APT28 Unleashes PRISMEX Malware in Coordinated Cyber Offensive Against Ukraine and NATO Supply Chains
A stealthy malware framework, zero-day exploitation, and supply chain targeting signal a dangerous evolution in state-backed cyber warfare

A New Phase in Cyber Warfare
The Russian state-linked group APT28 has intensified its cyber operations by deploying a new malware suite called PRISMEX. This campaign goes beyond espionage and focuses on disrupting critical operations across Ukraine and NATO-aligned countries.
The attackers targeted government agencies, defense units, and emergency services in Ukraine. At the same time, they expanded their reach to logistics and transportation sectors across Poland, Romania, Turkey, and other European regions. Taken together, this targeting shows that the campaign aims to weaken the supply chains that support Ukraine’s operations.
Zero-Day Exploits Used with Precision
APT28 used newly discovered vulnerabilities, including CVE-2026-21509 and CVE-2026-21513, before vendors released patches. This early exploitation shows that the attackers had prior knowledge of these flaws.
The attack chain works in two stages. First, a malicious shortcut file reaches the victim system. Then it triggers a second exploit that bypasses security controls and runs the payload with no warning to the user. This approach allows attackers to move quickly and silently.
How PRISMEX Evades Detection
PRISMEX uses advanced techniques to stay hidden. Instead of delivering obviously malicious files, it hides payloads inside image files using steganography. The malware extracts and runs these payloads directly in memory, which leaves few artifacts on disk and makes detection difficult.
It also maintains persistence through COM hijacking and scheduled tasks. Additionally, it uses legitimate cloud services for command-and-control communication. Because of this, security tools often struggle to distinguish between normal and malicious activity.
From Espionage to Destruction
This campaign does more than collect intelligence. Some payloads steal emails and sensitive data, while others can destroy systems.
In one observed case, the malware erased files from the user’s system. This shows that APT28 can switch from surveillance to disruption at any time. Therefore, the campaign presents both intelligence and operational risks.
Why This Campaign Matters Globally
APT28 has shifted its focus from isolated targets to entire ecosystems. By attacking logistics, weather systems, and supply networks, the group can disrupt real-world operations without direct confrontation.
For organizations in the UAE and GCC, this is a critical warning. Many businesses depend on global logistics and digital infrastructure. If attackers target supply chains, the impact can spread quickly across regions.
What Organizations Should Do Next
Organizations must strengthen their defenses against stealthy attacks. They should prioritize patch management, monitor for unusual system behavior, and improve visibility across their supply chains.
Additionally, security teams should focus on detecting in-memory attacks and suspicious use of legitimate services. A proactive approach will help reduce exposure to advanced threat actors like APT28.