APT28 Deploys PRISMEX Malware Against Ukraine and NATO Allies
Russian GRU's APT28 uses new PRISMEX malware suite with steganography and COM hijacking to target Ukraine defense and NATO logistics. Includes wiper capability.
Russia's APT28 has deployed a previously undocumented malware suite dubbed PRISMEX against Ukraine and its NATO allies, combining advanced steganography with destructive wiper capabilities that suggest missions beyond pure espionage. The campaign, active since at least September 2025, demonstrates how quickly Russian intelligence can weaponize newly disclosed vulnerabilities.
The PRISMEX Toolkit
PRISMEX consists of four interconnected components, each designed for specific stages of the attack chain:
PrismexSheet — A malicious Excel dropper using VBA macros to extract payloads hidden within image files using steganography. The component establishes persistence through COM object hijacking, a technique that survives reboots by inserting malicious code into Windows component registration.
PrismexDrop — A native Windows dropper that creates scheduled tasks and additional COM DLL hijacking for redundant persistence. If one mechanism is discovered and removed, the other maintains the foothold.
PrismexLoader (PixyNetLoader) — A proxy DLL that extracts .NET payloads from PNG images using a "Bit Plane Round Robin" algorithm. The extracted code executes entirely in memory, leaving minimal forensic artifacts on disk.
PrismexStager — A COVENANT Grunt implant that abuses Filen.io cloud storage for command-and-control. Traffic blends with legitimate business activity, making network-based detection difficult.
For defenders unfamiliar with these techniques, our malware fundamentals guide covers persistence mechanisms and evasion tactics commonly used by nation-state actors.
Rapid Vulnerability Weaponization
The campaign exploits CVE-2026-21509 and CVE-2026-21513, chaining an Office security bypass with an MSHTML/Windows Shortcut flaw to achieve code execution without user interaction beyond opening a document.
What stands out is the timeline. Infrastructure preparation for the campaign was observed on January 12, 2026—exactly two weeks before CVE-2026-21509 was publicly disclosed. APT28 either had advance knowledge of the vulnerability or reverse-engineered Microsoft's patch within hours of release.
We covered APT28's earlier exploitation of CVE-2026-21509 against maritime targets in February. The PRISMEX campaign represents a significant evolution in capability, adding the wiper functionality and more sophisticated delivery mechanisms.
Targets Across Nine Countries
The campaign has hit organizations across Ukraine and NATO member states:
- Ukraine: Central executive bodies, hydrometeorology services, defense ministry, emergency services
- Poland: Rail logistics operators
- Romania, Slovenia, Turkey: Maritime and transportation sectors
- Slovakia, Czech Republic: Logistics support partners involved in ammunition initiatives
The targeting pattern tracks closely with Russian strategic interests in disrupting Western military aid to Ukraine. Transportation and logistics organizations handle sensitive information about weapons shipments, resupply routes, and delivery schedules.
Diplomatic entities round out the target list, though defense and logistics organizations appear to receive priority attention. The geographic focus overlaps significantly with APT28's earlier credential harvesting operations across the Balkans and Central Asia.
Espionage and Sabotage
In at least one incident from October 2025, researchers found that PRISMEX wasn't just collecting data—it was prepared to destroy it. The COVENANT Grunt payload included a destructive wiper command that erases all files under the user profile directory.
This dual capability suggests the malware may serve different purposes depending on operational needs: intelligence gathering during peacetime reconnaissance, and destructive attacks during escalation. The ability to pivot from espionage to sabotage with a single command represents a concerning evolution in Russian cyber operations.
The destructive capability also serves as an anti-forensics measure. If operators believe they've been detected, they can wipe evidence of their presence along with any exfiltrated data that might reveal what intelligence was compromised.
Detection Indicators
Organizations in targeted sectors should monitor for:
- Outlook registry modifications that weaken security controls or create unexpected forwarding rules
- Filen.io traffic from Office processes or system binaries—legitimate enterprise use of this service is rare
- COM object registration changes in HKCU\Software\Classes\CLSID pointing to unfamiliar DLLs
- PNG files with abnormal entropy in temp directories, which may indicate steganographic payloads
Network defenders should review our earlier coverage of APT28 detection guidance for additional indicators specific to the CVE-2026-21509 exploitation chain.
Why This Matters
PRISMEX represents the maturation of Russia's cyber operations against Ukraine and its supporters. The combination of advanced evasion techniques, rapid vulnerability exploitation, and integrated destructive capability demonstrates significant investment in offensive tooling.
For organizations handling Ukraine-related logistics or defense cooperation, this campaign should prompt immediate review of exposure to the exploited vulnerabilities and implementation of enhanced monitoring for the described techniques.
The campaign also underscores ongoing risks for any organization visible in Russian strategic planning. APT28 has shown it will aggressively target supply chains and support networks, not just direct military or government entities.