The Russian threat actor known as APT28, also called Forest Blizzard and Pawn Storm, has been linked to a spear-phishing campaign targeting Ukraine and NATO allies to deploy a previously undocumented malware suite named PRISMEX. According to Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara, PRISMEX combines advanced steganography, COM hijacking, and abuse of legitimate cloud services for its command-and-control.
The campaign is believed to have been active since at least September 2025, with targets across Ukraine's central executive bodies, hydrometeorology, defence, emergency services, and several European logistics and military partners. The attacks weaponise recent flaws such as CVE-2026-21509 and CVE-2026-21513, with infrastructure preparation observed on 12 January 2026, two weeks before the latter flaw was disclosed.
PRISMEX components include PrismexSheet, PrismexDrop, PrismexLoader, and PrismexStager, the last of which uses Filen[.]io as cloud-storage C2; the operation is described as an expansion of MiniDoor and NotDoor. Seen as potentially both espionage- and sabotage-oriented, the operation is said to mark a strategic shift toward disrupting supply chains and allied weather and humanitarian corridors.