APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

The Russian state-sponsored hacking group APT28 is deploying a sophisticated new malware suite called PRISMEX to target Ukrainian government agencies, military infrastructure, and various NATO-aligned logistics partners.

Key Points

  • APT28, also known as Pawn Storm, has been running this campaign since September 2025, using spear-phishing to compromise defense, maritime, and rail logistics organizations.
  • The PRISMEX malware suite uses advanced steganography, COM hijacking, and cloud service abuse to maintain command-and-control communications.
  • Attackers are weaponizing zero-day vulnerabilities, including CVE-2026-21509 and CVE-2026-21513, to bypass security features and execute malicious payloads without user interaction.
  • The campaign features a two-stage attack chain that can deploy either the MiniDoor email stealer or destructive wiper commands to erase user files.
  • Infrastructure preparation for these attacks was observed as early as January 2026, weeks before the associated software vulnerabilities were publicly disclosed by Microsoft.
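
As a defender-side illustration of the COM hijacking technique listed above (an added example, not code from the article, from APT28 tooling or from any PRISMEX analysis): COM hijacking relies on the fact that a per-user CLSID registration under HKCU\Software\Classes is loaded in preference to the machine-wide one under HKLM, so a per-user InprocServer32 entry that shadows an HKLM registration with a different DLL, or that points at a DLL in a user-writable directory, deserves triage. The script below parses two constructed .reg exports (the GUIDs, user name and DLL names are invented for the sample) and reports such entries.

```python
import re

# A .reg export key header, e.g. [HKEY_CURRENT_USER\Software\Classes\CLSID\{...}\InprocServer32]
REG_KEY = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
# Subkey path of a COM in-process server registration; the GUID in braces is 36 characters
CLSID_INPROC = re.compile(
    r"^Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE
)
# The key's default value holds the server DLL path (plain REG_SZ form only; hex(2) values are skipped)
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')

# Path fragments that place a DLL where an unprivileged user can write
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_inproc_servers(reg_text):
    """Map CLSID -> server DLL path for every InprocServer32 key in a .reg export."""
    servers = {}
    current_clsid = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = REG_KEY.match(line)
        if key:
            sub = CLSID_INPROC.match(key.group(2))
            current_clsid = sub.group(1).upper() if sub else None
            continue
        if current_clsid:
            value = DEFAULT_VALUE.match(line)
            if value:
                # .reg files double every backslash; undo that to get the real path
                servers[current_clsid] = value.group(1).replace("\\\\", "\\")
    return servers


def find_com_hijack_candidates(hkcu_servers, hklm_servers):
    """Return (clsid, path, reasons) tuples for per-user registrations worth triage."""
    findings = []
    for clsid, path in hkcu_servers.items():
        reasons = []
        machine_path = hklm_servers.get(clsid)
        if machine_path is not None and machine_path.lower() != path.lower():
            reasons.append("HKCU entry shadows a different HKLM server")
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("server DLL in user-writable location")
        if reasons:
            findings.append((clsid, path, reasons))
    return findings


# Constructed sample exports (GUIDs, user name and DLL names are invented).
HKLM_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Apartment"
"""

HKCU_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\example.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""


def demo():
    """Run the check over the constructed exports and return the findings list."""
    return find_com_hijack_candidates(
        parse_inproc_servers(HKCU_EXPORT), parse_inproc_servers(HKLM_EXPORT)
    )


if __name__ == "__main__":
    for clsid, path, reasons in demo():
        print(f"{clsid} -> {path}: {'; '.join(reasons)}")
```

On a real host the two inputs come from `reg export HKCU\Software\Classes\CLSID hkcu.reg /y` and the HKLM equivalent; reg.exe writes UTF-16 files, so open them with `encoding="utf-16"`. The second sample CLSID is registered only per-user and points into Program Files, so it produces no finding; the first shadows a System32 DLL with one under AppData and is reported with both reasons.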

Why it Matters

This campaign highlights a strategic shift by Russian-aligned actors toward disrupting the supply chains and operational planning capabilities of Ukraine and its international allies. The use of zero-day exploits and destructive wiper malware suggests that these operations are evolving from simple espionage into more aggressive, high-impact sabotage efforts.
Published by The Hacker News (info@thehackernews.com)