Advanced Persistent Threats

APT28 Deploys New PRISMEX Malware Targeting Ukraine and NATO Allies

Russia’s APT28 has unleashed PRISMEX, a sophisticated new malware suite, in spear-phishing attacks against Ukrainian defense and NATO supply chains. Using steganography, cloud abuse and fileless techniques, the campaign threatens critical logistics and operational planning.

Illustrative representation of the PRISMEX malware used by the APT28 group in cyberattacks

PRISMEX malware has surfaced as one of the most advanced tools in Russia’s cyber arsenal. Security researchers from Trend Micro have linked the modular suite directly to APT28, also known as Pawn Storm or Fancy Bear, in an active espionage campaign.

The threat actor is leveraging spear-phishing emails that deliver a malicious Excel dropper named PrismexSheet. This file uses VBA macros and steganography to hide and extract additional payloads, allowing initial access without triggering traditional antivirus alerts.

Strategic Targets Across Ukraine and NATO Partners

Attackers are focusing on high-value entities supporting Ukraine’s defense efforts and NATO logistics. Compromised sectors include central government bodies, hydrometeorology services, defense ministries and emergency response units in Ukraine.

International targets extend to rail logistics in Poland, maritime and transportation operators in Romania, Slovenia and Turkey, plus ammunition supply partners in Slovakia and the Czech Republic.

  • Ukraine central executive bodies and defense infrastructure
  • Polish rail logistics networks
  • Maritime and transport entities in Romania, Slovenia and Turkey
  • Logistics partners supplying ammunition to Ukraine in Slovakia and the Czech Republic
  • NATO military and operational planning units

How PRISMEX Malware Works

Once inside the network, PRISMEX establishes persistence through COM hijacking: it rewrites the InProcServer32 value of a COM class registration so that the component resolves to a malicious DLL named adwapi64.dll, which is then loaded whenever a legitimate process instantiates that class. The suite also abuses legitimate cloud services for command-and-control communication, so its traffic blends in with ordinary outbound connections and is hard to distinguish from normal use.
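One way a defender can hunt for this persistence mechanism is to audit exported CLSID\…\InProcServer32 registrations for the signs of a hijack: a per-user (HKEY_CURRENT_USER) registration that shadows a machine-wide CLSID, a server DLL sitting in a user-writable directory, or a DLL name on a watchlist. The script below is an added example written for this article, not code from Trend Micro or from the campaign's tooling; it parses a constructed .reg-style export embedded inline (the CLSIDs, user name and paths are made up), takes only the adwapi64.dll name from the article, and treats the list of user-writable directory markers as an assumption you should tune for your own environment.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a registry export in .reg format. The CLSIDs, the
# user name and the paths are invented for this demonstration.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\adwapi64.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InProcServer32]
@="C:\\Program Files\\Vendor\\component.dll"
"""

KEY_RE = re.compile(r"^\[(?P<hive>[A-Z_]+)\\(?P<path>.+)\]$")
CLSID_RE = re.compile(r"(?:^|\\)CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<value>.*)"$')

# DLL name reported in the article; extend with your own intelligence.
WATCHLIST_NAMES = {"adwapi64.dll"}
# Assumption: directory fragments a standard user can normally write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
MACHINE_HIVES = ("HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE")


@dataclass
class InProcEntry:
    hive: str
    clsid: str
    dll_path: str


@dataclass
class Finding:
    entry: InProcEntry
    reasons: list = field(default_factory=list)


def parse_reg_export(text):
    """Return one InProcEntry per CLSID\\...\\InProcServer32 default value in a .reg export."""
    entries = []
    current = None  # (hive, clsid) of the key currently being read, or None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            clsid = CLSID_RE.search(key.group("path"))
            current = (key.group("hive"), clsid.group(1).upper()) if clsid else None
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if value and current:
            # .reg files escape each backslash as two; collapse them back.
            dll = value.group("value").replace("\\\\", "\\")
            entries.append(InProcEntry(current[0], current[1], dll))
    return entries


def audit_inproc_servers(text):
    """Flag InProcServer32 registrations that look like COM hijacking."""
    entries = parse_reg_export(text)
    machine_clsids = {e.clsid for e in entries if e.hive in MACHINE_HIVES}
    findings = []
    for e in entries:
        reasons = []
        lower = e.dll_path.lower()
        # A per-user registration for a CLSID that also exists machine-wide is
        # the classic hijack: HKCU is consulted first, so it wins.
        if e.hive == "HKEY_CURRENT_USER" and e.clsid in machine_clsids:
            reasons.append("per-user InProcServer32 shadows a machine-wide CLSID")
        if any(marker in lower for marker in USER_WRITABLE_MARKERS):
            reasons.append("DLL path in a user-writable location")
        if lower.rsplit("\\", 1)[-1] in WATCHLIST_NAMES:
            reasons.append("DLL name on watchlist")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_inproc_servers(SAMPLE_REG_EXPORT):
        print(f"{f.entry.hive} {f.entry.clsid} -> {f.entry.dll_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live host you would feed the script the output of `reg export HKCU\Software\Classes\CLSID` and `reg export HKCR\CLSID` rather than the embedded sample; the shadowing rule only fires when both hives are present in the same export, so combine them before auditing. The Program Files entry in the sample is deliberately left unflagged to show that a per-user registration on its own is not evidence of a hijack.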

The malware includes a dropper, loader and a staging backdoor built on the open-source Covenant framework. Fileless execution and email-based backdoors further enhance its stealth and persistence.

Technical Components and Evasion Techniques

  • Steganography inside Excel documents to embed payloads
  • COM hijacking for automatic DLL loading
  • Cloud service abuse for covert C2 channels
  • Modular architecture based on Covenant C2 framework
  • Exploitation of recent vulnerabilities including CVE-2026-21509 and CVE-2026-21513

Critical Market Analysis: Impacts on Cybersecurity and Defense Supply Chains

This campaign exposes a dangerous reality for global businesses. Over-reliance on Microsoft Office macros and public cloud platforms in defense logistics creates exploitable weak points that nation-state actors are now weaponizing at scale.

Companies in transportation, manufacturing and critical infrastructure face rising insurance premiums and potential multimillion-dollar breach costs. The incident should accelerate adoption of zero-trust architectures, AI-powered endpoint detection and response platforms, and strict macro-blocking policies. Failure to invest now could translate into lost contracts, regulatory fines and eroded investor confidence in an already volatile geopolitical environment.

Organizations must treat supply-chain cyber risk as a board-level priority rather than an IT issue. The APT28 PRISMEX operation proves that even indirect partners to NATO operations are now primary targets.