APT28 — the Russian military intelligence (GRU) threat actor also tracked as Forest Blizzard and Pawn Storm — has been linked to a fresh targeted spear-phishing campaign deploying a previously undocumented malware suite codenamed PRISMEX. The campaign focuses on government agencies, defence contractors, and military organizations across Ukraine and NATO member states.
PRISMEX: What Makes It Different
PRISMEX represents a notable leap in APT28's offensive tooling, combining several advanced techniques into a single, modular framework:
Advanced Steganography
PRISMEX conceals its malicious payload within ordinary-looking document files and image attachments distributed via spear-phishing emails. Specifically, researchers note that the malware embeds encoded shellcode inside JPEG metadata fields and Office document thumbnails — file types that are rarely scrutinized by email security gateways or endpoint detection tools.
The steganographic layer serves a dual purpose: it allows PRISMEX to bypass signature-based detection at the email perimeter, and it makes post-incident forensic analysis significantly harder since the "dropper" file appears legitimate to casual inspection.
COM Object Hijacking for Persistence
Once the initial payload executes on the target system, PRISMEX establishes persistence through Component Object Model (COM) hijacking — a well-known but consistently effective Windows persistence mechanism. By registering a malicious COM object under a user-writable registry key that is loaded by a legitimate Windows application, PRISMEX survives reboots and evades many host-based detection tools that focus on more common persistence mechanisms such as run keys and scheduled tasks.
This technique has particular advantages in enterprise environments where COM invocations are routine and difficult to baseline, and where defenders may not have COM registry monitoring in place.
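One way to hunt for the per-user COM shadowing described above (the same check the detection table's COM monitoring row calls for), as an added example that is not part of the original report or the researchers' tooling: compare HKCU and HKLM InprocServer32 snapshots and flag user-hive entries that shadow a machine-wide class or load a DLL from outside the usual system directories. The snapshots, CLSIDs, paths and trusted-directory list are constructed assumptions; on a live host the snapshots would be collected with winreg.

```python
"""Hunt for user-level COM InprocServer32 entries that look hijacked.

Added example, not from the original report. Windows resolves a CLSID
through HKCU\Software\Classes before HKLM, so a per-user InprocServer32
entry for a class that also exists machine-wide silently replaces the
real server. This flags that pattern, plus servers in user-writable
locations. The snapshots below are constructed sample data.
"""
import ntpath

# Directories an in-process server normally lives in (assumption, tune per estate).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample snapshots: CLSID -> InprocServer32 (Default) value.
HKLM_CLSIDS = {
    "{11111111-AAAA-BBBB-CCCC-DDDDDDDDDDDD}": "C:\\Windows\\System32\\legit.dll",
    "{22222222-AAAA-BBBB-CCCC-DDDDDDDDDDDD}": "C:\\Windows\\System32\\other.dll",
}
HKCU_CLSIDS = {
    # Shadows an HKLM class and points into the user profile: hijack pattern.
    "{11111111-AAAA-BBBB-CCCC-DDDDDDDDDDDD}": "C:\\Users\\alice\\AppData\\Roaming\\x\\p.dll",
    # Per-user registration of a vendor class that is not registered machine-wide.
    "{33333333-AAAA-BBBB-CCCC-DDDDDDDDDDDD}": "C:\\Program Files\\Vendor\\tool.dll",
}

def find_com_hijacks(hkcu: dict, hklm: dict) -> list:
    """Return (clsid, server_path, reasons) for every suspicious HKCU entry."""
    findings = []
    for clsid, path in hkcu.items():
        reasons = []
        if clsid in hklm:
            reasons.append("shadows HKLM server %s" % hklm[clsid])
        normalized = ntpath.normpath(path).lower()
        if not normalized.startswith(TRUSTED_PREFIXES):
            reasons.append("server outside trusted directories")
        if reasons:
            findings.append((clsid, path, reasons))
    return findings

if __name__ == "__main__":
    for clsid, path, reasons in find_com_hijacks(HKCU_CLSIDS, HKLM_CLSIDS):
        print(clsid, path, "; ".join(reasons))
```

Entries that shadow a class present under HKLM are the strongest signal; a server outside the trusted directories on its own warrants a look but is not proof of compromise.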
Multi-Stage Loader Architecture
PRISMEX follows a multi-stage architecture common to sophisticated nation-state toolkits:
| Stage | Component | Purpose |
|---|---|---|
| Stage 1 | Document dropper | Steganographically concealed initial shellcode |
| Stage 2 | Loader DLL | Decodes and injects Stage 3, establishes COM persistence |
| Stage 3 | PRISMEX core | C2 communication, credential harvesting, lateral movement |
This modular design means that even if one stage is detected and removed, the remaining components may continue to operate, and the attacker can redeploy individual stages without full re-compromise.
Campaign Targeting
The campaign specifically targets entities that represent strategic intelligence priorities for Russian military operations:
- Ukrainian government ministries and defence agencies
- NATO member state foreign affairs and defence departments
- Defence industrial base organizations supplying Ukraine or conducting R&D for NATO capabilities
- Think tanks and policy organizations advising on Eastern European security
Initial access is achieved through highly targeted spear-phishing emails that reference credible geopolitical topics — including fabricated diplomatic correspondence, military aid documents, and NATO exercise briefings — crafted to compel recipients to open attached documents or click embedded links.
APT28 Attribution
APT28 (also known as Fancy Bear, STRONTIUM, and Sednit) is one of Russia's most active and well-documented cyber espionage groups, assessed by multiple intelligence agencies as operating under the direction of GRU Military Unit 26165. The group has been linked to a long history of high-profile intrusions including:
- The 2016 Democratic National Committee breach
- The hack of the World Anti-Doping Agency (WADA)
- The 2017 French presidential election infrastructure attack
- Ongoing campaigns against Ukrainian critical infrastructure since 2022
PRISMEX expands APT28's known malware ecosystem, which already includes X-Agent, Sofacy, Komplex, and Zebrocy.
Indicators of Compromise
Researchers have shared the following PRISMEX indicators:
```text
# Suspicious COM registry persistence locations
HKCU\Software\Classes\CLSID\{<PRISMEX-CLSID>}\InprocServer32

# Known PRISMEX C2 beacon patterns
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1) [spoofed IE header]
C2 beacon interval: 60–300 seconds with jitter

# File characteristics (initial dropper)
- .docx or .pdf with oversized EXIF/metadata fields
- thumbnail streams containing non-image binary data
- JPEG files more than 20% larger than expected for their resolution

# Registry artifacts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries referencing wscript.exe or rundll32.exe
```
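A triage check for the oversized-metadata file characteristic listed above and the JPEG metadata steganography described earlier, as an added example that is not part of the original report or the researchers' tooling: walk the JPEG marker segments up to Start-of-Scan, measure every APPn/COM segment, and flag any that is oversized or a file that is mostly metadata rather than image data. The sample image bytes and the thresholds are constructed assumptions.

```python
"""Walk JPEG marker segments and flag anomalous metadata (added example).

Metadata lives in APPn (0xFFE0-0xFFEF) and COM (0xFFFE) segments that precede
the Start-of-Scan marker, so a marker walk can report every segment's size
and the share of the file that is metadata rather than image data.
Thresholds and the sample image are constructed assumptions.
"""
import struct

SOS = 0xDA

def jpeg_segments(data: bytes) -> list:
    """Return [(marker, payload)] for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segs, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts itself
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:  # entropy-coded scan follows; stop walking
            break
    return segs

def metadata_report(data: bytes, max_segment=32 * 1024, max_share=0.25) -> dict:
    """Size up APPn/COM segments; flag oversized ones or a high metadata share."""
    meta = [(m, len(p)) for m, p in jpeg_segments(data)
            if 0xE0 <= m <= 0xEF or m == 0xFE]
    meta_bytes = sum(n for _, n in meta)
    share = meta_bytes / len(data)
    flags = ["segment 0xFF%02X carries %d bytes" % (m, n)
             for m, n in meta if n > max_segment]
    if share > max_share:
        flags.append("metadata is %.0f%% of the file" % (share * 100))
    return {"metadata_bytes": meta_bytes, "metadata_share": share, "flags": flags}

def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; the 2-byte length field counts itself."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a tiny "image" whose EXIF segment dwarfs the scan data.
SAMPLE_JPEG = (b"\xff\xd8"
               + _seg(0xE0, b"JFIF\x00\x01\x01")
               + _seg(0xE1, b"Exif\x00\x00" + b"\x90" * 600)
               + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\x34" * 20 + b"\xff\xd9")
```

Real EXIF blocks with embedded thumbnails can legitimately reach tens of kilobytes, so the segment threshold should be set from a baseline of the organization's own traffic rather than the low value used here for the sample.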
Detection and Mitigation
| Defensive Action | Detail |
|---|---|
| Email filtering | Block or heavily scrutinize Office documents with macros from external senders; scan JPEG/image attachments with content analysis tools |
| COM monitoring | Monitor HKCU COM registry modifications — user-writable COM keys are rarely modified legitimately |
| UEBA / behavioral detection | Flag unusual process chains involving wscript.exe, rundll32.exe, or mshta.exe spawned from Office applications |
| Endpoint hardening | Apply Attack Surface Reduction (ASR) rules blocking Office from creating child processes |
| Network detection | Monitor for C2 beaconing patterns — regular, low-volume outbound connections to newly registered domains |
| Credential hygiene | Assume credentials on targeted systems may be harvested; enforce MFA across all remote access |
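The network detection row above, and the 60-300 second jittered beacon interval listed in the indicators, describe a pattern that can be scored from ordinary outbound connection logs. As an added example that is not part of the original report or the researchers' tooling, the script below groups connections per source/destination pair, measures the gaps between them, and flags pairs whose gaps cluster tightly inside that window with small payloads. The log format, sample lines, addresses and thresholds are constructed assumptions.

```python
"""Flag C2-style beaconing in outbound connection logs (added example).

Per (source, destination) pair, compute the gaps between successive
connections and flag pairs whose median gap sits in the 60-300 s window,
whose gaps cluster tightly (jitter rather than human browsing) and whose
payloads are small. Log lines and thresholds are constructed assumptions.
"""
import statistics
from collections import defaultdict

# Constructed sample: epoch_seconds,src_ip,dst_ip,bytes_out
SAMPLE_LOG = """\
1700000000,10.0.0.5,203.0.113.7,412
1700000012,10.0.0.5,198.51.100.20,91200
1700000130,10.0.0.5,203.0.113.7,398
1700000250,10.0.0.5,203.0.113.7,420
1700000251,10.0.0.5,198.51.100.20,2200
1700000400,10.0.0.5,203.0.113.7,405
1700000520,10.0.0.5,203.0.113.7,411
1700000660,10.0.0.5,203.0.113.7,399
1700000900,10.0.0.5,198.51.100.20,67000
"""

def parse_log(text: str) -> dict:
    """Group (timestamp, bytes) per (src, dst) pair, sorted by time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows[(src, dst)].append((int(ts), int(nbytes)))
    return {k: sorted(v) for k, v in flows.items()}

def find_beacons(flows: dict, lo=60, hi=300, max_cv=0.3,
                 max_bytes=2048, min_hits=4) -> list:
    """Return (src, dst, median_gap, cv) for pairs that look like beaconing."""
    hits = []
    for (src, dst), events in flows.items():
        if len(events) < min_hits:
            continue
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean_gap  # relative jitter
        median_gap = statistics.median(gaps)
        small = statistics.mean(n for _, n in events) <= max_bytes
        if lo <= median_gap <= hi and cv <= max_cv and small:
            hits.append((src, dst, median_gap, round(cv, 3)))
    return hits
```

The coefficient of variation is what separates jittered beaconing (a narrow spread around a fixed interval) from interactive traffic, whose gaps are far more dispersed; the 0.3 cut-off is a starting point to tune against a baseline.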
Organizations in government, defence, and critical infrastructure sectors operating within or closely aligned to NATO should treat PRISMEX as an active threat and conduct targeted threat hunts based on the published indicators.
Broader Geopolitical Context
This campaign aligns with a sustained pattern of Russian cyber operations aimed at gathering strategic intelligence on Western military support for Ukraine and NATO's posture along its eastern flank. As the conflict in Ukraine continues to shape European security policy, GRU-linked threat actors including APT28 are expected to intensify their intelligence-gathering activities against precisely the type of organizations targeted in this campaign.
Source: The Hacker News — APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies