Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
APT28’s New PRISMEX Malware Campaign Targets Ukraine

APT28’s New PRISMEX Malware Campaign Targets Ukraine

Posted on April 8, 2026 By CWS

The Russian cyber espionage group known as APT28, also referred to as Forest Blizzard and Pawn Storm, has launched a sophisticated spear-phishing operation targeting Ukraine and its NATO allies. This campaign marks the deployment of a newly discovered malware suite named PRISMEX, aiming to infiltrate various sectors by exploiting recent vulnerabilities.

Advanced Techniques and Vulnerability Exploitation

PRISMEX employs advanced methods including steganography, Component Object Model (COM) hijacking, and misuse of legitimate cloud services to maintain command-and-control. According to Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara, the campaign has been active since at least September 2025. Key sectors in Ukraine such as central executive bodies, defense, and emergency services, along with transportation and logistics partners in neighboring countries, are among those targeted.

APT28’s strategy involves rapidly exploiting newly disclosed security flaws, notably CVE-2026-21509 and CVE-2026-21513. Infrastructure for these attacks was established on January 12, 2026, preceding the public disclosure of one of the vulnerabilities. This indicates a preemptive approach to vulnerability exploitation.

Insight into APT28’s Zero-Day Exploitation

The use of zero-day vulnerabilities, specifically CVE-2026-21513, was highlighted when Akamai reported on a Microsoft Shortcut (LNK) exploit linked to APT28. This exploit was uploaded to VirusTotal on January 30, 2026, before Microsoft released a patch on February 10, 2026. Such actions suggest that APT28 had prior knowledge of these vulnerabilities, allowing them to craft a sophisticated two-stage attack chain.

The attack sequence involves the initial exploitation of CVE-2026-21509 to deliver a malicious LNK file, which then triggers CVE-2026-21513 to circumvent security features. This results in the deployment of malware like MiniDoor and the PRISMEX suite, which utilizes steganography to hide its payloads within image files.

Components of the PRISMEX Malware Suite

The PRISMEX suite comprises several components, including PrismexSheet, PrismexDrop, PrismexLoader, and PrismexStager. Each plays a role in establishing persistence, executing payloads, and maintaining stealth. PrismexSheet exploits Excel files to conceal payloads, while PrismexLoader uses a unique algorithm to extract further payloads from images. PrismexStager, linked to the COVENANT framework, utilizes cloud storage for command-and-control operations.

Previous analysis by Zscaler ThreatLabz under the name Operation Neusploit has documented some aspects of this campaign. APT28’s use of the COVENANT framework was first reported by the Computer Emergency Response Team of Ukraine (CERT-UA) in mid-2025, indicating the ongoing development and deployment of advanced cyber tools.

Implications and Strategic Shifts

This operation underscores APT28’s aggressive tactics and strategic targeting of supply chains and operational capabilities in Ukraine and NATO. The focus on disrupting infrastructure supporting Ukraine suggests potential for more destructive cyber activities in the future. Trend Micro’s analysis highlights the danger posed by APT28 as they continue to evolve their methods and objectives.

The Hacker News Tags:APT28, cloud abuse, CVE-2026-21509, CVE-2026-21513, cyber attack, Cybersecurity, Malware, NATO, PRISMEX, spear-phishing, stealth techniques, Steganography, Trend Micro, Ukraine

Post navigation

Previous Post: Critical Docker Flaw Allows Unauthorized Host Access
Next Post: OpenSSL Updates Fix Critical Data Leak Flaw

Related Posts

CISA Highlights Exploited Roundcube Vulnerabilities CISA Highlights Exploited Roundcube Vulnerabilities The Hacker News
Critical Telnetd Security Flaw Allows Remote Code Execution Critical Telnetd Security Flaw Allows Remote Code Execution The Hacker News
Supply Chain Attack Targets TanStack and AI Packages Supply Chain Attack Targets TanStack and AI Packages The Hacker News
ZionSiphon Malware Targets Israeli Water Systems ZionSiphon Malware Targets Israeli Water Systems The Hacker News
Automating vCISO and Compliance Services Automating vCISO and Compliance Services The Hacker News
APT28 Exploits MSHTML Vulnerability Before February 2026 Patch APT28 Exploits MSHTML Vulnerability Before February 2026 Patch The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Dormant GitHub Accounts Aid Corporate Reconnaissance
  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Dormant GitHub Accounts Aid Corporate Reconnaissance
  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark