{"id":232971,"date":"2026-04-08T09:50:00","date_gmt":"2026-04-08T13:50:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/08\/apt28-deploys-prismex-malware-in-campaign-targeting-ukraine-and-nato-allies\/"},"modified":"2026-04-09T15:25:09","modified_gmt":"2026-04-09T19:25:09","slug":"apt28-deploys-prismex-malware-in-campaign-targeting-ukraine-and-nato-allies","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/08\/apt28-deploys-prismex-malware-in-campaign-targeting-ukraine-and-nato-allies\/","title":{"rendered":"APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/apt28-deploys-prismex-malware-in.html\">APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/apt28-deploys-prismex-malware-in.html\">https:\/\/thehackernews.com\/2026\/04\/apt28-deploys-prismex-malware-in.html<\/a><\/p>\n<p>Publish Date: 2026-04-08 09:50:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Apr 08, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Cloud Security<\/span><\/p>\n<p>The Russian threat actor known as <strong>APT28<\/strong> (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed <strong>PRISMEX<\/strong>.<\/p>\n<p>&#8220;PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control,&#8221; Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara said in a technical report. 
The campaign is believed to have been active since at least September 2025.<\/p>\n<p>The activity has targeted various sectors in Ukraine, including central executive bodies, hydrometeorology, defense, and emergency services, as well as rail logistics (Poland), maritime and transportation (Romania, Slovenia, Turkey), logistical support partners involved in ammunition initiatives (Slovakia, Czech Republic), and military and NATO partners.<\/p>\n<p>The campaign is notable for the rapid weaponization of newly disclosed flaws, such as CVE-2026-21509 and CVE-2026-21513, to breach targets of interest, with infrastructure preparation observed on January 12, 2026, exactly two weeks before the former was publicly disclosed.<\/p>\n<p>In late February 2026, Akamai also disclosed that APT28 may have weaponized CVE-2026-21513 as a zero-day, based on a Microsoft Shortcut (LNK) exploit that was uploaded to VirusTotal on January 30, 2026, well before the Windows maker pushed out a fix as part of its Patch Tuesday update on February 10, 2026.<\/p>\n<p>This pattern of zero-day exploitation indicates that the threat actor had knowledge of the vulnerabilities before Microsoft revealed them.<\/p>\n<p>An interesting overlap between the campaigns exploiting the two vulnerabilities is the domain &#8220;wellnesscaremed[.]com.&#8221; This commonality, combined with the timing of the two exploits, has raised the possibility that the threat actors are stringing together CVE-2026-21513 and&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/apt28-deploys-prismex-malware-in.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies https:\/\/thehackernews.com\/2026\/04\/apt28-deploys-prismex-malware-in.html Publish Date: 
2026-04-08&#8230;<\/p>\n","protected":false},"author":1,"featured_media":232972,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhBiilqDko4PDmo2Iu-E-25PRzUJ2LygbHdv1RsdA31AkJBL9QB3AzdxV_4j-jo2Xf9wXwlienf17HO_uJyiue3JOWNfTFdln4gXJcounilzPxOsIXpN5g6imDW3ta0jt4Ck3UYinAmWwHZqfxYhjuaFnOIowTmZbNedv3AmS7Qlze1-tD2gkJBuUxTzSml\/s1600\/nato.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,31,32,25,34,27],"class_list":["post-232971","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-exploit","tag-malware","tag-phishing","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232971"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=232971"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232971\/revisions"}],"predecessor-version":[{"id":232973,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232971\/revisions\/232973"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/232972"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=232971"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=232971"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/in
dex.php\/wp-json\/wp\/v2\/tags?post=232971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}