APT28's PRISMEX Malware Targets Ukraine & NATO Supply Chains
Cyber Threat Intelligence is reporting a significant escalation in state-backed cyber operations with the emergence of PRISMEX malware, deployed by the Russian-linked APT28 group. This new campaign isn’t just about espionage; it’s a calculated move to disrupt critical infrastructure and logistics supporting Ukraine and NATO allies. The targets span Ukrainian government agencies, defense units, and emergency services, while also extending to the logistics and transportation sectors in Poland, Romania, Turkey, and other European nations. The primary objective appears to be weakening the supply chains vital for Ukraine’s defense efforts.
What’s particularly concerning is APT28’s use of zero-day exploits, specifically CVE-2026-21509 and CVE-2026-21513, which were exploited before patches were available. This indicates advanced reconnaissance capabilities and likely insider knowledge or sophisticated exploit acquisition. The attack chain begins with a malicious shortcut file, which triggers a secondary exploit designed to bypass security controls and execute the PRISMEX payload silently, without further user interaction. This two-stage approach allows for swift and covert initial compromise.
PRISMEX itself employs advanced evasion techniques to remain undetected. Cyber Threat Intelligence highlights its use of steganography to embed payloads within image files, executing them directly in memory rather than writing them to disk. This in-memory execution significantly hampers traditional file-based detection methods. Furthermore, the malware establishes persistence through COM hijacking and scheduled tasks, and utilizes legitimate cloud services for command-and-control (C2) communications, making C2 traffic harder to distinguish from normal network activity.
What This Means For You
- Given APT28's use of steganography to hide payloads within image files and execute them in memory, security teams must enhance their endpoint detection and response (EDR) capabilities to monitor for anomalous memory activity and process behavior, rather than solely relying on file-based signatures.
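As an added example that is not code from the original post or from Cyber Threat Intelligence, the following PowerShell hunt enumerates the two persistence mechanisms attributed to PRISMEX above: per-user COM registrations that shadow machine-wide CLSIDs, and scheduled-task actions launched from outside standard program directories. The trusted-directory allow-list is an assumption to tune per environment.

```powershell
# Added example, not code from the original post. Hunts for the two persistence
# mechanisms attributed to PRISMEX: COM hijacking and scheduled tasks.
# The trusted-directory allow-list is an assumption; tune it per environment.
$trustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                  $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Test-TrustedPath([string]$RawPath) {
    $p = [Environment]::ExpandEnvironmentVariables($RawPath).Trim('"').ToLowerInvariant()
    foreach ($root in $trustedRoots) { if ($p.StartsWith($root)) { return $true } }
    return $false   # bare names like "rundll32.exe" land here too and need triage
}

# COM hijacking: HKCU\Software\Classes\CLSID\{GUID}\InprocServer32 is resolved
# before the HKLM entry, so a per-user DLL path silently replaces a system COM server.
function Get-SuspiciousComHijack {
    $userRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }
    foreach ($key in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $inproc = "$userRoot\$clsid\InprocServer32"
        if (-not (Test-Path $inproc)) { continue }
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $shadowsHklm = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"
        # A per-user entry that overrides an HKLM CLSID, or points outside trusted
        # directories, is the hijack pattern; user-installed apps can match too, so triage.
        if ($shadowsHklm -or -not (Test-TrustedPath $dll)) {
            [PSCustomObject]@{ Clsid = $clsid; Dll = $dll; ShadowsHklm = $shadowsHklm }
        }
    }
}

# Scheduled tasks whose action launches from outside trusted directories.
function Get-SuspiciousTaskAction {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -and -not (Test-TrustedPath $action.Execute)) {
                [PSCustomObject]@{ Task = $task.TaskPath + $task.TaskName
                                   Execute = $action.Execute; Arguments = $action.Arguments }
            }
        }
    }
}

Get-SuspiciousComHijack  | Format-Table -AutoSize
Get-SuspiciousTaskAction | Format-Table -AutoSize
```

Run it per interactive user (HKCU is the current user's hive); hits in HKCU that shadow an existing HKLM CLSID are the highest-priority findings, since that is the precedence COM hijacking abuses.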