The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX.
“PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control,” Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara said in a technical report. The campaign is believed to be active since at least  September 2025.
The activity has targeted various sectors in Ukraine, including central executive bodies, hydrometeorology, defense, and emergency services, as well as rail logistics (Poland), maritime and transportation (Romania, Slovenia, Turkey), and logistical support partners involved in ammunition initiatives (Slovakia, Czech Republic), and military and NATO partners.
The campaign is notable for the rapid weaponization of newly disclosed flaws, such as CVE-2026-21509 and CVE-2026-21513, to breach targets of interest, with infrastructure preparation observed on January 12, 2026, exactly two weeks before the former was publicly disclosed.
In late February 2025, Akamai also disclosed that APT28 may have weaponized CVE-2026-21513 as a zero-day based on a Microsoft Shortcut (LNK) exploit that was uploaded to VirusTotal on January 30, 2026, well before the Windows maker pushed out a fix as part of its Patch Tuesday update on February 10, 2026.
This pattern of zero-day exploitation indicates that the threat actor had advanced knowledge of the vulnerabilities prior to them being revealed by Microsoft.
An interesting overlap between campaigns exploiting the two vulnerabilities is the domain “wellnesscaremed[.]com.” This commonality, combined with the timing of the two exploits, has raised the possibility that the threat actors are stringing together CVE-2026-21513 and CVE-2026-21509 into a sophisticated two-stage attack chain.
“The first vulnerability (CVE-2026-21509) forces the victim’s system to retrieve a malicious .LNKÂ file, which then exploits the second vulnerability (CVE-2026-21513) to bypass security features and execute payloads without user warnings,” Trend Micro theorized.
The attacks culminate in the deployment of either MiniDoor, an Outlook email stealer, or a collection of interconnected malware components collectively known as PRISMEX, so named for the use of a steganographic technique to conceal payloads within image files. These include –
- PrismexSheet, a malicious Excel dropper with VBA macros that extracts payloads embedded within the file using steganography, establishes persistence via COM hijacking, and displays a decoy document related to drone inventory lists and drone prices after macros are enabled.
- PrismexDrop, a native dropper that readies the environment for follow-on exploitation and uses scheduled tasks and COM DLL…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
