root@rebel:~$ cd /news/threats/apt28-targets-ukraine-and-nato-allies-with-new-prismex-malware_
[TIMESTAMP: 2026-04-08 16:31 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

APT28 Targets Ukraine and NATO Allies with New PRISMEX Malware

CRITICAL Threat Intel #APT28 #PRISMEX #ForestBlizzard
AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Immediate impact: APT28 targets Ukraine and NATO allies with undocumented PRISMEX malware to facilitate espionage and persistent data exfiltration within sensitive government networks.
  • [02] Affected systems: Windows environments, where spear-phishing delivers the first stage and COM hijacking is used to maintain persistence and execute the PRISMEX payloads.
  • [03] Remediation: Defenders must prioritize monitoring registry keys for COM hijacking and implement advanced email filtering to block initial spear-phishing delivery attempts.

The Russian state-sponsored APT group APT28 (also tracked as Forest Blizzard, Pawn Storm, and Fancy Bear) has initiated a new wave of cyberattacks. According to The Hacker News, the group is deploying a previously undocumented malware suite identified as PRISMEX. This campaign specifically focuses on government and military entities within Ukraine and several NATO member states, signaling a continued focus on geopolitical intelligence gathering.

The malware suite is characterized by its sophisticated evasion techniques and reliance on legitimate infrastructure to bypass traditional security controls. Security researchers at Trend Micro have highlighted the use of advanced steganography and Component Object Model (COM) hijacking as primary TTP sets for this threat.

Technical Analysis of the PRISMEX Suite

The initial entry point for these attacks remains phishing: spear-phishing emails carry malicious attachments or links designed to lure targets into executing the first stage of the infection. Once inside a network, the malware employs complex methods to maintain a low profile.

How to Detect PRISMEX COM Hijacking

A core component of the PRISMEX infection chain involves COM hijacking. By modifying specific registry keys, the malware ensures that its malicious DLLs are loaded instead of legitimate system components when certain Windows functions are called. This method is effective for achieving persistence without creating suspicious new services or startup items that often trigger an EDR alert. Security teams should prioritize monitoring registry keys under HKEY_CURRENT_USER\Software\Classes\CLSID for unauthorized changes: per-user entries there take precedence over the machine-wide registration in HKEY_LOCAL_MACHINE, which is what makes the technique work and why a new entry in the user hive is a common indicator of it.

Furthermore, PRISMEX utilizes advanced steganography to hide its configuration files and additional payloads within seemingly harmless image files. This allows the malware to move data across the network while evading signature-based detection systems. The hidden data is only decrypted in memory during execution, making static analysis significantly more difficult for SOC analysts.

Command-and-Control via Cloud Service Abuse

The PRISMEX C2 architecture leverages legitimate cloud service providers to mask its traffic. By using well-known domains and encrypted channels, the malware blends in with standard corporate network traffic. This abuse of trusted cloud infrastructure complicates the identification of network-level indicators of compromise (IoCs). The malware’s ability to communicate with its controllers via these services ensures that it can receive instructions and exfiltrate data while remaining undetected for extended periods.

Strategic Implications of APT28 Targeting Ukraine and NATO Allies

The timing and targeting of this campaign underscore the strategic priorities of the Russian Federation. The activity involving APT28 targeting Ukraine and NATO allies serves as a reminder that state-sponsored actors are constantly refining their toolsets to overcome modern defenses. By deploying the undocumented PRISMEX suite, APT28 demonstrates a capability to develop bespoke malware tailored for high-stakes espionage.

The use of PRISMEX highlights a shift toward more modular and stealthy malware designs. Organizations must move beyond basic perimeter defenses and adopt a strategy aligned with the MITRE ATT&CK framework to identify the behavioral patterns associated with these advanced threats.

Mitigation and Detection Recommendations

Defenders must adopt a multi-layered approach to mitigate the risks posed by PRISMEX. Detecting it effectively requires a combination of endpoint visibility and network behavioral analysis.

  1. Monitor for COM Hijacking: Audit registry modifications, specifically those targeting CLSID entries that redirect legitimate COM object lookups to unofficial file paths.
  2. Enhanced Email Security: Implement advanced threat protection for email to identify and sandbox spear-phishing lures before they reach the end user.
  3. Cloud Traffic Inspection: Use SSL/TLS inspection to analyze traffic to cloud services, looking for anomalous patterns or connections to non-standard API endpoints.
  4. Endpoint Hardening: Restrict administrative privileges to prevent the registry modifications required for COM hijacking and deploy EDR solutions configured to alert on suspicious process injection.
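The COM hijacking checks described in the analysis section and in recommendation 1 can be expressed as a small hunting rule over endpoint registry telemetry. The script below is an added example written for this article, not code from the original report or from any vendor: it parses Sysmon Event ID 13 (RegistryEvent: Value Set) records in JSON form, picks out writes to the default value of a CLSID's InprocServer32 or LocalServer32 key, and flags two signals the article calls out: a registration in a per-user hive (which shadows the machine-wide entry) and a server path that lies outside the system and program directories. The sample event lines, the SID, the GUID and the file paths are all constructed placeholders.

```python
import json
import re

# Sysmon Event ID 13 (RegistryEvent: Value Set). Field names follow Sysmon's schema;
# the event lines below are constructed for this example, not real telemetry.
COM_SERVER_VALUE = re.compile(
    r"\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})"
    r"\\(InprocServer32|LocalServer32)\\\(Default\)$",
    re.IGNORECASE,
)

# Directories where a legitimate COM server DLL/EXE is normally registered.
# Tune this allow-list for software that legitimately installs per-user.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

USER_HIVES = ("HKU", "HKCU")  # Sysmon renders HKCU as HKU\<SID>


def normalize_server_path(details: str) -> str:
    """Strip quoting and trailing switches from a COM server value, lower-cased."""
    p = details.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]      # quoted path, drop any arguments
    else:
        p = p.split(" /", 1)[0]         # unquoted path followed by switches
    return p.lower()


def analyze_event(event: dict):
    """Return a finding for a CLSID server registration that looks hijack-like, else None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    m = COM_SERVER_VALUE.search(target)
    if not m:
        return None
    clsid, server_key = m.group(1).upper(), m.group(2)
    server_path = normalize_server_path(event.get("Details", ""))
    reasons = []
    hive = target.split("\\", 1)[0].upper()
    if hive in USER_HIVES:
        # A per-user CLSID entry takes precedence over HKLM for that user.
        reasons.append("per-user CLSID override shadows the machine-wide registration")
    if not server_path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"server path outside trusted directories: {server_path}")
    if not reasons:
        return None
    return {
        "clsid": clsid,
        "key": server_key,
        "server_path": server_path,
        "writer": event.get("Image", ""),
        "severity": "high" if len(reasons) == 2 else "medium",
        "reasons": reasons,
    }


def analyze_line(line: str):
    """Parse one JSON log line and analyze it; malformed lines are skipped."""
    try:
        return analyze_event(json.loads(line))
    except json.JSONDecodeError:
        return None


def scan_log(lines):
    """Return all findings from an iterable of JSON log lines."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample telemetry (placeholder GUID, SID and paths).
SAMPLE_SYSMON_LINES = [
    # Legitimate: installer registering a system DLL machine-wide.
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default)", "Details": "C:\\Windows\\System32\\example.dll"}',
    # Suspicious: per-user CLSID pointing at a DLL in the user's profile, written from a temp directory.
    r'{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default)", "Details": "C:\\Users\\alice\\AppData\\Roaming\\vendor\\helper.dll"}',
    # Unrelated registry write (Run key); the CLSID matcher must ignore it.
    r'{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync", "Details": "C:\\Users\\alice\\AppData\\Local\\Sync\\sync.exe"}',
    # Process creation event; wrong event type.
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_SYSMON_LINES):
        print(f["severity"].upper(), f["clsid"], f["key"], f["server_path"], "<-", f["writer"])
        for r in f["reasons"]:
            print("   -", r)
```

In a real deployment the rule runs against forwarded Sysmon or EDR registry events rather than an inline list, and the trusted-prefix list needs tuning, since some legitimate applications register COM servers under the user's profile; the point of scoring the two signals separately is that a per-user override of a CLSID that also exists under HKLM stays worth a look even when the path itself is not obviously bad.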

By focusing on these technical controls, organizations can better defend against the sophisticated techniques employed by APT28 in their latest offensive operations.
