APT28 deploys PRISMEX malware in espionage campaign against Ukraine and allies

As reported by Security Affairs, the Russia-linked advanced persistent threat group APT28 has launched a sophisticated spear-phishing campaign targeting Ukraine and its allied nations. The operation, active since September 2025, uses a new malware suite named PRISMEX that employs advanced stealth techniques to support espionage and command-and-control activity.

The campaign, uncovered by Trend Micro and attributed to APT28 (also known as Fancy Bear and Pawn Storm), exploits newly disclosed vulnerabilities, including CVE-2026-21509 and CVE-2026-21513, to bypass security controls and gain initial access. Spear-phishing emails themed around military training or aid deliver malicious RTF files that trigger the exploitation. The PRISMEX suite, comprising a dropper, a loader, and an implant based on the Covenant framework, enables fileless execution and encrypted command-and-control communication over legitimate cloud services such as Filen.io. Targets include Ukraine's defense supply chain, aid infrastructure, and government entities in Central and Eastern Europe, with decoy documents mimicking Ukrainian drone inventories and logistics forms.

The campaign marks an evolution in APT28's tactics: by targeting the critical support networks that sustain Ukraine, the group is shifting toward tactical disruption alongside espionage. The combination of zero-day exploits, custom steganography, and legitimate cloud services makes the activity hard to detect. Organizations in the affected sectors are advised to adopt an "assume breach" mentality and to focus on behavioral anomalies in order to mitigate the risk of long-term access and potential sabotage.

Source: Security Affairs
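The advice above to hunt for behavioral anomalies rather than file hashes can be turned into concrete triage logic. The following added example (not code from Security Affairs, Trend Micro, or the article) scores constructed endpoint telemetry for two behaviors the summary describes: an Office application spawning a script interpreter after a document is opened, and a non-browser process talking to a cloud-storage domain (Filen.io is the one named on the page; the `files.filen.io` hostname, the host names, and every log record are constructed sample data). When both occur on one host within a short window, the findings are escalated, which is the kind of chaining that does not depend on recognizing any particular dropper or loader.

```python
"""Behavioral triage of endpoint telemetry (added example with constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Process categories used by the rules. Image names are compared case-insensitively.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Filen.io is named in the article; extend with the storage providers your org actually uses.
CLOUD_STORAGE_DOMAINS = {"filen.io"}
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (EDR-style JSON records); hostnames and paths are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-09-12T08:01:02Z", "host": "ws-17", "type": "process",
     "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n C:\\Users\\u\\AppData\\Local\\Temp\\training.rtf"},
    {"ts": "2025-09-12T08:01:09Z", "host": "ws-17", "type": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <redacted>"},
    {"ts": "2025-09-12T08:01:15Z", "host": "ws-17", "type": "network",
     "image": "powershell.exe", "dest_host": "files.filen.io", "dest_port": 443},
    # Benign: a user browsing to the same provider from a browser on another host.
    {"ts": "2025-09-12T08:05:40Z", "host": "ws-22", "type": "network",
     "image": "chrome.exe", "dest_host": "files.filen.io", "dest_port": 443},
    # Benign: Outlook opening Word is normal and must not fire on its own.
    {"ts": "2025-09-12T08:06:00Z", "host": "ws-22", "type": "process",
     "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE /n report.docx"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def in_domain(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def score_events(events):
    """Return a list of findings; each is a dict with host, rule, severity and ts."""
    findings = []
    for e in events:
        if e["type"] == "process":
            if e["parent"].lower() in OFFICE_APPS and e["image"].lower() in INTERPRETERS:
                findings.append({"host": e["host"], "rule": "office_spawned_interpreter",
                                 "severity": "medium", "ts": e["ts"]})
        elif e["type"] == "network":
            if in_domain(e["dest_host"], CLOUD_STORAGE_DOMAINS) and e["image"].lower() not in BROWSERS:
                findings.append({"host": e["host"], "rule": "nonbrowser_cloud_storage_egress",
                                 "severity": "medium", "ts": e["ts"]})

    # Correlate per host: an Office-spawned interpreter followed within the window by
    # non-browser egress to cloud storage is escalated to a single high-severity finding.
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    for host, fs in by_host.items():
        office = [_ts(f["ts"]) for f in fs if f["rule"] == "office_spawned_interpreter"]
        egress = [_ts(f["ts"]) for f in fs if f["rule"] == "nonbrowser_cloud_storage_egress"]
        if any(timedelta(0) <= n - o <= CORRELATION_WINDOW for o in office for n in egress):
            findings.append({"host": host, "rule": "office_to_cloud_c2_chain",
                             "severity": "high", "ts": max(f["ts"] for f in fs)})
    return findings


if __name__ == "__main__":
    for f in score_events(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:6} {f['severity']:6} {f['rule']}")
```

On the sample data only `ws-17` produces findings: the interpreter spawn and the PowerShell egress each fire on their own, and the chain rule escalates them; the browser session and the ordinary Outlook-to-Word launch on `ws-22` stay silent. The domain check deliberately matches subdomains, since real cloud-storage traffic rarely goes to the bare apex domain.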
