APT28 Targets Ukraine and NATO Allies with New PRISMEX Malware
The Russian threat actor **APT28** (aka Forest Blizzard and Pawn Storm) is actively targeting Ukraine and its allies using a novel malware suite called **PRISMEX**. This campaign leverages advanced steganography and exploits recent vulnerabilities to compromise various sectors, indicating a strategic shift towards operational disruption.

**APT28** Linked to Spear-Phishing Campaign
**APT28**, a Russian state-sponsored group, has been linked to a new spear-phishing campaign targeting Ukraine and its allies. The campaign deploys a previously undocumented malware suite dubbed **PRISMEX**.
According to **Trend Micro** researchers Feike Hacquebord and Hiroyuki Kakara, "**PRISMEX** combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control." The campaign is believed to have been active since at least September 2025.
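COM hijacking works because per-user class registrations under HKCU\Software\Classes\CLSID are consulted before the machine-wide ones under HKLM, so a DLL in a user-writable directory can be registered as the in-process server for a CLSID that a trusted process loads. The script below is an added example written for this article, not Trend Micro's tooling or anything recovered from the PRISMEX samples: it parses a constructed `reg export` of the HKCU CLSID key and flags InprocServer32 entries that either shadow an HKLM registration or point into a user-writable path. The CLSIDs, DLL paths and user name in it are made up, and the HKLM CLSID set is likewise constructed.

```python
import re

# Constructed sample of what `reg export HKCU\Software\Classes\CLSID` emits.
# Every CLSID, path and user name below is made up for this example.
HKCU_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Legit Vendor Extension"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\ext.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\SplashScreen.dll"
"ThreadingModel"="Both"
"""

# Constructed: CLSIDs that also exist under HKLM\Software\Classes\CLSID on the
# same host. A per-user entry for one of these shadows the machine-wide server.
HKLM_CLSIDS = {"{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"}

# Path fragments an unprivileged user can write to (compared lower-cased).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

SECTION_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$"
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_inprocserver32(reg_text):
    """Map CLSID -> server DLL path for every HKCU InprocServer32 key in a .reg export."""
    servers = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        if line.startswith("["):          # any other key: stop attributing values
            current = None
            continue
        m = DEFAULT_RE.match(line)
        if current and m:
            # .reg files double every backslash inside string values
            servers[current] = m.group(1).replace("\\\\", "\\")
    return servers


def find_com_hijacks(reg_text, hklm_clsids):
    """Return findings for per-user COM servers that look like hijacks."""
    findings = []
    for clsid, dll in parse_inprocserver32(reg_text).items():
        reasons = []
        if clsid in hklm_clsids:
            reasons.append("shadows an HKLM registration (HKCU is searched first)")
        if any(frag in dll.lower() for frag in USER_WRITABLE):
            reasons.append("server DLL is in a user-writable location")
        if reasons:
            findings.append({"clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_com_hijacks(HKCU_EXPORT, HKLM_CLSIDS):
        print(hit["clsid"], hit["dll"], "; ".join(hit["reasons"]), sep="\n  ")
```

On a live host, feed it the output of `reg export HKCU\Software\Classes\CLSID hkcu_clsid.reg` (read with `encoding="utf-16"`, since `reg export` writes UTF-16) and a set of CLSIDs enumerated from HKLM\Software\Classes\CLSID. A hit is a lead rather than a verdict: legitimate per-user installs also register InprocServer32 keys under HKCU, so each flagged DLL still needs to be checked for signature, prevalence and the process that loads it.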
Targeted Sectors
The activity has targeted various sectors in Ukraine, including central executive bodies, hydrometeorology, defense, and emergency services. It has also affected rail logistics in Poland; the maritime and transportation sectors in Romania, Slovenia, and Turkey; logistical support partners involved in ammunition initiatives in Slovakia and the Czech Republic; and military and **NATO** partners.
Exploitation of Recent Vulnerabilities
The campaign is notable for its rapid weaponization of newly disclosed flaws, such as **CVE-2026-21509** and **CVE-2026-21513**, to breach targets of interest. Infrastructure preparation was observed on January 12, 2026, just two weeks before **CVE-2026-21509** was publicly disclosed.
In late February 2026, **Akamai** separately reported that **APT28** may have used **CVE-2026-21513** as a zero-day, citing a **Microsoft** Windows Shortcut (LNK) exploit uploaded to VirusTotal on January 30, 2026, before the patch was released on February 10, 2026.
This pattern suggests that the threat actor had prior knowledge of the vulnerabilities.
Two-Stage Attack Chain
An interesting overlap between campaigns exploiting the two vulnerabilities is the domain "wellnesscaremed[.]com." This commonality, combined with the timing of the two exploits, suggests that the threat actors are stringing together **CVE-2026-21513** and **CVE-2026-21509** into a sophisticated two-stage attack chain.
**Trend Micro** theorizes that "The first vulnerability (**CVE-2026-21509**) forces the victim's system to retrieve a malicious .LNK file, which then exploits the second vulnerability (**CVE-2026-21513**) to bypass security features and execute payloads without user warnings."
PRISMEX Malware Components
The attacks culminate in the deployment of either MiniDoor, an Outlook email stealer, or a collection of interconnected malware components collectively known as **PRISMEX**, named for its use of steganography. These include:
* **PrismexSheet**: A malicious Excel dropper with VBA macros that extracts payloads embedded within the file using steganography, establishes persistence via COM hijacking, and displays a decoy document related to drone inventory lists and drone prices after macros are enabled.
* **PrismexDrop**: A native dropper that readies the environment for follow-on exploitation and uses scheduled tasks and COM DLL hijacking for persistence.
* **PrismexLoader** (aka PixyNetLoader): A proxy DLL that reassembles the next-stage .NET payload from bits scattered across the file structure of a PNG image ("SplashScreen.png") using a bespoke "Bit Plane Round Robin" algorithm, then runs it entirely in memory.
* **PrismexStager**: A COVENANT Grunt implant that abuses Filen.io cloud storage for C2.
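To make the PrismexLoader step concrete: a bit-plane steganography loader reads one payload bit from each cover byte, cycling through a fixed set of bit planes, so no contiguous payload bytes ever exist in the image and a static scan of the PNG for a PE header or .NET metadata finds nothing until the loader reassembles the stage in memory. The script below is an added example written for this article, not PRISMEX code. The page does not describe the actual "Bit Plane Round Robin" ordering, so the plane sequence, the 4-byte length header and the cover bytes are assumptions of this example, and the payload is a constructed placeholder rather than a real .NET binary.

```python
import hashlib
import struct

# Assumed plane order for this example; the real PRISMEX ordering is not
# described in the article. Low planes keep the pixel change invisible.
PLANES = (0, 1, 2)

# Constructed cover: stands in for the decoded pixel bytes of SplashScreen.png.
COVER = bytes((i * 37 + 11) & 0xFF for i in range(4096))
# Constructed payload: an "MZ" magic followed by filler, not an executable.
PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for a .NET stage"


def embed(cover, payload, planes=PLANES):
    """Hide payload bits in cover bytes, one bit per byte, cycling through bit planes.

    A 4-byte big-endian length header goes first so the extractor knows where
    the payload ends; that header is the only 'file structure' the extractor needs.
    """
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(cover):
        raise ValueError("cover too small: %d bits needed, %d available"
                         % (len(data) * 8, len(cover)))
    out = bytearray(cover)
    for i in range(len(data) * 8):
        bit = (data[i // 8] >> (7 - i % 8)) & 1      # MSB-first within each byte
        plane = planes[i % len(planes)]               # round robin over planes
        out[i] = (out[i] & ~(1 << plane)) | (bit << plane)
    return bytes(out)


def extract(stego, planes=PLANES):
    """Reverse embed(): read the length header, then exactly that many payload bytes."""
    def read_bits(start_bit, nbytes):
        buf = bytearray(nbytes)
        for j in range(nbytes * 8):
            i = start_bit + j
            plane = planes[i % len(planes)]
            bit = (stego[i] >> plane) & 1
            buf[j // 8] |= bit << (7 - j % 8)
        return bytes(buf)

    length = struct.unpack(">I", read_bits(0, 4))[0]
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds cover size")
    return read_bits(32, length)


def demo():
    """Embed, extract, and report what a byte-level scanner of the cover would see."""
    stego = embed(COVER, PAYLOAD)
    recovered = extract(stego)
    return {
        "roundtrip_ok": recovered == PAYLOAD,
        "magic_visible_in_cover": b"MZ" in stego,   # contiguous magic never appears
        "bytes_changed": sum(a != b for a, b in zip(COVER, stego)),
        "sha256": hashlib.sha256(recovered).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point for defenders is the `magic_visible_in_cover` result: signature scanning of the image is the wrong place to look, while the loader DLL itself, its unusual read of a PNG, and the in-memory .NET assembly that follows are observable. Note that `extract` trusts the embedded length only after checking it against the cover size, which a real loader may not bother with.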
Operation Neusploit
Some aspects of the campaign were previously documented by **Zscaler** ThreatLabz under the moniker Operation Neusploit.
COVENANT Framework and Destructive Capabilities
**APT28**'s use of **COVENANT**, an open-source command-and-control (C2) framework, was first highlighted by the Computer Emergency Response Team of Ukraine (**CERT-UA**) in June 2025. PrismexStager is assessed to be an expansion of MiniDoor and of NotDoor (aka GONEPOSTAL), a **Microsoft** Outlook backdoor the group deployed in late 2025.
In at least one incident in October 2025, the **COVENANT** Grunt payload was found to not only facilitate information gathering but also run a destructive wiper command that erases all files under the "%USERPROFILE%" directory. This dual capability suggests these campaigns could be designed for both espionage and sabotage.
Strategic Implications
"This operation demonstrates that Pawn Storm remains one of the most aggressive Russia-aligned intrusion sets," **Trend Micro** said. "The targeting pattern reveals a strategic intent to compromise the supply chain and operational planning capabilities of Ukraine and its **NATO** partners."
"The strategic focus on targeting the supply chains, weather services, and humanitarian corridors supporting Ukraine represents a shift toward operational disruption that may presage more destructive activities."