APT28 Launches PRISMEX Malware Campaign Targeting Ukraine and NATO Allies with Zero-Day Exploits

A new cyber espionage operation linked to Russia’s state-backed group APT28, also known as Forest Blizzard and Pawn Storm, has been uncovered targeting Ukraine and its allied nations. The campaign delivers a newly identified malware framework called PRISMEX through highly targeted spear-phishing attacks.

Security researchers from Trend Micro revealed that the campaign has been active since at least September 2025 and combines advanced techniques to evade detection and maintain long-term access.

Broad Targeting Across Strategic Sectors

The operation has focused on critical sectors across multiple countries. In Ukraine, targeted entities include government institutions, defense agencies, hydrometeorology services, and emergency response units.

Beyond Ukraine, the campaign has also affected:

  • Rail logistics operations in Poland
  • Maritime and transportation sectors in Romania, Slovenia, and Turkey
  • Ammunition supply chain partners in Slovakia and the Czech Republic
  • Military and NATO-affiliated organizations

This wide targeting scope suggests a strategic effort to disrupt operational planning and supply chains supporting Ukraine.

Rapid Exploitation of Newly Disclosed Vulnerabilities

A key characteristic of this campaign is the rapid weaponization of newly disclosed vulnerabilities, including CVE-2026-21509 and CVE-2026-21513.

Evidence indicates that attackers began preparing infrastructure for exploitation even before these vulnerabilities were publicly disclosed. In some cases, the group may have used these flaws as zero-days, demonstrating advanced intelligence capabilities.

Researchers believe the vulnerabilities were combined into a two-stage attack chain. The first flaw forces systems to retrieve a malicious shortcut file, which then leverages the second vulnerability to bypass security protections and execute malicious code without user interaction.

PRISMEX Malware Framework and Components

The campaign culminates in the deployment of either a data-stealing tool or a modular malware framework known as PRISMEX. This framework uses steganography to hide malicious payloads within image files, making detection significantly more difficult.

Key components of PRISMEX include:

  • PrismexSheet: A malicious Excel file containing macros that extract hidden payloads and display decoy documents related to drone inventories
  • PrismexDrop: A dropper that prepares the system for further exploitation and establishes persistence
  • PrismexLoader: A loader that retrieves hidden payloads from image files and executes them in memory
  • PrismexStager: A backdoor component that uses cloud storage services for command-and-control communication

The use of steganography allows attackers to conceal malicious code within seemingly harmless image files, reducing the likelihood of detection.
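The concealment described above is something a defender can check for at the mail gateway or during forensic triage of attachments and downloads. The following is an added example, not code from the article or from Trend Micro's report: a Python check that parses PNG chunks and JPEG marker segments and flags two common concealment patterns, payload bytes appended after the image terminator (PNG IEND / JPEG EOI) and non-standard PNG chunk types. The sample images are constructed inline. The article does not state which embedding method PRISMEX uses, so this heuristic is illustrative and not a PRISMEX signature; the function names (`inspect_png`, `inspect_jpeg`, `make_png`, `make_jpeg`) are the example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined in the PNG specification; anything else merits a closer look.
KNOWN_PNG_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def inspect_png(data):
    """Walk PNG chunks; report bad CRCs, non-standard chunks and data after IEND."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG"]
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            findings.append(f"truncated chunk {ctype!r}")
            return findings
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc_field)[0]:
            findings.append(f"bad CRC on chunk {ctype!r}")
        if ctype not in KNOWN_PNG_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        pos += 12 + length
        if ctype == b"IEND":
            trailing = len(data) - pos  # anything after IEND is not image data
            if trailing:
                findings.append(f"{trailing} bytes after IEND")
            return findings
    findings.append("no IEND chunk")
    return findings


def inspect_jpeg(data):
    """Walk JPEG marker segments to the EOI marker; report bytes appended after it."""
    if not data.startswith(b"\xff\xd8"):
        return ["not a JPEG"]
    findings = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return findings + [f"marker sync lost at offset {pos}"]
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: image ends here
            trailing = len(data) - (pos + 2)
            if trailing:
                findings.append(f"{trailing} bytes after EOI")
            return findings
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers (TEM, RSTn)
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:            # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    findings.append("no EOI marker")
    return findings


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png(extra_chunks=()):
    """Constructed 1x1 RGB PNG used as sample input (not a real-world file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    chunks = [_chunk(b"IHDR", ihdr)] + [_chunk(t, b) for t, b in extra_chunks]
    chunks += [_chunk(b"IDAT", idat), _chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)


def make_jpeg():
    """Constructed minimal JPEG structure (SOI, APP0, SOS, EOI) used as sample input."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56\x78"  # includes a stuffed 0xFF00 pair
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + entropy + b"\xff\xd9")


if __name__ == "__main__":
    print("clean PNG:", inspect_png(make_png()))
    print("PNG with appended blob:", inspect_png(make_png() + b"\x00" * 64))
    print("PNG with odd chunk:", inspect_png(make_png([(b"pYLd", b"A" * 100)])))
    print("JPEG with appended blob:", inspect_jpeg(make_jpeg() + b"X" * 10))
```

Trailing data after the terminator is only one embedding technique; LSB steganography inside the pixel data will pass this check, so treat a clean result as "nothing obvious", and pair the check with detonation of the macro document or sandboxing of the loader rather than relying on it alone.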

Abuse of Cloud Services for Command-and-Control

One of the notable techniques in this campaign is the misuse of legitimate cloud storage services for command-and-control operations. This approach helps attackers blend malicious traffic with normal network activity.

The PRISMEX framework leverages such platforms to maintain communication with infected systems while avoiding traditional security controls.

Use of Open-Source Tools and Destructive Capabilities

The campaign also incorporates the COVENANT framework, an open-source tool commonly used for command-and-control operations.

In some incidents, the deployed payload not only collected sensitive information but also executed destructive commands capable of deleting user data. This indicates that the campaign may serve dual purposes: espionage and sabotage.

Link to Previous Campaigns

Elements of this activity overlap with earlier operations tracked under the name Operation Neusploit, suggesting continuity and evolution in the threat actor’s tactics.

Additionally, components like MiniDoor and NotDoor, previously used by APT28, appear to have been expanded within this new framework.

Strategic Implications

Security experts believe this campaign reflects a shift toward targeting supply chains, logistics networks, and support systems that are critical to Ukraine’s defense operations.

The focus on weather services and humanitarian infrastructure further indicates an intent to disrupt not only military operations but also civilian support mechanisms.
