TRENDAI attributes the activity to the APT28 group with high confidence, detailing a spear-phishing campaign against Ukraine and its allies that distributes a new PRISMEX malware suite. The campaign, active since September 2025, uses stealth techniques such as steganography and COM hijacking to target defence systems and aid infrastructure for long-running espionage, with PrismexDrop, PrismexLoader and PrismexStager enabling fileless execution and encrypted command-and-control via cloud services like Filen[.]io.
Victims are lured with emails about military training, weather alerts or weapon smuggling; opening the attached RTF triggers exploitation of CVE-2026-21509, followed by an LNK payload that may leverage CVE-2026-21513 to bypass browser protections.
The operation focuses on Ukraine’s defence supply chain and related logistics, extending to NATO-linked hubs in Poland, Romania and Slovakia, and is described as an evolution of the NotDoor lineage, combining Covenant-based stagers with a native dropper and loader for covert persistence. According to Trend Micro’s report, Prismex components use a Bit Plane Round Robin steganography method and rely on Filen[.]io for C&C to blend malicious traffic with legitimate encrypted traffic, complicating detection.