Security researchers have identified a spear-phishing campaign linked to the group known as APT28 (also referred to as Pawn Storm or Forest Blizzard) that uses a previously undocumented malware suite analysts have named PRISMEX. The operation, reported to have been active since at least September 2025, combines unusual techniques, such as advanced steganography to hide code inside images, with subversion of Windows persistence mechanisms and abuse of legitimate cloud services for remote control.
According to the technical work shared by the incident response community, PRISMEX is not a single binary but an orchestrated set of components that work as a chain. The attackers begin the intrusion with targeted emails that lure the victim into opening manipulated documents or shortcuts (.LNK). From there, the operation relies on zero-day vulnerabilities and in-memory execution techniques to avoid traditional alerts and signatures, and ends up deploying both espionage tools and implants with destructive capability.

One of the features that has drawn the attention of response teams is the speed with which APT28 launched exploits against two newly discovered vulnerabilities, tracked as CVE-2026-21509 and CVE-2026-21513. The preparatory infrastructure for one of these attacks appeared on January 12, 2026, exactly two weeks before the first vulnerability was publicly disclosed, suggesting prior access to information about the flaws or the group's own analysis of them. Parallel investigations further indicated that an exploit based on a Windows shortcut (.LNK) was uploaded to public repositories such as VirusTotal in late January 2026, before Microsoft released its patch in the February 2026 update cycle, which reinforces the hypothesis that the actor was operating a zero-day.
That timing pattern and certain overlaps in infrastructure (for example the domain wellnesscaremed[.]com, tied to campaigns that exploit both vulnerabilities) have led analysts to propose a two-stage attack model: the first flaw forces the victim system to download a malicious .LNK, and that shortcut exploits the second vulnerability to bypass protection mechanisms and execute payloads without notifying the user. For details on patch notices and vulnerability tracking, see the public CVE database and vendors' security guides, where available patches and mitigations are documented (Microsoft Security Update Guide).
As for the download and execution of payloads, PRISMEX uses a mix of artifacts: Excel documents with macros that extract hidden binaries using steganographic techniques; native droppers that prepare the environment and establish persistence through scheduled tasks and COM DLL hijacking; and a loader that rebuilds a .NET payload fragmented within the structure of a PNG image using a proprietary algorithm described by researchers as "Bit Planet Round Robin," running it in memory to reduce its disk footprint. A specific module acts as a stager and abuses a cloud storage service for command and control communications, which hinders detection by blending in with legitimate traffic.
The names appearing in the analysis (PrismexSheet for the Excel-based dropper, PrismexDrop for the native installer, PrismexLoader, or PixyNetLoader, for the in-memory extractor, and PrismexStager for the component that connects to the cloud-hosted C2) are how researchers distinguish the pieces of this chain. The decoy documents usually contain apparently harmless content (analysts have seen decoys related to inventories and drone prices) that persuades the user to enable macros and trigger the loading phase.
Another relevant element of the campaign is the use of the open source framework Covenant as the basis for some command and control payloads. CERT-UA had already noted in 2025 the use of this tool family by Russia-aligned actors, and subsequent reports have documented how variants of the agent (known as a "grunt" in certain ecosystems) were modified to integrate collection functions and, in at least one incident observed in October 2025, to execute commands that delete files under the user's directory, which is wiper-like behavior. That double vector, espionage plus sabotage capability, is one of the reasons cyber-defense leaders are calling attention to this actor.
The geography of the targets confirms a strategic pattern: in addition to multiple Ukrainian state agencies (including central executive bodies, meteorological services, defence and emergency services), the campaign reached actors in partner countries, with reported impacts on railway logistics in Poland, maritime transport in Romania and Slovenia, operators in Turkey, and logistical support tied to municipal initiatives in Slovakia and the Czech Republic. The apparent objective is not limited to information theft; it appears aimed at compromising supply chains, operational capabilities and humanitarian routes that support efforts on the ground.
Some parts of this operation had already been described by other threat research labs; for example, Zscaler documented aspects of the activity under the name Operation Neusploit, and various response teams have been tracking the evolution of the tools and infrastructure used. Public analyses and intelligence databases recommend paying special attention to indicators such as the appearance of suspicious .LNK files, Office documents with macros that extract hidden resources, unusual download patterns from seemingly benign domains, and communications with cloud storage services that do not fit the user's normal activity.

For security teams that manage critical infrastructure and for organizations linked to logistics and defence chains, the lessons are clear: patch known vulnerabilities quickly, deploy controls that block the execution of .LNK files and unauthorized macros, monitor COM usage and DLL loads from unusual paths, and apply telemetry focused on detecting steganography and in-memory execution. In addition, it is essential to segment access to cloud services and enable detections that identify covert exfiltration patterns to external repositories.
In short, the appearance of PRISMEX and the speed with which APT28 has integrated newly discovered flaws into attack chains show that advanced groups continue to refine their ability to operate silently and with a dual purpose: to extract intelligence and, where appropriate, to cause operational damage. The combination of new techniques and the abuse of public or commercial services means that defenders have to adapt with more proactive controls and closer collaboration between vendors, response teams and authorities.
Recommended sources and further reading: the technical analyses and advisories of vendors and response centres provide ongoing details and updates, including the research pages of security companies and public vulnerability repositories (Trend Micro Research), the NIST CVE database (NVD), vendor advisories and guides (Microsoft Security Response Center), reports from other labs such as Zscaler ThreatLabz, and infrastructure analysis in technical blogs from teams such as Akamai. To understand the C2 tool referenced in several reports, see the Covenant repository; for information on the services used as a C2 platform, the provider's site (Filen) gives context for its public services.
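The COM and DLL-load monitoring recommended above, as an added example that is not from the page or from any of the research teams it cites: a small Python triage over constructed, simplified Sysmon-style events (EventID 13 registry value set, EventID 7 image load) that flags per-user CLSID server registrations pointing at user-writable paths, and DLL loads from user-writable paths by binaries installed elsewhere. Field names, CLSIDs and paths are assumptions.

```python
import re

# Constructed sample telemetry (not taken from the page): simplified
# Sysmon-style records, EventID 13 = registry value set, EventID 7 = image load.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Classes\CLSID"
               r"\{0F3A1B2C-1111-2222-3333-444455556666}\InprocServer32\(Default)",
     "details": r"C:\Users\alice\AppData\Roaming\Updater\helper.dll"},
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Classes\CLSID"
               r"\{ABCDEF01-2345-6789-ABCD-EF0123456789}\InprocServer32\(Default)",
     "details": r"C:\Program Files\Vendor\vendor.dll"},
    {"id": 7, "image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\Updater\helper.dll"},
    {"id": 7, "image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Windows\System32\shell32.dll"},
]

# Per-user hives: CLSID entries here take precedence over HKLM for that user and
# need no admin rights, which is why they are attractive for persistence.
PER_USER_HIVE = re.compile(r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\", re.I)
COM_SERVER_KEY = re.compile(
    r"\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)\\", re.I)
# Simplified allowlist of locations a standard user can write to.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.I)


def is_user_writable(path: str) -> bool:
    """True when the path sits in a location writable by a standard user."""
    return bool(USER_WRITABLE.match(path))


def triage(events):
    """Return (rule, subject, detail) tuples for events matching either rule."""
    findings = []
    for ev in events:
        if ev["id"] == 13:
            # Rule 1: per-user COM server registration pointing at a user-writable file.
            if (PER_USER_HIVE.match(ev["target"]) and COM_SERVER_KEY.search(ev["target"])
                    and is_user_writable(ev["details"])):
                findings.append(("com_hijack_registration", ev["target"], ev["details"]))
        elif ev["id"] == 7:
            # Rule 2: a binary outside user-writable space loading a DLL from inside it.
            if is_user_writable(ev["image_loaded"]) and not is_user_writable(ev["image"]):
                findings.append(("dll_load_from_user_path", ev["image"], ev["image_loaded"]))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {subject} -> {detail}")
```

Real deployments would feed the same two rules from the SIEM's Sysmon or EDR events and tune the writable-path allowlist to the environment's software inventory.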