The Russian threat actor tracked as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a recent spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX.
“PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control,” Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara said in a technical report. The campaign is believed to have been active since at least September 2025.
The activity has targeted various sectors in Ukraine, including central government bodies, hydrometeorology, defense, and emergency services, as well as rail logistics (Poland), maritime and transportation (Romania, Slovenia, Turkey), logistics partners involved in ammunition initiatives (Slovakia, Czech Republic), and military and NATO partners.
The campaign is notable for the rapid weaponization of newly disclosed flaws, such as CVE-2026-21509 and CVE-2026-21513, to breach targets of interest, with infrastructure preparation observed on January 12, 2026, exactly two weeks before the former was publicly disclosed.
In late February 2026, Akamai also disclosed that APT28 may have weaponized CVE-2026-21513 as a zero-day, based on a Windows shortcut (LNK) exploit that was uploaded to VirusTotal on January 30, 2026, well before Microsoft shipped a fix as part of its Patch Tuesday update on February 10, 2026.
This pattern of zero-day exploitation indicates that the threat actor had advance knowledge of the vulnerabilities before Microsoft disclosed them.
An interesting overlap between the campaigns exploiting the two vulnerabilities is the domain “wellnesscaremed[.]com.” This commonality, combined with the timing of the two exploits, has raised the possibility that the threat actors are chaining CVE-2026-21513 and CVE-2026-21509 into a sophisticated two-stage attack chain.
“The first vulnerability (CVE-2026-21509) forces the victim’s system to retrieve a malicious .LNK file, which then exploits the second vulnerability (CVE-2026-21513) to bypass security features and execute payloads without user warnings,” Trend Micro theorized.
The attacks culminate in the deployment of either MiniDoor, an Outlook email stealer, or a collection of interconnected malware components collectively known as PRISMEX, so named for its use of a steganographic technique to conceal payloads inside image files. These include:
- PrismexSheet, a malicious Excel dropper with VBA macros that extracts payloads embedded within the file using steganography, establishes persistence via COM hijacking, and displays a decoy document related to drone inventory lists and drone prices once macros are enabled.
- PrismexDrop, a native dropper that prepares the environment for follow-on exploitation and uses scheduled tasks and COM DLL hijacking for persistence.
- PrismexLoader (aka PixyNetLoader), a proxy DLL that extracts the next-stage .NET payload scattered across the file structure of a PNG image (“SplashScreen.png”) using a bespoke “Bit Plane Round Robin” algorithm and runs it entirely in memory.
- PrismexStager, a COVENANT Grunt implant that abuses Filen.io cloud storage for C2.
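Two of the components above persist through COM hijacking, which works because Windows resolves per-user CLSID registrations under HKCU\Software\Classes\CLSID before the machine-wide ones under HKLM, so an attacker who can only write to HKCU can point an InprocServer32 entry at their own DLL. The following hunting check is an added example and not Trend Micro's code or anything taken from the report: it flags per-user in-proc servers that either shadow a machine-wide registration with a different DLL or load from a user-writable location. The CLSIDs and paths in SAMPLE are constructed for illustration; collect_from_registry reads the live registry and only works on Windows.

```python
"""Hunt for COM hijacking persistence: HKCU CLSID entries that shadow HKLM."""
import sys
from dataclasses import dataclass

# Path fragments that an ordinary user can write to; a legitimate in-proc
# server almost never lives here. Matched case-insensitively.
USER_WRITABLE = ("appdata", "users\\public", "\\temp\\", "programdata")


@dataclass(frozen=True)
class ComServer:
    hive: str   # "HKCU" or "HKLM"
    clsid: str  # e.g. "{...}"
    dll: str    # default value of the InprocServer32 subkey


def normalise(path: str) -> str:
    """Lower-case and strip quotes so two registrations of one DLL compare equal."""
    return path.strip().strip('"').lower()


def find_hijacks(entries):
    """Return (clsid, hkcu_dll, hklm_dll_or_None, reason) for suspicious HKCU entries."""
    hklm = {e.clsid.lower(): normalise(e.dll) for e in entries if e.hive == "HKLM"}
    findings = []
    for e in entries:
        if e.hive != "HKCU":
            continue
        dll = normalise(e.dll)
        legit = hklm.get(e.clsid.lower())
        if legit is not None and legit != dll:
            findings.append((e.clsid, dll, legit, "HKCU shadows HKLM with a different DLL"))
        elif any(frag in dll for frag in USER_WRITABLE):
            findings.append((e.clsid, dll, legit, "in-proc server loads from a user-writable path"))
    return findings


def collect_from_registry():
    """Windows only: enumerate CLSID\\{...}\\InprocServer32 defaults in HKCU and HKLM."""
    import winreg  # stdlib, present only on Windows
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    found = []
    for name, root in hives:
        try:
            base = winreg.OpenKey(root, r"Software\Classes\CLSID")
        except OSError:
            continue
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(base, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                dll = winreg.QueryValue(base, clsid + r"\InprocServer32")
            except OSError:
                continue  # CLSID without an in-proc server
            found.append(ComServer(name, clsid, dll))
    return found


# Constructed sample data (placeholder CLSIDs, not real registrations).
SAMPLE = [
    ComServer("HKLM", "{11111111-2222-3333-4444-555555555555}", r"C:\Windows\System32\legit.dll"),
    ComServer("HKCU", "{11111111-2222-3333-4444-555555555555}",
              r"C:\Users\alice\AppData\Roaming\Microsoft\updater.dll"),  # shadows HKLM
    ComServer("HKLM", "{22222222-2222-3333-4444-555555555555}", r"C:\Windows\System32\shell32.dll"),
    ComServer("HKCU", "{22222222-2222-3333-4444-555555555555}", r"C:\Windows\System32\shell32.dll"),  # benign
    ComServer("HKCU", "{33333333-2222-3333-4444-555555555555}", r"C:\Users\Public\Libraries\x.dll"),  # writable
]

if __name__ == "__main__":
    entries = collect_from_registry() if sys.platform == "win32" else SAMPLE
    for clsid, dll, legit, reason in find_hijacks(entries):
        print(f"{clsid}: {dll} ({reason}; HKLM={legit})")
```

On a live host, compare the flagged DLLs against the scheduled tasks the dropper creates; an HKCU-only CLSID whose DLL sits under %APPDATA% and is loaded by explorer.exe or an Office process is the pattern worth pulling for analysis.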
It's worth noting that some aspects of the campaign were previously documented by Zscaler ThreatLabz under the moniker Operation Neusploit.
APT28's use of COVENANT, an open-source command-and-control (C2) framework, was first highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. PrismexStager is assessed to be an evolution of MiniDoor and NotDoor (aka GONEPOSTAL), a Microsoft Outlook backdoor deployed by the hacking group in late 2025.
In at least one incident in October 2025, the COVENANT Grunt payload was found to not only facilitate information gathering but also run a destructive wiper command that erases all files under the “%USERPROFILE%” directory. This dual capability lends weight to the hypothesis that these campaigns could be designed for both espionage and sabotage.
“This operation demonstrates that Pawn Storm remains one of the most aggressive Russia-aligned intrusion sets,” Trend Micro said. “The targeting pattern reveals a strategic intent to compromise the supply chain and operational planning capabilities of Ukraine and its NATO partners.”
“The strategic focus on targeting the supply chains, weather services, and humanitarian corridors supporting Ukraine represents a shift toward operational disruption that may presage more destructive activities.”