious URLs.
Confidence: medium

Observable 3
Type: file_name
Value: *.lnk
Description: The initial access vector may involve a malicious LNK file.
Context: Monitor for the creation and execution of LNK files from email attachments or web downloads.
Confidence: medium

Observable 4
Type: log_source
Value: Proxy Logs
Description: Look for connections to known legitimate cloud services (e.g., Dropbox, Google Drive) that deviate from baseline user behavior.
Context: Egress proxy or firewall logs.
Confidence: medium
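Added example (not from the original report or Trend Micro) for the image-download and proxy-log observables above: it learns which cloud services each user reached during a baseline window, then flags cloud destinations new for that user and image downloads from uncategorized domains. The log format, user names and domains are constructed, and the cloud service list is an assumption that a real deployment would replace with the proxy's own URL categories.

```python
from collections import defaultdict

# Assumed list of cloud services often used as C2 relays; a real deployment would use the proxy's own category.
CLOUD_SERVICES = ("dropbox.com", "dropboxapi.com", "drive.google.com",
                  "googleapis.com", "onedrive.live.com", "graph.microsoft.com")
IMAGE_TYPES = ("image/png", "image/jpeg")

def parse_line(line: str) -> dict:
    """Constructed proxy log format: ts user dst_host url_category content_type bytes."""
    ts, user, host, category, ctype, size = line.split()
    return {"ts": ts, "user": user, "host": host.lower(),
            "category": category.lower(), "ctype": ctype.lower(), "bytes": int(size)}

def cloud_service(host: str):
    """Return the matching cloud service suffix, or None."""
    return next((s for s in CLOUD_SERVICES if host == s or host.endswith("." + s)), None)

def build_baseline(lines) -> dict:
    """Per-user set of cloud services seen during the learning window."""
    base = defaultdict(set)
    for e in map(parse_line, lines):
        svc = cloud_service(e["host"])
        if svc:
            base[e["user"]].add(svc)
    return base

def find_deviations(baseline_lines, new_lines) -> list:
    """Flag (rule, user, host): new cloud service for the user, or image from an uncategorized domain."""
    base = build_baseline(baseline_lines)
    findings = []
    for e in map(parse_line, new_lines):
        svc = cloud_service(e["host"])
        if svc and svc not in base[e["user"]]:
            findings.append(("new_cloud_destination", e["user"], e["host"]))
        if e["ctype"] in IMAGE_TYPES and e["category"] in ("uncategorized", "unknown"):
            findings.append(("image_from_uncategorized_domain", e["user"], e["host"]))
    return findings

# Constructed sample logs (learning window, then the day under review).
BASELINE = [
    "2026-03-01T09:00:00Z alice www.dropbox.com file-sharing text/html 5120",
    "2026-03-02T10:12:00Z alice content.dropboxapi.com file-sharing application/octet-stream 204800",
    "2026-03-03T11:30:00Z bob drive.google.com file-sharing text/html 4096",
]
NEW = [
    "2026-04-01T08:45:00Z alice www.dropbox.com file-sharing text/html 5120",
    "2026-04-01T08:46:10Z alice drive.google.com file-sharing application/octet-stream 131072",
    "2026-04-01T08:47:00Z bob cdn.example-uncat.invalid uncategorized image/png 98304",
]
```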

Detection & Response

Detection:

  1. Registry Monitoring: Use an EDR or file integrity monitoring tool to watch for modifications to COM-related registry keys under HKEY_CURRENT_USER\Software\Classes\CLSID and HKEY_CLASSES_ROOT\CLSID. This is the most reliable way to detect the persistence mechanism. D3-SFA - System File Analysis.
  2. Network Content Inspection: Where possible, use network security tools capable of deep packet inspection to analyze image files for anomalies that might suggest steganography, although this is technically challenging.
  3. Behavioral Analysis: Monitor for processes that load DLLs from unusual file paths after interacting with the registry, which could indicate a successful COM hijack execution.
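Added example (not the report's or Trend Micro's code) for detection steps 1 and 3: a scanner over a regedit export that lists InprocServer32/LocalServer32 registrations whose server binary lives in a user-writable directory or outside Windows and Program Files, the "unusual locations" the registry observable describes. The CLSIDs, user name and DLL name in the sample export are constructed placeholders, and the parser assumes plain REG_SZ values as regedit writes them.

```python
import re

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^(@|"[^"]*")="(.*)"$')
SERVER_RE = re.compile(r"CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$", re.I)
# Directories any user can write to; a COM server living here needs a reason.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\", "\\users\\public\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_reg(reg_text: str):
    """Yield (hive, key, value_name, value) for each REG_SZ in a .reg export; hex(...) values are skipped."""
    hive = key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            hive, key = m.group(1), m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
            yield hive, key, name, m.group(2).replace("\\\\", "\\")

def suspicious_com_servers(reg_text: str) -> list:
    """Triage list of (clsid, hive, server_path, reason); legitimate per-user installs also land here, so compare against an allowlist."""
    findings = []
    for hive, key, name, value in parse_reg(reg_text):
        m = SERVER_RE.search(key)
        if not m or name != "(Default)":
            continue
        path = value.lower()
        if any(d in path for d in USER_WRITABLE):
            reason = "server binary in a user-writable directory"
        elif not path.startswith(TRUSTED_ROOTS):
            reason = "server binary outside Windows/Program Files"
        else:
            continue
        findings.append((m.group(1), hive, value, reason))
    return findings

# Constructed .reg export; the CLSIDs, user name and DLL name are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-0000000000AA}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-0000000000BB}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"
"""
```

On a live host, export HKCU\Software\Classes\CLSID and HKLM\SOFTWARE\Classes\CLSID with reg.exe and feed both files through the scanner; an HKCU hit whose CLSID also exists under HKLM is the per-user override pattern to investigate first.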

Response:

  • Isolate the compromised host from the network.
  • Use forensic tools to examine the registry for hijacked COM keys to identify the malicious DLL.
  • Block the C2 domains identified from network or endpoint analysis.
  • Re-image the compromised machine, as simply deleting the malware file is insufficient to remove the persistence.

Mitigation

  • Patch Management: M1051 - Update Software: Aggressively patch all systems, especially for vulnerabilities known to be used by APT28, such as the Microsoft Shortcut flaw CVE-2026-21513.
  • Attack Surface Reduction: Implement ASR rules to block Office applications from creating executable content and to block process creations originating from PsExec and WMI commands, which are common lateral movement techniques for APT28.
  • Application Control: M1038 - Execution Prevention: Use application control solutions to prevent the execution of unauthorized DLLs. This can directly block the malicious PRISMEX DLL from being loaded via the COM hijack.
  • User Account Control: M1026 - Privileged Account Management: Enforce the principle of least privilege. The COM hijacking technique used by PRISMEX often relies on user-level registry modification, but limiting administrative privileges can prevent more damaging follow-on activity.

Timeline of Events

  1. September 1, 2025: The PRISMEX campaign begins targeting Ukraine and its allies.
  2. January 12, 2026: APT28 is observed preparing infrastructure related to CVE-2026-21509.
  3. January 30, 2026: An exploit for CVE-2026-21513 is uploaded to VirusTotal, suggesting potential zero-day use by APT28.
  4. February 10, 2026: Microsoft releases a patch for CVE-2026-21513.
  5. April 8, 2026: This article was published.

Article Updates

April 28, 2026

Severity increased

Microsoft confirms active exploitation of CVE-2026-32202, a Windows Shell flaw, which is a bypass for CVE-2026-21510. Both are linked to APT28's exploit chain, including CVE-2026-21513.

Microsoft has confirmed active exploitation of CVE-2026-32202, a Windows Shell spoofing vulnerability, patched in April 2026. This flaw is an incomplete fix for CVE-2026-21510, which was previously weaponized by APT28 (Forest Blizzard/Fancy Bear). Crucially, CVE-2026-21510 was used by APT28 in an exploit chain alongside CVE-2026-21513, a vulnerability mentioned in the original report on the PRISMEX malware. This update highlights APT28's continued focus on Windows Shell vulnerabilities for initial access, demonstrating their agility in bypassing patches and maintaining their exploit capabilities. Organizations are urged to apply the latest Microsoft updates immediately to mitigate this actively exploited threat.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags: COM Hijacking, Espionage, Geopolitics, Steganography, Zero-Day
