APT28 deploys advanced PRISMEX malware in new campaign against Ukraine and NATO allies

Introduction

The Russian state-sponsored threat actor APT28, also tracked as Forest Blizzard and Pawn Storm, has once again emerged with a sophisticated cyber-espionage campaign. A new report from security researchers at Trend Micro details the deployment of a previously undocumented malware suite, codenamed PRISMEX, in a series of spear-phishing attacks aimed at Ukraine and its NATO allies. This operation showcases a significant evolution in the group's tradecraft, combining multiple advanced evasion techniques to compromise high-value targets and exfiltrate sensitive data.

APT28, widely attributed to Russia's Main Intelligence Directorate (GRU), has a long history of conducting intelligence-gathering operations aligned with the Kremlin's strategic interests. This latest campaign, identified in early 2026, continues the group's focus on entities involved in the geopolitical conflict surrounding Ukraine, targeting government, military, and diplomatic organizations to gain a strategic advantage.

Technical breakdown: The PRISMEX infection chain

The initial vector for the PRISMEX campaign is classic APT28: highly targeted spear-phishing emails. These messages are carefully crafted to appear legitimate, often impersonating trusted contacts or organizations to lure victims into opening malicious attachments or clicking compromised links. Once a victim engages with the lure, the multi-stage PRISMEX infection process begins, distinguished by its focus on stealth and persistence.

According to Trend Micro's analysis, PRISMEX employs a triad of advanced techniques designed to bypass modern security controls:

1. Advanced steganography

To deliver its malicious payload without triggering signature-based detection, PRISMEX uses steganography. This age-old technique involves concealing data within other non-secret files. In this campaign, the malware embeds its next-stage components within seemingly innocuous image files (e.g., PNG or JPG). When the initial dropper is executed, it extracts the hidden code from the image file and runs it in memory. This method is effective because antivirus scanners and network gateways often inspect the carrier file (the image) and find it benign, failing to analyze the data hidden within its pixel structure.

2. Component Object Model (COM) hijacking for persistence

For maintaining a long-term foothold on a compromised system, PRISMEX leverages a powerful "living-off-the-land" technique known as COM hijacking. The Component Object Model is a legitimate part of the Windows operating system that allows software components to communicate with each other. By manipulating specific registry keys related to COM objects, PRISMEX can trick the operating system into executing its malicious code whenever a legitimate application or system process calls a hijacked COM object.

This method offers two key advantages for the attackers. First, it doesn't require dropping a new executable file onto the disk, which could be flagged by endpoint protection. Second, the malware's execution is initiated by a trusted process, making it appear as normal system activity and complicating detection by behavior-based security tools like Endpoint Detection and Response (EDR) systems.

3. Legitimate cloud services for command-and-control

Perhaps the most challenging aspect for network defenders is PRISMEX's use of legitimate cloud services for its command-and-control (C2) communications. Instead of connecting to a suspicious, attacker-controlled domain, the malware communicates with popular platforms like Microsoft OneDrive or Google Drive. It can receive new commands from files placed in a specific cloud folder by the attackers and exfiltrate stolen data by uploading it to the same service.

This C2 channel is difficult to block because most organizations permit traffic to major cloud providers for legitimate business purposes. The malicious traffic is encrypted by default (TLS/SSL) and blends in with the vast amount of normal user activity, making it a formidable challenge for network monitoring solutions to distinguish between benign and malicious communications without deep packet inspection and advanced behavioral analytics.

Impact assessment

The PRISMEX campaign represents a direct threat to the national security of Ukraine and its NATO partners. The primary targets are government ministries, military commands, defense contractors, and diplomatic missions—organizations that hold highly sensitive strategic, political, and military intelligence.

A successful compromise could lead to the exfiltration of:

• Military plans, troop movements, and intelligence assessments.
• Confidential diplomatic cables and negotiating positions.
• Sensitive policy documents and government deliberations.
• Proprietary information from defense and technology companies supporting the Ukrainian war effort.

The intelligence gathered through this campaign could provide the Russian government with significant foresight into the strategic planning of Ukraine and its allies, potentially influencing battlefield outcomes and geopolitical negotiations. Beyond espionage, the persistent access established by PRISMEX could be leveraged for future disruptive operations, such as deploying wiper malware or conducting disinformation campaigns.

How to protect yourself

Defending against a sophisticated threat like PRISMEX requires a multi-layered security strategy that addresses each stage of the attack chain. Organizations, especially those in targeted sectors, should prioritize the following actions:

1. Enhance email security: Since spear-phishing is the initial entry point, deploy advanced email security gateways that use sandboxing and machine learning to detect malicious attachments and links. Conduct regular, rigorous phishing awareness training for all employees, teaching them to scrutinize unsolicited emails and report suspicious messages.
2. Strengthen endpoint protection: Traditional antivirus is not enough. Use a modern Endpoint Detection and Response (EDR) solution capable of monitoring process behavior, registry modifications, and script execution. Specifically, configure EDR to monitor for signs of COM hijacking and unusual process chains.
3. Monitor network egress traffic: Scrutinize traffic to cloud services. While blocking them entirely is often not feasible, organizations can use Cloud Access Security Brokers (CASB) and network traffic analysis tools to establish baselines of normal user behavior and alert on anomalies, such as an unusual volume of data being uploaded from a server that doesn't typically access cloud storage. Using a VPN service can also help encrypt traffic, adding a layer of privacy for remote workers.
4. Implement application control: Use application control policies to restrict the execution of unauthorized software. This can help prevent the initial dropper from running even if a user clicks on a malicious link or attachment.
5. Maintain a robust patching program: While this specific campaign relies on evasion over exploitation, APT28 frequently uses known vulnerabilities. Ensure all operating systems, browsers, and third-party applications are patched promptly to reduce the overall attack surface.

The emergence of PRISMEX is a stark reminder that advanced persistent threat groups are continuously refining their tools and techniques. A proactive and defense-in-depth security posture is essential for staying ahead of these evolving threats.