APT28's PRISMEX Malware Targets NATO Supply Chains
Russian military hackers deployed PRISMEX steganography malware against Ukraine and NATO logistics networks, exploiting zero-days CVE-2026-21509 and CVE-2026-21513 weeks before patches.
Russia's APT28 has been running a sophisticated espionage campaign against Ukraine and NATO logistics partners since September 2025, deploying a new malware suite called PRISMEX that combines steganography, memory-only execution, and cloud-based command-and-control. Security researchers tracking the campaign found evidence the attackers had zero-day access to Microsoft vulnerabilities weeks before public disclosure.
The campaign targeted entities directly involved in military supply chains—Ukrainian defense and emergency services, Polish rail logistics, Romanian and Slovenian maritime transport, and ammunition suppliers in Slovakia and the Czech Republic. The targeting pattern makes clear this wasn't opportunistic scanning. APT28 wanted visibility into how weapons and supplies reach Ukrainian forces.
The PRISMEX Malware Suite
PRISMEX consists of four interlocking components that security researchers tracked across multiple intrusions:
PrismexSheet serves as the initial delivery mechanism—malicious Excel files with VBA macros that extract hidden payloads using steganography. The decoy documents displayed realistic Ukrainian drone inventories, supplier pricing sheets, and military logistics forms to appear legitimate to recipients.
PrismexDrop handles persistence through COM DLL hijacking and scheduled tasks. Once the dropper establishes a foothold, it decrypts and deploys the loader component while evading detection.
PrismexLoader (also called PixyNetLoader) uses a custom "Bit Plane Round Robin" algorithm to extract .NET payloads hidden within PNG images. The entire execution happens in memory, leaving minimal forensic artifacts on disk. This technique has become increasingly common in APT operations as defenders improve their detection of traditional file-based persistence.
PrismexStager provides command-and-control through the COVENANT Grunt implant framework, abusing Filen.io cloud storage to blend C2 traffic with legitimate file-sharing activity.
This modular architecture mirrors tactics we've seen in other APT28 operations targeting Eastern European entities earlier this year.
Zero-Day Exploitation Confirmed
The campaign weaponized two Microsoft vulnerabilities—and the timeline proves APT28 had exploit code before either was publicly known.
CVE-2026-21509 forces retrieval of malicious .LNK files from attacker-controlled WebDAV servers. Security researchers found APT28 registered infrastructure for this attack on January 12, 2026—exactly two weeks before Microsoft publicly disclosed the vulnerability on January 26.
CVE-2026-21513 bypasses security features that normally prevent untrusted files from executing without user interaction. A sample exploiting this flaw appeared on VirusTotal on January 30, 2026—eleven days before Microsoft released patches on February 10. Combined, these flaws let APT28 achieve code execution without any warning dialogs or user confirmation.
This pattern of pre-disclosure infrastructure setup echoes what Akamai documented in their research on the Windows Shell NTLM theft vulnerability, in which APT28 similarly exploited Microsoft products before patches were available.
Not Just Espionage
In at least one October 2025 incident, researchers found the COVENANT Grunt payload included a destructive wiper command that erased all files under the user profile directory. This dual capability—espionage when stealth matters, destruction when it doesn't—suggests APT28 has operational flexibility to shift from intelligence collection to sabotage depending on strategic requirements.
The wiper capability lends weight to concerns that these campaigns aren't purely about understanding NATO logistics. If Russia decides to disrupt supply chains rather than just monitor them, the access already exists.
Who's at Risk
The primary targets were organizations supporting Ukrainian military operations:
- Ukrainian central executive bodies, defense ministry, emergency services
- Hydrometeorology services (weather data supports military planning)
- Polish rail operators (primary route for Western military aid)
- Romanian and Turkish maritime and transportation entities
- Slovak and Czech ammunition suppliers
Secondary targeting included any organization with visibility into NATO logistics planning or military industrial supply chains. Defense contractors, shipping companies, and government agencies coordinating aid delivery should assume they're targets.
What Organizations Should Do
- Apply February 2026 patches for CVE-2026-21509 and CVE-2026-21513 immediately
- Block outbound WebDAV connections to untrusted domains
- Monitor for COM hijacking persistence mechanisms in registry keys
- Inspect Filen.io traffic for unexpected patterns that might indicate C2 activity
- Hunt for steganography by analyzing PNG files in email attachments for anomalous data patterns
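The COM-hijacking item above is the one most easily turned into a repeatable check. The script below is an added example, not tooling from the PRISMEX research: it lists per-user COM servers registered under HKCU\Software\Classes\CLSID that either shadow a machine-wide registration in HKLM or load from outside the install directories treated here as trusted (the trusted-root list and the two server keys inspected are assumptions you may need to widen for your environment).

```powershell
# Added hunting check (not from the PRISMEX research): list per-user COM servers that
# shadow a machine-wide CLSID or load a DLL/EXE from outside trusted install locations.
# HKCU\Software\Classes takes precedence over HKLM for the current user, which is what
# COM hijacking relies on. Run it in the context of each user profile of interest.

$userClsidRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
# Assumed "trusted" roots; adjust for your image. The (x86) entry is dropped if undefined.
$trustedRoots  = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
                 Where-Object { $_ -ne '\' }

function Get-SuspiciousUserComServer {
    Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($serverKey in 'InprocServer32', 'LocalServer32') {
            $userKey = "Registry::$($_.Name)\$serverKey"
            if (-not (Test-Path $userKey)) { continue }
            $target = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $target) { continue }
            # Strip surrounding quotes/arguments (LocalServer32 holds a command line) and expand %VAR%.
            $path = [Environment]::ExpandEnvironmentVariables(($target -replace '^"([^"]+)".*$', '$1'))
            $shadowsMachineKey = Test-Path "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\$serverKey"
            $inTrustedRoot = [bool]($trustedRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
            if ($shadowsMachineKey -or -not $inTrustedRoot) {
                [pscustomobject]@{
                    CLSID             = $clsid
                    ServerType        = $serverKey
                    Path              = $path
                    ShadowsHKLM       = $shadowsMachineKey   # strongest signal: overrides a system CLSID
                    OutsideTrustedDir = -not $inTrustedRoot
                    FileExists        = Test-Path -LiteralPath $path
                }
            }
        }
    }
}

Get-SuspiciousUserComServer | Format-Table -AutoSize
```

Per-user installers legitimately register COM servers under %LocalAppData%, so expect benign hits on OutsideTrustedDir; triage ShadowsHKLM entries first, and compare the DLL's hash and signature against a known-good baseline before acting.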
Organizations unfamiliar with advanced persistent threat tactics should review our social engineering guide to understand how initial access typically begins with convincing phishing lures like the military logistics documents PRISMEX used.
Why This Matters
APT28—also known as Fancy Bear, Forest Blizzard, Pawn Storm, and Sofacy—is Unit 26165 of Russia's GRU military intelligence. Their operations directly support Russian strategic objectives, and targeting NATO logistics networks signals an intent to understand or disrupt Western support for Ukraine.
The confirmed zero-day exploitation demonstrates APT28's access to vulnerability research capabilities or exploit markets that provide weapons-grade code before defenders can patch. Organizations in the defense industrial base can't rely solely on patching—they need detection capabilities for post-compromise activity and must assume sophisticated adversaries will sometimes get in.
For context on Russian cyber operations and their evolution over the past decade, our cybersecurity books page includes several titles covering Sandworm and GRU operations that provide historical perspective on campaigns like PRISMEX.