
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies
Why It Matters
The campaign demonstrates APT28’s ability to weaponize vulnerabilities before they are publicly disclosed or patched, threatening critical infrastructure and NATO supply chains supporting Ukraine. It raises the risk of both intelligence theft and disruptive sabotage across the region’s defense ecosystem.
Key Takeaways
- APT28 used zero‑day CVE‑2026‑21513 in an LNK exploit before a patch was available
- PRISMEX employs steganography to hide .NET payloads inside PNG images
- The campaign targets Ukrainian government, logistics, and NATO‑linked entities across Europe
- PrismexStager leverages Filen.io cloud storage for C2 communications
- Some infections included a destructive wiper that deleted user profile data
Pulse Analysis
Trend Micro’s latest report reveals that APT28 has refined its intrusion playbook by integrating two freshly disclosed vulnerabilities—CVE‑2026‑21509 and CVE‑2026‑21513—into a coordinated two‑stage attack chain. The first flaw forces a victim to download a malicious shortcut file, which then triggers the second exploit to bypass security controls and execute hidden code. By leveraging these zero‑days weeks before public disclosure, the group demonstrates advanced exploit‑acquisition capabilities and a willingness to operate ahead of traditional patch cycles, heightening the urgency for rapid vulnerability management in affected sectors.
PRISMEX, the newly identified malware suite, combines sophisticated evasion techniques with modular payload delivery. Its components—PrismexSheet, PrismexDrop, PrismexLoader, and PrismexStager—use steganographic embedding of .NET binaries within PNG images, COM object hijacking for persistence, and scheduled‑task creation to maintain footholds. The loader extracts payloads in memory, while the stager communicates through Filen.io, an innocuous cloud storage service, to mask command‑and‑control traffic. This blend of legitimate cloud abuse and the open‑source COVENANT framework underscores the group’s adaptability and the growing challenge of detecting fileless, cloud‑mediated attacks.
Strategically, the targeting of Ukraine’s executive bodies, weather services, rail logistics, and NATO‑linked partners signals a shift from pure espionage toward operational disruption. By compromising supply‑chain nodes and humanitarian corridors, APT28 can impair decision‑making and potentially trigger destructive actions, as evidenced by a wiper payload that erased user profiles in an October 2025 incident. For defenders, the lesson is clear: continuous monitoring of zero‑day exploitation, hardened email gateways, and vigilant cloud‑traffic analysis are essential to mitigate the expanding threat surface posed by state‑sponsored actors.