Russian state-sponsored threat actor APT28 — also known as Fancy Bear, Forest Blizzard, and BlueDelta — has launched a sophisticated new espionage campaign deploying a previously undocumented malware suite codenamed PRISMEX. The campaign, tracked by Trend Micro and The Hacker News, targets Ukrainian defense organizations and Western NATO allies providing humanitarian and military aid infrastructure to Ukraine.
What Is PRISMEX?
PRISMEX is a modular, multi-stage malware framework that represents a significant evolution in APT28’s tradecraft. Security researchers describe it as combining three advanced techniques that, when used together, make detection and attribution considerably more difficult:
- Advanced steganography: PRISMEX conceals its command-and-control (C2) instructions and exfiltrated data within image files hosted on legitimate cloud platforms, making malicious traffic indistinguishable from normal web browsing at the network layer.
- COM hijacking: The malware leverages Component Object Model (COM) hijacking on Windows systems to achieve persistence and privilege escalation without writing new files to disk — a technique that evades many file-based detection mechanisms.
- Legitimate cloud service abuse: APT28 is routing C2 communications through trusted cloud storage and collaboration services, including major platforms widely used by the targeted organizations themselves, making network-level blocking impractical without significant operational disruption.
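The COM hijacking technique listed above leaves a registry trace that defenders can hunt for: a COM server registered under the per-user hive (HKCU\Software\Classes\CLSID, which Sysmon renders as HKU\<SID>\Software\Classes\CLSID) shadows the machine-wide HKLM registration when a non-elevated process instantiates that CLSID, and a TreatAs value redirects one CLSID to another. The following added example (not code from the page, from Trend Micro, or from the PRISMEX tooling) runs that check over a constructed batch of Sysmon Event ID 13 (registry value set) records. It assumes Sysmon's field names (UtcTime, Image, TargetObject, Details); every SID, CLSID and path in the sample is invented.

```python
import re

# Constructed sample of Sysmon Event ID 13 records, reduced to the fields the
# check needs. SIDs, CLSIDs, images and paths are made up for this example.
SAMPLE_EVENTS = [
    {   # vendor installer registering an in-process server under HKLM: expected
        "UtcTime": "2026-03-02 09:14:51.112",
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{0A1B2C3D-0000-4000-8000-000000000001}\\InprocServer32\\(Default)",
        "Details": "C:\\Program Files\\ExampleVendor\\vendor.dll",
    },
    {   # per-user override of a CLSID, pointing at a DLL inside the user's profile
        "UtcTime": "2026-03-02 09:31:07.884",
        "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\winword_update.exe",
        "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Classes\\CLSID\\{0A1B2C3D-0000-4000-8000-000000000002}\\InprocServer32\\(Default)",
        "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\shellext.dll",
    },
    {   # TreatAs redirection of one CLSID to another, written into the user hive
        "UtcTime": "2026-03-02 09:31:08.010",
        "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\winword_update.exe",
        "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Classes\\CLSID\\{0A1B2C3D-0000-4000-8000-000000000003}\\TreatAs\\(Default)",
        "Details": "{0A1B2C3D-0000-4000-8000-000000000002}",
    },
    {   # unrelated user-hive write (not a CLSID key): must be ignored
        "UtcTime": "2026-03-02 09:40:00.000",
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

# CLSID server keys in either the user hive (HKU\<SID> or HKCU) or HKLM.
CLSID_KEY_RE = re.compile(
    r"^(?P<hive>HKU\\[^\\]+|HKCU|HKLM)\\Software\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\\"
    r"(?P<subkey>InprocServer32|LocalServer32|TreatAs)\\",
    re.IGNORECASE,
)
# Directories an unprivileged user can normally write to.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|ProgramData|Temp|Public|Downloads)\\", re.IGNORECASE)


def analyze_registry_events(events):
    """Return a finding for every CLSID server registration that looks like a hijack."""
    findings = []
    for ev in events:
        m = CLSID_KEY_RE.match(ev["TargetObject"])
        if not m:
            continue  # not a COM server key at all
        reasons = []
        if m["hive"].upper() != "HKLM":
            reasons.append("per-user CLSID override (HKCU\\Software\\Classes is consulted before HKLM)")
        if m["subkey"].lower() == "treatas":
            reasons.append("TreatAs redirection to another CLSID")
        if USER_WRITABLE_RE.search(ev["Details"]):
            reasons.append("COM server path in a user-writable directory")
        if reasons:
            findings.append({
                "time": ev["UtcTime"], "image": ev["Image"],
                "clsid": m["clsid"].upper(), "subkey": m["subkey"],
                "value": ev["Details"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_registry_events(SAMPLE_EVENTS):
        print(f"{f['time']} {f['image']} -> {f['clsid']}\\{f['subkey']} = {f['value']}")
        for r in f["reasons"]:
            print("    -", r)
```

Two practical points when turning this into a detection rule: Sysmon only emits registry events for keys its configuration includes, so the CLSID paths above must be in the config, and some legitimately per-user installed software does register CLSIDs in the user hive, so the first finding type needs an allow-list built from a known-good baseline. Elevated (high-integrity) processes ignore per-user COM registrations, so the per-user signal matters most for the medium-integrity processes a phishing lure typically starts.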
Targets and Campaign Scope
The PRISMEX campaign appears to have been active since at least late February 2026, with the earliest confirmed intrusions dated to the final week of that month. Confirmed and suspected target sectors include:
- Ukrainian Ministry of Defence contractors and logistics providers
- NATO member-state defense ministries, particularly in Poland, the Czech Republic, and the Baltic states
- Western NGOs and humanitarian organizations operating aid corridors into Ukraine
- European defense industrial base companies involved in weapons and ammunition production
Initial access vectors identified so far include spear-phishing emails with lure documents themed around NATO logistics protocols, military procurement notices, and humanitarian aid coordination requests. The sophistication of the lures suggests detailed reconnaissance of the targeted organizations was conducted beforehand.
Technical Indicators and Attribution
Trend Micro’s Pawn Storm tracking team, which has monitored APT28 continuously for over a decade, attributes the PRISMEX campaign with high confidence based on:
- Overlapping infrastructure with previously documented APT28 C2 nodes
- Code-level similarities with older APT28 tools, including X-Agent and Sofacy derivatives
- Victimology consistent with APT28’s long-running focus on Ukraine and NATO eastern flank nations
- Operational security patterns (working hours, language artifacts) consistent with Moscow Standard Time operations
APT28’s Parallel Router Hijacking Campaign
Concurrently with the PRISMEX campaign, APT28 has been conducting a separate operation targeting Small Office/Home Office (SOHO) routers. The group modifies DNS settings on compromised routers to redirect traffic through attacker-controlled servers, enabling passive interception of unencrypted communications and credential harvesting. This campaign appears designed to create a persistent, distributed surveillance network that complements the targeted PRISMEX intrusions.
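A router whose DNS settings have been changed will hand clients a resolver that answers differently from a trusted one. The following added example (not from the page, Trend Micro, or any router vendor) implements a minimal DNS A-record query on the standard library so the same canary name can be sent to the router-assigned resolver and to a trusted resolver, and the two answer sets compared. Overlapping answers are treated as consistent, because CDN-fronted names legitimately return different addresses per query; a canary under your own organization's domain avoids that noise. The two captured replies are constructed for offline use, and every address in them is from documentation ranges.

```python
import secrets
import socket
import struct


def build_query(name, txid):
    """Build a minimal RD=1 A/IN query for `name` (no EDNS, single question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # bounded so a crafted pointer loop cannot hang the parser
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    else:
        raise ValueError("malformed name")
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg, expected_txid=None):
    """Return (rcode, sorted list of A-record IPs) from a DNS response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (reply not for our query)")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, sorted(ips)


def classify(via_router, via_trusted):
    """Overlap counts as consistent; disjoint answer sets are the tampering signal."""
    if not via_router:
        return "NO_ANSWER_FROM_ROUTER"
    if set(via_router) & set(via_trusted):
        return "CONSISTENT"
    return "DIVERGENT"


def resolve_a(name, server, timeout=2.0):
    """Live UDP query to `server` on port 53 with a random transaction id."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


# Constructed replies for offline use: a normal answer and a redirected one.
GOOD_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
              + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("198.51.100.7")
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("198.51.100.8"))
HIJACKED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                  + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("203.0.113.66"))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: script.py <canary-name> <router-dns-ip> <trusted-dns-ip>
        canary, router_dns, trusted_dns = sys.argv[1:4]
        _, via_router = resolve_a(canary, router_dns)
        _, via_trusted = resolve_a(canary, trusted_dns)
    else:  # offline demonstration on the constructed replies
        via_router, via_trusted = parse_a_records(HIJACKED_REPLY)[1], parse_a_records(GOOD_REPLY)[1]
    print(classify(via_router, via_trusted), via_router, via_trusted)
```

Run it from a remote-work endpoint with the resolver the router handed out via DHCP and a resolver the organization controls; a DIVERGENT or NO_ANSWER result for a name that should be stable is worth a ticket, and a reply whose transaction id does not match is discarded rather than trusted.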
Defensive Recommendations
Organizations in the defense, government, and NGO sectors — particularly those with any connection to Ukraine-related operations — should take immediate action:
- Conduct a threat hunt for PRISMEX indicators of compromise (IoCs) published by Trend Micro and The Hacker News
- Enable enhanced logging for COM object instantiation and registry modifications associated with COM hijacking
- Review egress traffic to cloud storage platforms for anomalous data volumes or unexpected API call patterns
- Audit SOHO router configurations for unauthorized DNS server changes in both corporate and remote-work environments
- Brief staff on the specific phishing lure themes identified in this campaign: NATO logistics, procurement, and humanitarian aid documents
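Because the campaign moves stolen data inside image uploads to cloud services the targeted organizations already use, blocking the destinations is not an option, and the egress review recommended above has to work on volume and direction instead. The following added example (not from the page, Trend Micro, or The Hacker News) runs that review over a constructed proxy log excerpt: it sums upload and download bytes per host to a set of cloud storage domains, scores each host's upload volume against the fleet with a median/MAD robust z-score, and separately flags hosts whose uploads dwarf their downloads. The log format, host names, domain names and byte counts are all invented for the example.

```python
import statistics
from collections import defaultdict

# Constructed proxy log excerpt, one request per line. Hosts, destinations and
# byte counts are invented; WS-021 is the planted upload-heavy outlier.
SAMPLE_PROXY_LOG = """\
2026-03-03T08:02:11Z host=WS-011 dst=storage.cloud-example.invalid method=GET bytes_out=1200000 bytes_in=5400000
2026-03-03T08:05:40Z host=WS-011 dst=storage.cloud-example.invalid method=PUT bytes_out=2000000 bytes_in=40000
2026-03-03T08:11:02Z host=WS-012 dst=drive.cloud-example.invalid method=GET bytes_out=2700000 bytes_in=8000000
2026-03-03T08:12:30Z host=WS-013 dst=storage.cloud-example.invalid method=GET bytes_out=1100000 bytes_in=6100000
2026-03-03T08:19:45Z host=WS-013 dst=storage.cloud-example.invalid method=PUT bytes_out=3000000 bytes_in=50000
2026-03-03T08:20:13Z host=WS-014 dst=drive.cloud-example.invalid method=GET bytes_out=600000 bytes_in=9000000
2026-03-03T08:24:58Z host=WS-014 dst=drive.cloud-example.invalid method=PUT bytes_out=3000000 bytes_in=30000
2026-03-03T08:30:01Z host=WS-015 dst=storage.cloud-example.invalid method=GET bytes_out=2900000 bytes_in=7500000
2026-03-03T08:33:19Z host=WS-021 dst=intranet.corp-example.invalid method=PUT bytes_out=50000000 bytes_in=1000
2026-03-03T08:41:27Z host=WS-021 dst=storage.cloud-example.invalid method=PUT bytes_out=400000000 bytes_in=300000
2026-03-03T09:02:54Z host=WS-021 dst=storage.cloud-example.invalid method=PUT bytes_out=412000000 bytes_in=280000
"""

# Cloud storage destinations in scope for the review (invented names).
CLOUD_STORAGE_DOMAINS = {"storage.cloud-example.invalid", "drive.cloud-example.invalid"}


def parse_proxy_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with integer byte counts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = ts
        rec["bytes_out"] = int(rec["bytes_out"])
        rec["bytes_in"] = int(rec["bytes_in"])
        records.append(rec)
    return records


def per_host_cloud_totals(records, domains=CLOUD_STORAGE_DOMAINS):
    """Aggregate bytes and upload requests per host, restricted to cloud storage destinations."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "uploads": 0})
    for r in records:
        if r["dst"] not in domains:
            continue  # intranet and other traffic is out of scope here
        t = totals[r["host"]]
        t["bytes_out"] += r["bytes_out"]
        t["bytes_in"] += r["bytes_in"]
        if r["method"] in ("PUT", "POST"):
            t["uploads"] += 1
    return dict(totals)


def robust_zscores(values):
    """Median/MAD z-scores: a single huge host cannot drag the baseline up as with mean/stdev."""
    med = statistics.median(values.values())
    mad = statistics.median(abs(v - med) for v in values.values())
    if mad == 0:
        return {k: 0.0 for k in values}
    return {k: 0.6745 * (v - med) / mad for k, v in values.items()}


def find_exfil_candidates(text, z_threshold=3.5, ratio_threshold=5.0, min_bytes=1_000_000):
    """Flag hosts whose cloud uploads are outliers by volume or lopsided by direction."""
    totals = per_host_cloud_totals(parse_proxy_log(text))
    z = robust_zscores({h: t["bytes_out"] for h, t in totals.items()})
    findings = {}
    for host, t in totals.items():
        reasons = []
        if z[host] > z_threshold:
            reasons.append(f"upload volume outlier across fleet (robust z={z[host]:.1f})")
        if t["bytes_out"] >= min_bytes and t["bytes_out"] > ratio_threshold * t["bytes_in"]:
            reasons.append(f"upload-heavy: bytes out exceed bytes in by more than {ratio_threshold:g}x")
        if reasons:
            findings[host] = {**t, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, info in find_exfil_candidates(SAMPLE_PROXY_LOG).items():
        print(host, info["bytes_out"], "bytes out,", info["bytes_in"], "bytes in")
        for r in info["reasons"]:
            print("    -", r)
```

The fleet-wide z-score catches a host that is unusual today; in production, pair it with each host's own history (the same statistic over the last few weeks of that host's totals), since a site where several machines are compromised at once will raise the fleet median and blunt the cross-host comparison.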
APT28’s continued operational tempo and rapid tooling evolution underscore that the group remains one of the most capable and persistent adversaries in the global threat landscape. PRISMEX represents a new chapter in their campaign against Western support for Ukraine.