A Russia-linked threat group known as APT28 has launched a new wave of targeted attacks against Ukraine and its international partners, deploying a previously unknown malware framework called PRISMEX.
Security researchers report that the campaign has been active since at least September 2025 and combines multiple advanced techniques, including steganography, COM hijacking, and the abuse of legitimate cloud platforms for command-and-control operations.
Wide Range of Targets
The campaign is not limited to a single sector. Instead, it spans multiple critical areas connected to Ukraine and its allies, including:
- Government agencies and executive bodies
- Defense and emergency services
- Weather and hydrometeorology organizations
- Transportation and logistics networks across Europe
- Military partners and NATO-related entities
This broad targeting suggests a coordinated effort to disrupt both operations and supply chains.
Use of Zero-Day Vulnerabilities
One of the most concerning aspects of the campaign is the rapid use of newly discovered vulnerabilities.
Researchers found evidence that APT28 prepared its attack infrastructure weeks before certain flaws were publicly disclosed. These include vulnerabilities identified as CVE-2026-21509 and CVE-2026-21513.
In some cases, exploit samples were uploaded online before official patches were released, indicating the attackers may have had early or exclusive access to the vulnerabilities.
Multi-Stage Attack Chain
The attack process appears to follow a layered approach:
- A victim system is tricked into retrieving a malicious shortcut (LNK) file
- The file exploits a second vulnerability to bypass security protections
- Malware is executed without raising user alerts
This chaining of vulnerabilities allows attackers to move from initial access to full system compromise with minimal visibility.
Inside the PRISMEX Malware Framework
PRISMEX is not a single piece of malware but a collection of coordinated components, each handling a different stage of the attack.
Key elements include:
- A malicious Excel-based dropper that uses macros and hidden data within the file to extract payloads
- A system loader that prepares the infected environment and maintains persistence
- A memory-based payload loader that retrieves hidden code from image files using advanced techniques
- A staging module that connects to cloud storage services for command-and-control communication
One of the standout features is the use of steganography, where malicious code is concealed inside image files, making detection significantly harder.
Cloud Abuse and Stealth Tactics
Instead of relying on traditional command-and-control servers, the attackers use legitimate cloud services to communicate with infected systems. Because this traffic goes to services that many organizations already use, it blends in with normal network activity and is harder to flag.
Persistence is achieved through COM hijacking and scheduled tasks, so the malware stays active across system reboots.
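As an added defender-side check (not part of the original report), the PowerShell audit below lists per-user COM server registrations that shadow a machine-wide one, which is the registry precedence COM hijacking relies on, and scheduled tasks whose action executes from a user-writable location. It assumes it runs on the Windows host under the user profile being examined; the user-writable path patterns are an assumption chosen for illustration.

```powershell
# Added example, not from the report. Per-user HKCU CLSID entries take precedence
# over HKLM for the same CLSID, so a user-level server that differs from the
# machine-wide one deserves review.
$userClsid = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
if (Test-Path $userClsid) {
    Get-ChildItem -Path $userClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $userKey = Join-Path $_.PSPath $sub
            if (-not (Test-Path $userKey)) { continue }
            $userTarget = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
            $machineKey = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\$sub"
            $machineTarget = if (Test-Path $machineKey) {
                (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
            } else { $null }
            [pscustomobject]@{
                CLSID         = $clsid
                Server        = $sub
                UserTarget    = $userTarget
                MachineTarget = $machineTarget
                Verdict       = if ($machineTarget -and ($userTarget -ne $machineTarget)) {
                                    'REVIEW: shadows machine-wide server'
                                } elseif (-not $machineTarget) {
                                    'INFO: user-only registration'
                                } else { 'OK: matches machine-wide server' }
            }
        }
    } | Sort-Object Verdict -Descending | Format-Table -AutoSize
} else {
    Write-Output 'No per-user CLSID hive present; nothing to audit.'
}

# Second check: scheduled tasks whose action runs from a user-writable path.
# The path patterns are an illustrative assumption; extend them for your estate.
$writablePaths = '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and ($action.Execute -match $writablePaths)) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
} | Format-Table -AutoSize
```

Rows marked REVIEW or tasks listed by the second check are leads to triage against known software, not verdicts on their own.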
Dual Purpose: Espionage and Disruption
In at least one observed case, the malware not only collected information but also executed destructive commands that wiped user data from infected systems.
This suggests that the campaign is designed for both intelligence gathering and potential sabotage, depending on the target and situation.
Strategic Intent Behind the Campaign
The targeting pattern reveals a clear objective: weaken Ukraine’s operational capabilities and disrupt the networks supporting its defense and logistics.
By focusing on supply chains, transportation, and support systems, the attackers appear to be aiming beyond simple data theft and moving toward broader operational impact.
Final Insight
This campaign highlights how advanced threat groups are combining multiple techniques to stay ahead of defenses. The use of zero-day exploits, hidden payloads, and legitimate infrastructure makes detection increasingly difficult.
For organizations, especially those connected to critical infrastructure or international operations, strengthening vulnerability management and monitoring unusual behavior is more important than ever.